Founded in 1975, CHS is the industry’s largest independent provider of workforce health care solutions. The company offers onsite health and wellness services to Fortune 500 firms that prefer to self-insure their employees by taking on the capital liability of providing coverage. Clients depend on CHS for health and productivity management solutions, including onsite primary care, health coaching, occupational health, and pharmacy services.
CHS typically maintains information on every employee who is eligible to participate in health care benefits at each of its clients. It therefore handles substantial amounts of highly sensitive personal data, including health records, clinical information, and examination results. The nature of this data means that CHS must meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Joseph Johnson, chief information security officer for CHS, commented, “Frequently HIPAA is the primary compliance driver for how we manage client data, but there is a possibility that we have to handle payment information, so conforming to the Payment Card Industry Data Security Standard (PCI DSS) also became a priority for us.”
CHS looked for solutions that would bring it into compliance with these standards. Johnson recalled, “The requirements around the ‘meaningful use’ of information are pushing more medical organizations into using electronic health records (EHR), which is very positive, but it does present a variety of security challenges. Many current EHR applications don’t lend themselves very well to easily securing data, especially the encryption of data at rest.
“We evaluated native SQL TDE encryption solutions but they ended up being extremely costly and actually offered very little in return. On top of this, certain EHR solution vendors don’t directly support encryption.”
He continued, “We investigated other solutions that ultimately weren’t viable because of their need for unrestricted access into the core of our applications. So we found ourselves in a bind: The solutions were either too expensive and didn’t even meet the requirements or they were incapable of interacting with our closed source application environment. Even if we did decide on a workable encryption product, it looked like we would have to deploy a completely separate solution to handle key management, or add full time employees just for the keys and certificate exchanges.”
“We were very excited when we discovered the Thales eSecurity solution; by performing data-level encryption it completely avoided the need to modify the application in any way, and this alone was a big win as we did not need to involve our development or applications support teams,” stated Johnson. “Not only could it handle all of our encryption needs but it could seamlessly perform key management. The Thales eSecurity solution also gave us the ability to effectively implement role-based encryption; this was really important because some of our environments are multi-tenant and our clients are obviously very serious about data segregation. Being able to offer this level of granularity and sophistication was a really powerful driver in our decision to purchase Thales eSecurity’s solutions.”
The CHS team conducted a proof-of-concept to validate expectations across all of the organization’s stakeholders. “There were absolutely no problems whatsoever and everyone quickly gave their approval to move to production,” recounted Johnson. “Once we’d done this, the impact on performance of implementing encryption across the live environment was exactly as promised; virtually imperceptible.”
“EHR environments are not built with very strong access management capabilities. They just weren’t designed to accommodate the different roles of practitioners and explicitly control who can get to specific records. With the Thales eSecurity solution we can see exactly who is trying to view sensitive data and this has enabled us to implement very effective role-based access controls throughout our environments. We’ve been able to mitigate the data leakage issues that have traditionally plagued the healthcare industry,” noted Johnson.
The ease of deploying and managing the Thales eSecurity solutions was appreciated by Johnson. He stated, “After the purchase decision is made, I think a lot of organizations overlook the level of effort and cost that goes into implementing and maintaining security in their own environment. Thales’ ability to so efficiently provide this level of sophistication takes away all those concerns about both initial and ongoing resource requirements.”
He concluded, “One of the biggest fears of my peers is that they know they have to solve the issue of encrypting data but are afraid of investing in a solution that never becomes fully operational. The approach that Thales has taken with streamlining both encryption and key management has removed this concern for CHS. We have an unwavering commitment to security and protecting the integrity of our data: Thales eSecurity helps us to deliver exactly what is required.”