As America’s oldest and largest healthcare services company, McKesson Corporation provides a broad range of pharmaceuticals, medical supplies and information technologies to customers in every segment of the industry. The publicly traded company achieved sales of $191 billion in 2016, making it the 5th largest company in the U.S.
McKesson is subjected to an enormous number of regulatory standards for securing data found in every one of the segments in which it operates. Sabastian High, senior manager for Product Development Standards and Innovation at McKesson, commented, “We needed to identify an enterprise-wide solution for encryption and key management that could be easily deployed across our business units without impacting operations or security.
“An aspect that is of utmost importance to us is the responsiveness of a vendor’s tier-2 phone support and the resulting speed of escalation to engineering. Our requirements for resolving issues are pretty unique: If we’re doing encryption of data at rest for an application that is involved with supporting critical care activities, the notion of having a non-operational system is just unacceptable. It literally can be a life or death situation.”
McKesson has grown both organically and through acquisitions for 180 years. This very successful strategy has led to an accumulation of multiple disparate environments, technologies and data repositories spread throughout the company.
High and his colleagues created a detailed set of criteria to identify and select the optimal solution for the McKesson environment. “We had a large number of technical specifications for our key management and encryption solution; the top factors were ease of deployment, the performance impact of doing encryption, the strength of key domain capabilities across disparate file systems and file system agnosticism.”
Following a multi-month research and evaluation period, High and his team selected Thales e-Security’s healthcare solutions. High noted, “Thales e-Security’s implementation – especially the total separation of roles within a domain model and the ability to consistently provide robust key management across disparate file systems – was the best we saw.”
“The Vormetric Data Security Platform also exceeded all of our acceptance criteria for problem identification and resolution responsiveness,” High continued.
“Performance is a very critical factor for us. We conducted a proof of concept with several vendors’ solutions configured in parallel. We created a wide variety of scenarios, involving data warehousing, analytics, and informatics platforms: Vormetric consistently scored the highest marks. Every other encryption solution increased the file IO and data IO latency by a factor of 50 to 100. There was a really significant performance advantage using Vormetric when compared to the degradation we experienced with the other competitors.
“I also appreciated Thales e-Security’s approach to encryption; I was never satisfied with the competitors’ strategies of encrypting individual tables or columns, both of which made no sense to us.”
Technology solution provider Williams & Garcia was tasked with helping to refine the overall implementation and support models, as well as coordinating the massive deployment across the McKesson environment. The Atlanta, Georgia-based company is responsible for actively managing the key domain for each business unit and providing ongoing operational maintenance and support.
Since the enterprise-wide deployment began, the reliability of the Vormetric solutions has been impeccable. High said, “We’ve never had a Vormetric Data Security Manager appliance fail, or even falter. Agent reliability has been equally flawless.”
He continued, “The separation of key operators, key creator, policy, administrator, access controls, and the separation of duties model are all truly military grade; and I have a lot of experience in this field!”
The Vormetric solution provides full coverage of all regulated data throughout the McKesson infrastructure, including facilitating compliance with the HIPAA HITECH Act, PCI DSS, FDA and EPCS (Electronic Prescriptions for Controlled Substances) mandates.
“The flexibility of our Vormetric solution gives us an enterprise-wide capability that enables business units to implement a service and support model that exactly works for them. We’ve been able to use the Vormetric platform as the vehicle to implement robust key management practices that support corporate policies across the company. No other vendor can compete with the Thales e-Security model; we love the technology,” concluded High.