Identify PHI or PII in SNOW and Take Action

chrisinhoff
Tera Contributor

Please see request below

In the past there have been discussions on PHI (and PII) in ServiceNow.  These conversations have focused on limiting the amount of PHI/PII that gets put into ServiceNow tickets, but ultimately, we need to have an allowance for it.  I was wondering if there is any option in ServiceNow to flag tasks/incidents as containing PHI/PII and then having "break the glass" functionality if an agent believes they need to review that data.  This is how Sherlock works (Epic's ticketing system), where a ticket can be entered with no restriction, but if the original submitter or anyone attached to the ticket believes there is PHI, that data can be tagged and is then blurred out.  To view it you need to type in an explanation of why you need to see it, which is then available for auditing.

Can you see if there is anything out of the box for this that ServiceNow provides?

3 REPLIES 3

Ravi Chandra_K
Kilo Patron
Kilo Patron

Hello @chrisinhoff 

There is no OOB flag for PII data but a custom check box can be used to indicate it contains sensitive data, then it can be masked.

 

If it's on Catalog items or record producers, Sensitive data can be masked using Masked variable.

Check out:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0681163

 

Please mark the answer as helpful and correct if helped.

Kind Regards,

Ravi

Can SNOW do this?

We cannot just create a new field called PHI and then encrypt it if needed. We would want to have the record identified, and if possible, have SNOW read the record and maybe with pattern recognition or something similar, block out some content? (I feel like this last ask is not possible, especially without isolating the PHI data)

How does this work? The KB you shared is for a catalog item. We have fields where we are not sure if PII is in there or not. Would I then need to create a masked field on the form in addition to the field that marks it as PII present? Can I mask all the old fields and populated data that is already present in these fields or would this just work going forward?

 

Thank you for your help.