Weekly CISSP Practice

Week 25 - Question 2

Scenario: A healthcare organization stores sensitive patient information. What data masking technique should be used to ensure that healthcare staff can access only the information necessary for patient care?

 

A.  Substitution

B.  Scrambling

C.  Nulling Out

D.  Tokenization

 

Answer:  D

Explanation:

A. Substitution

Substitution involves replacing a real value with a fake one from a pre-defined lookup table (e.g., replacing "John Smith" with "Robert Paulson").

  • The Limitation: It preserves the look and feel of the data for testing or training, but it is a static, one-way change. If a nurse needs the real patient name to verify they are administering the correct medication, substitution prevents them from doing so, because the real value is lost in that view.

B. Scrambling (Shuffling)

Scrambling involves jumbling the characters within a field or shuffling values between different rows in a column.

  • The Risk: Character scrambling of short or structured fields is weak, since only a handful of permutations form a valid date, code or identifier, and shuffling between rows leaves every real value in the column, only attached to the wrong record, so a leak of the "masked" data still exposes real patient data. Like substitution, it also destroys the utility of the data for real-time care: you cannot treat a patient whose medical history has been shuffled with someone else's.

C. Nulling Out (Masking Out)

Nulling out replaces a sensitive field with a null or blank value; the closely related masking out replaces characters with a fixed symbol (e.g., XXX-XX-1234 for a Social Security Number).

  • The Conflict: While highly secure, it is irreversible and all or nothing for the masked portion. If a billing specialist needs the full Social Security Number to verify an insurance claim but the field is nulled out, they cannot complete the transaction, and nobody can recover the value for them.

D. Tokenization

Tokenization replaces sensitive data with a non-sensitive surrogate value called a "token."

  • Why it's the Answer: Unlike encryption, where the ciphertext is derived mathematically from the data and a key, a vault-based token has no mathematical relationship to the original value. The real data is kept in a hardened, centralized "token vault," and the application only ever stores and handles the token.

  • The Healthcare Benefit: Staff can use the token for routine administrative tasks (scheduling, record linkage, billing references) without ever seeing the underlying protected health information. When a physician needs the real record for care, the vault detokenizes the value for that authorized user only, and every detokenization can be logged. This applies the Principle of Least Privilege while preserving the Availability of the information for critical life-safety situations.
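The following is an added example, not code from the CISSP Cyber Training page, showing the vault-based tokenization described above: the application database keeps only random tokens, the vault holds the real values, and detokenization is granted per role, returning the full value, a masked-out view (which is the nulling-out/masking-out technique from option C applied at read time), or nothing. The roles, the policy table and the patient record are illustrative assumptions.

```python
"""Added example (not from the original page): a minimal vault-based
tokenization service that hands applications random tokens and detokenizes
only for roles a policy allows. Roles, policy and patient data are assumptions."""
import secrets
from dataclasses import dataclass, field


def mask_last4(value: str) -> str:
    """Masking-out view: keep the last four characters, replace the rest with X.
    Hyphens are preserved so a Social Security Number still looks like one."""
    kept = value[-4:]
    head = "".join("-" if ch == "-" else "X" for ch in value[:-4])
    return head + kept


@dataclass
class TokenVault:
    """Hypothetical token vault. The application stores only tokens; the real
    value lives here and is released only through detokenize()."""
    # field name -> role -> "full" | "last4"; anything absent is denied.
    policy: dict
    _by_token: dict = field(default_factory=dict)
    _by_value: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def tokenize(self, field_name: str, value: str) -> str:
        key = (field_name, value)
        if key in self._by_value:          # same value -> same token, so record linkage still works
            return self._by_value[key]
        # Random token: unlike encryption there is no key that turns it back into the value.
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Release the real value only as far as the policy allows, and log every request."""
        field_name, value = self._by_token[token]
        access = self.policy.get(field_name, {}).get(role)
        self.audit.append((role, field_name, access or "denied"))
        if access == "full":
            return value
        if access == "last4":
            return mask_last4(value)
        raise PermissionError(f"role {role!r} may not detokenize {field_name!r}")


# Illustrative policy (an assumption): clinicians see what care requires, billing
# sees only the tail of the SSN, and a scheduler never sees the diagnosis.
POLICY = {
    "name":      {"physician": "full", "nurse": "full", "billing": "full", "scheduler": "full"},
    "ssn":       {"physician": "full", "billing": "last4"},
    "diagnosis": {"physician": "full", "nurse": "full"},
}

# Constructed sample patient; not real data.
PATIENT = {"name": "Jane Doe", "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes"}


def store_record(vault: TokenVault, record: dict) -> dict:
    """What the application database keeps: tokens only, no PHI."""
    return {k: vault.tokenize(k, v) for k, v in record.items()}


def view_record(vault: TokenVault, stored: dict, role: str) -> dict:
    """Per-role view: real value, masked value, or a redaction marker."""
    out = {}
    for k, tok in stored.items():
        try:
            out[k] = vault.detokenize(tok, role)
        except PermissionError:
            out[k] = "[redacted]"
    return out


if __name__ == "__main__":
    vault = TokenVault(POLICY)
    stored = store_record(vault, PATIENT)
    print("stored:", stored)
    for role in ("physician", "nurse", "billing", "scheduler"):
        print(role, view_record(vault, stored, role))
```

Two design points carry the exam answer: the token is generated with `secrets`, so it reveals nothing about the value and no key can reverse it outside the vault, and the only path back to the real data is `detokenize()`, which is the single place where least privilege is enforced and audited.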
