Founded in 1975, CHS is the industry’s largest independent provider of workforce health care solutions. The company offers onsite health and wellness services to Fortune 500 firms who prefer to self-insure their employees by taking on the capital liability of providing coverage. Clients depend on CHS for health and productivity management solutions including onsite primary care, health coaching, occupational health, and pharmacy services.
CHS typically maintains information on all the employees who are eligible to participate in health care benefits for each of its clients. This results in dealing with substantial amounts of highly sensitive personal data, including health records, clinical information, and examination results. The nature of the data means that CHS must meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Joseph Johnson, chief information security officer for CHS, commented, “Frequently HIPAA is the primary compliance driver for how we manage client data but there is a possibility that we have to handle payment information, so conforming to the Payment Card Industry Data Security Standard (PCI DSS) also became a priority for us.”
CHS looked for solutions that would make it compliant with these standards. Johnson recalled, “The requirements around the ‘meaningful use’ of information are pushing more medical organizations into using electronic health records (EHR) which is very positive but it does present a variety of security challenges. Many current EHR applications don’t lend themselves very well to easily securing data, especially the encryption of data at rest.
“We evaluated native SQL TDE encryption solutions but they ended up being extremely costly and actually offered very little in return. On top of this, certain EHR solution vendors don’t directly support encryption.”
He continued, “We investigated other solutions that ultimately weren’t viable because of their need for unrestricted access into the core of our applications. So we found ourselves in a bind: The solutions were either too expensive and didn’t even meet the requirements or they were incapable of interacting with our closed source application environment. Even if we did decide on a workable encryption product, it looked like we would have to deploy a completely separate solution to handle key management, or add full time employees just for the keys and certificate exchanges.”
“We were very excited when we discovered Vormetric; by performing data-level encryption it completely avoided the need to modify the application in any way, and this alone was a big win as we did not need to involve our development or applications support teams,” stated Johnson. “Not only could it handle all of our encryption needs but it could seamlessly perform key management. Vormetric also gave us the ability to effectively implement role-based encryption; this was really important because some of our environments are multi-tenant and our clients are obviously very serious about data segregation. Being able to offer this level of granularity and sophistication was a really powerful driver in our decision to purchase the Vormetric Data Security solutions.”
The CHS team conducted a proof-of-concept to validate expectations across all of the organization’s stakeholders. “There were absolutely no problems whatsoever and everyone quickly gave their approval to move to production,” recounted Johnson. “Once we’d done this, the impact on performance of implementing encryption across the live environment was exactly as promised; virtually imperceptible.”
“EHR environments are not built with very strong access management capabilities. They just weren’t designed to accommodate the different roles of practitioners and explicitly control who can get to specific records. With Vormetric we can see exactly who is trying to view sensitive data and this has enabled us to implement very effective role-based access controls throughout our environments. We’ve been able to mitigate the data leakage issues that have traditionally plagued the healthcare industry,” noted Johnson.
Johnson also appreciated the ease of deploying and managing the Vormetric solutions. He stated, “After the purchase decision is made, I think a lot of organizations overlook the level of effort and cost that goes into implementing and maintaining security in their own environment. Vormetric’s ability to so efficiently provide this level of sophistication takes away all those concerns about both initial and ongoing resource requirements.”
He concluded, “One of the biggest fears of my peers is that they know they have to solve the issue of encrypting data but are afraid of investing in a solution that never becomes fully operational. The approach that Vormetric has taken with streamlining both encryption and key management has removed this concern for CHS. We have an unwavering commitment to security and protecting the integrity of our data: Vormetric helps us to deliver exactly what is required.”
Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1100 customers, including 17 of the Fortune 25 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable solution suite protects any file, any database and any application — anywhere it resides — with a high performance, market-leading Data Security Platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence.