When The Medical Industry Wants A Review They Can Trust, Allmed Delivers

Providing informed medical opinions is what physicians are paid to do: Each diagnosis and recommendation can trigger multiple outcomes, including prescriptions for drugs, insurance payment authorizations and formal completion of treatments. If a judgement is ever questioned or needs further validation a highly specialized category of company, known as an independent review organization (IRO), is called in to provide an expert review of the facts.

Headquartered in Portland, Oregon, AllMed Healthcare Management offers comprehensive physician peer review solutions to leading payer and provider organizations. The company utilizes a panel of hundreds of licensed, board-certified and actively practicing physicians to conduct its assessments. Their clients include medical management and managed care organizations (MMO, MCO), third party administrators (TPA) disability carriers and other providers.

Given the wide variety of highly confidential data that it handles, AllMed falls at the intersection of numerous federal, regional, industry and general regulatory mandates associated with personally identifiable information (PII), protected health information (PHI) and other sensitive data categories. As a demonstration of its commitment to adhere to the highest levels of data integrity, AllMed is one of just a handful of independent review organizations to have earned the stringent Health Information Trust Alliance (HITRUST) certification for information technology security.

When The Medical Industry Wants A Review They Can Trust, Allmed Delivers

Business Need

Joel Campbell, Information Security Officer at AllMed, commented, “In the healthcare industry the number of regulations relating to data protection can be totally overwhelming, even for security professionals. For AllMed, being HITRUST certified is tangible proof to our stakeholders that we uphold the highest standards of security and privacy: They don’t need to know what the ‘HIPAA’ or ‘HITECH’ acronyms stand for, they just need to know that we’ve met or exceeded industry-defined requirements relating to protecting patient data.”

Technical Need

HITRUST certification utilizes a comprehensive security framework that integrates requirements from many authoritative sources – such as ISO, NIST, PCI, HIPAA and others – and tailors them specifically to healthcare organizations. “HITRUST touches all aspects of an organization, so it is imperative to architect a solid foundation on which to build security policies, controls and procedures,” reflected Campbell. “A key step was to ensure that our data is continually secure, and for me this means encryption.”

He continued, “I’ve been in the security industry a long time and the number one name for encryption technologies has always been Thales. There are obviously competing products but Thales is always the name that jumps to the top.”

Solution

AllMed deployed Vormetric Transparent Encryption from Thales in conjunction with the Vormetric Data Security Manager (DSM) to manage access policies and encryption keys across physical data centers, cloud environments and hybrid deployments. Vormetric Transparent Encryption provides the necessary access controls and data access logging functions needed by almost all compliance and data privacy standards and mandates, including PCI DSS, HIPAA/HITECH, GDPR and many others. AllMed is able to secure information with file and volume-level encryption for both data at rest and in motion. Agents installed above the file system on servers or virtual machines enforce data security and compliance policies; making deployment simple and fast.

“Everything gets encrypted,” described Campbell. “HIPAA doesn’t explicitly distinguish between different data states but by using Thales we immediately remove any concerns or issues about how we secure information.”

Result

“We use a lot of different applications and were able to implement the Thales solutions without having to modify any code, databases or infrastructure components,” recalled Campbell. “We have a modestly sized security team and despite serving such a critical role, the administrative overhead of the Thales solution has been phenomenally low, truly ‘set and forget’ once configured.”

Providing its panel members with the information needed to review medical cases involves sending numerous files, some of significant size. This transfer process has several areas of potential vulnerability, especially because AllMed panelists are spread around the country, outside of the company’s headquarters infrastructure. Campbell remarked, “With Thales we can prove that all data being transmitted is both unchanged and unseen, from its origin through to the receiving physician. Given its sensitivity, being able to guarantee that only the intended recipient can view the information is critical.”

Serious Security

Campbell added, “AllMed is always looking for new business opportunities and we are growing quickly, making it essential that our IT infrastructure can support the company’s business objectives. Thales has engineered its solutions to scale and adapt to accommodate exactly this type of dynamic situation.”

The widespread, positive reputation of Thales continues to bring benefits, Campbell summarized, “Without data integrity we wouldn’t have a business. When prospects, or even existing clients, learn that we use Thales to perform all our encryption duties, that’s typically all they need to hear. They know we’re serious.”

About Thales eSecurity

Thales eSecurity is a leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.

Download