If you are going to lock the door, you may as well close the window, too.
That’s what IT managers at Harvard Pilgrim Health Care learned as they moved to secure personal data traversing their email system. While a solid encryption tool got them part way home, it took adding a content monitoring and filtering application to bring the solution full circle.
“Not everybody has the same cookie-cutter architecture in place for their email systems, so you really need to take time to develop how this is going to fit together and how it is going to work,” says Ken Patterson, chief information security officer at Harvard Pilgrim Health Care.
A nonprofit company based in Wellesley, Mass., Harvard Pilgrim delivers health benefits throughout Massachusetts, New Hampshire, and Maine. In addition to its million members, the company keeps up regular communications with some 30,000 providers, over 130 hospitals, more than 6,000 brokers and other outside partners. Harvard Pilgrim averages about 5,000 outbound email messages per day.
Like others, Harvard Pilgrim must comply with HIPAA and other regulations or face stiff penalties. So far, says Patterson, his system has never had a breach, but “We don’t like to wait until something happens before we react.”
The health plan’s existing system was potentially vulnerable. Users protected Word and Excel documents in emails by using the password protection offered by Microsoft Office. It was too hands-on, too time-consuming, Patterson says.
A preliminary risk assessment identified email as a source of potential vulnerability, with encryption as the most likely way to mitigate the risk. To assess potential solutions, Patterson turned to a longtime partner, Perot Systems of Plano, Texas. In addition to ease of use and reliability, Patterson wanted a solution supported by an open-standards architecture. “I didn’t really want any proprietary solutions,” he said.
Together with Perot he identified PGP Universal Gateway Email, an encryption system that works with Harvard Pilgrim’s Lotus Notes 6.5 email system. Any time a user fires off an email containing confidential information, that user simply clicks a button in Notes: “PGP Send.” This encrypts the message; on the other end the recipient receives not just the message but also instructions for downloading a certificate from a Harvard Pilgrim Web server, which allows the recipient’s email program to decrypt the contents of the message.
The system tested well with internal users, while giving Patterson the openness he was seeking. Trouble was, encryption alone was not delivering the expected results.
To ensure things were running smoothly, Patterson test-drove Vontu data protection software. “It was immediately apparent we had a need to help enforce our policy,” he said, without specifying the degree of failure within the system. San Francisco-based Vontu provides data security and compliance tools to a range of verticals, including the health care industry.
Simply put, people were not always pushing the encryption button. Patterson needed Vontu’s ability to catch and correct oversights before sensitive information could get out on the street. Vontu monitors communications flow, flags potential breaches, and puts the brakes on suspect traffic.
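The gap described above, an encryption button that users sometimes skip and a content monitor that catches what leaves in the clear, can be reduced to a small gateway rule. The following is an added illustration, not Vontu’s or PGP Universal’s code, and the internal domain, the member-ID format and the PHI patterns are constructed assumptions:

```python
import re

# Constructed detection logic (not Vontu's or PGP Universal's code).
PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"
INTERNAL_DOMAIN = "example.org"   # placeholder for the health plan's own domain

# Hypothetical PHI detectors; a real rule set is far broader.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bHP\d{8}\b"),            # constructed member-ID format
    "diagnosis": re.compile(r"\b(?:ICD-?10|diagnosis)\b", re.IGNORECASE),
}

def is_pgp_encrypted(body):
    """True if the body is PGP ASCII-armored, i.e. the user did click 'PGP Send'."""
    return body.lstrip().startswith(PGP_ARMOR_HEADER)

def find_phi(body):
    """Names of the PHI detectors that fire on a plaintext body, sorted."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(body))

def classify(message):
    """Return (action, reasons): the gateway decision for one outbound message."""
    leaves_org = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in message["to"])
    if not leaves_org or is_pgp_encrypted(message["body"]):
        return "allow", []
    hits = find_phi(message["body"])
    # Unencrypted mail to an outside party carrying PHI is held for review.
    return ("quarantine", hits) if hits else ("allow", [])

# Constructed sample traffic, not real messages.
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["bob@example.org"], "body": "Reminder: SSN 123-45-6789 on file."},
    {"id": 2, "to": ["clinic@provider.test"],
     "body": "-----BEGIN PGP MESSAGE-----\nhQEMA0constructedciphertext==\n-----END PGP MESSAGE-----"},
    {"id": 3, "to": ["billing@hospital.test"],
     "body": "Claim for member HP12345678, diagnosis code attached."},
    {"id": 4, "to": ["partner@broker.test"], "body": "Lunch at noon?"},
]

def run_filter(messages=SAMPLE_MESSAGES):
    """Map message id -> (action, reasons) for a batch of outbound mail."""
    return {m["id"]: classify(m) for m in messages}

if __name__ == "__main__":
    for mid, (action, reasons) in run_filter().items():
        print(mid, action, reasons)
```

Only message 3 is held: it goes outside the organization, is not armored, and matches two detectors; the internal message with an SSN and the encrypted external message both pass.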
Patterson’s passion for openness paid off: Vontu could integrate with PGP, delivering a better-rounded solution, including discovery and prevention steps that augmented encryption. “I like the fact that I was not driven toward using a single content monitoring and filtering solution,” he said.
All these capabilities depend largely on the initial ability to identify and define potentially sensitive information. Here Patterson gives Vontu high marks. “We think we know where it all is, but we wanted to be able to really inventory where exactly that protected health data is and whether it is adequately secured.”
Now, he said, it is.
Want to read more expert articles like this? Click here to subscribe to Digital HealthCare & Productivity.