From the course: CCSK Cert Prep: 3 Managing Cloud Security and Risk

PII and PHI

- [Instructor] Data privacy is a primary concern for many businesses. The first step in securing data in the cloud is to be able to identify and classify sensitive data, such as personally identifiable information, or PII, as well as protected health information, or PHI.

Let's define what PII really is. Personally identifiable information is any information that can lead back to an individual. Now, that could be one or more pieces of information together that lead back to a person. And so, PII then needs to be labeled as such. Now, this can be done through cloud resource tagging or through file metadata added to files individually. And there are many automated tools that can discover data and, using some pre-configured rules, can label data accordingly, such as being personally identifiable information, or maybe even being more specific by labeling it as being a financial type of PII.

Protected health information, or PHI, is any medical-related information that can lead back to an individual. Again, like PII, it can be a single piece of information or a combination of pieces of information. So just like with PII, protected health information should also be labeled, whether through cloud resource tagging or file metadata that's been added for classification purposes. Some examples of protected health information would include things like health insurance details, blood test results, and medical history.

And there are many different data privacy standards. Some are international, some are region-specific. The Payment Card Industry Data Security Standard, or PCI DSS, is a set of security standards that are designed to protect credit card holder information. The General Data Protection Regulation, or GDPR, is designed for the protection of private data related to European Union citizens, regardless of where that data is being handled, such as by organizations outside of the EU. The GDPR would still apply. The Health Insurance Portability and Accountability Act, or HIPAA, is a legislative act in the United States that's designed to protect patient medical information. And so, in the cloud, it's important to consider the type of data that the organization will process and store, and where it will be stored in the cloud.
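As an added example, not part of the course transcript, here is a small rule-based discovery step of the kind the instructor describes: constructed rules label a record as PII, financial PII, or PHI (health data counts as PHI only when the same record also leads back to a person), and the result becomes key/value tags for cloud resource tagging or file metadata. The field names, patterns and tag keys are this example's own assumptions.

```python
import re

# Constructed rule set for this example. Each rule is (label, field-name regex,
# value regex or None); a rule fires when the field name matches and, if a
# value regex is given, the value matches too. Labels follow the lesson: PII,
# a financial sub-type of PII, and health data that becomes PHI once linkable.
RULES = [
    ("PII", r"^(full_name|email|phone|ssn|date_of_birth)$", None),
    ("PII", r".*", r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN-shaped value in any field
    ("PII:financial", r"^(card_number|iban|account_number)$", None),
    ("PII:financial", r".*", r"\b(?:\d[ -]?){12}\d{1,7}\b"),  # 13-19 digit card-shaped value
    ("health", r"^(diagnosis|blood_test|medical_history|insurance_member_id)$", None),
]


def discover(record):
    """Apply the pre-configured rules to one record (dict of field -> value)
    and return the set of raw labels that fired."""
    labels = set()
    for label, name_re, value_re in RULES:
        for name, value in record.items():
            if re.fullmatch(name_re, name, re.IGNORECASE) and (
                value_re is None or re.search(value_re, str(value))
            ):
                labels.add(label)
    return labels


def classify(record):
    """Turn raw hits into classification labels. Health data is PHI only when
    the record also carries something that leads back to an individual, which
    reflects that PHI may be several pieces of information taken together."""
    labels = discover(record)
    identifying = {"PII", "PII:financial"} & labels
    if "health" in labels:
        labels.discard("health")
        labels.add("PHI" if identifying else "health-data")
    return labels


def resource_tags(record):
    """Build the key/value tags to attach as cloud resource tags or file metadata."""
    labels = sorted(classify(record))
    restricted = any(l in labels for l in ("PII", "PII:financial", "PHI"))
    return {
        "data-classification": ",".join(labels) if labels else "none",
        "restricted": "true" if restricted else "false",
    }
```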
