HIPAA / PCI-DSS Compliance Review of a Data Ingestion Platform's Masking Engine

Posted yesterday

Worldwide

Summary

HIPAA / PCI-DSS Compliance Review of a Data Ingestion Platform's Masking Engine Project Overview We've built a data ingestion platform that ingests structured, semi-structured, unstructured, streaming, and IoT data — including healthcare data from sources like FHIR, HL7v2, DICOM, and pharmacy/e-prescribing feeds — and applies PHI/PCI masking inline at ingestion time, before data is written anywhere downstream. The masking engine is built and covered by an extensive automated test suite (30 tests, all passing), but it has not yet been reviewed by a licensed compliance professional. We need that review before representing the platform as HIPAA/PCI compliant to any client. This is a code-and-documentation review engagement, not a build engagement — the masking logic already exists; we need a qualified opinion on whether it actually satisfies the relevant regulatory standards, and a clear list of gaps if it doesn't. Scope of Work Review the compliance engine's source code (Python — regex-based content detection plus field-name-based detection, deterministic HMAC-token masking, audit-record signing) against HIPAA's Privacy Rule, specifically the Safe Harbor de-identification standard (the 18 identifier categories). Review the PCI cardholder-data redaction logic (Luhn-validated card-number detection and redaction) against PCI-DSS requirements relevant to how this data is stored and transmitted downstream. Assess whether deterministic (same-input-produces-same-output) masking is an appropriate de-identification approach for our use case, or whether its re-identification properties are a problem worth flagging. Review the existing automated test suite (we'll provide it) and identify any regulatory-relevant scenarios it doesn't cover. Deliver a written report: pass/fail-style findings per requirement, specific gaps if any, and concrete remediation recommendations we can hand to our engineers. Optional/bonus: light familiarity with ITAR/EAR export-control classification, in case a small subset of ingested data ever needs that tagging reviewed too. This is NOT required — please apply even if this isn't your area. Deliverables A written compliance review report (HIPAA Safe Harbor + PCI-DSS at minimum) A prioritized list of any gaps found, with severity A short call to walk through findings with our engineering team What We'll Provide Read-only access to the relevant source code and test files (under NDA) A spreadsheet mapping our current automated test coverage to compliance areas Written documentation of the engine's design and known limitations Required Qualifications Demonstrated professional experience with HIPAA compliance review (Privacy Rule / Security Rule), ideally including de-identification methodology (Safe Harbor and/or Expert Determination) Demonstrated professional experience with PCI-DSS requirements, ideally QSA or ISA credentialed, or equivalent hands-on assessment experience Comfortable reading Python code well enough to evaluate what it actually does, not just documentation about it Available for a short scoping call before starting Experience reviewing healthcare data pipelines specifically (FHIR, HL7v2, DICOM familiarity) ITAR/EAR export-control classification experience Prior experience producing compliance documentation used in actual client-facing certifications My be willing to sign our NDA

  • $250.00

    Fixed-price
  • Intermediate
    Experience Level
  • Remote Job
  • Ongoing project
    Project Type
Skills and Expertise
Mandatory skills
Python
cryptography concepts
Activity on this job
  • Proposals:5 to 10
  • Last viewed by client:yesterday
  • Interviewing:
    4
  • Invites sent:
    17
  • Unanswered invites:
    12
About the client
Member since Jul 13, 2017
  • United States
    Allentown11:07 PM
  • $4.8K total spent
    50 hires, 2 active
  • 206 hours
  • Tech & IT
    Mid-sized company (10-99 people)

Explore similar jobs on Upwork

Help with cyber security photoshopHourly‐ Posted 10 months ago
Penetration Testing
System Security
Cybersecurity Management
Vulnerability Assessment
Security Assessment & Testing
Network Penetration Testing
Testing
Software Testing
Ethical Hacking
Threat Detection
Security and Compliance SpecialistFixed-price‐ Posted 2 weeks ago
Network Security
Information Security
Penetration Testing
Security Analysis

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo