
www.thales-esecurity.com

CHS RELIES ON THALES E-SECURITY SOLUTIONS TO PROVIDE SOPHISTICATED PROTECTION OF CLIENT DATA

Founded in 1975, CHS is the industry’s largest independent provider of workforce health care solutions. The company offers onsite health and wellness services to Fortune 500 firms who prefer to self-insure their employees by taking on the capital liability of providing coverage. Clients depend on CHS for health and productivity management solutions including onsite primary care, health coaching, occupational health, and pharmacy services.

BUSINESS CHALLENGE

CHS typically maintains information on all the employees who are eligible to participate in health care benefits for each of its clients. This results in dealing with substantial amounts of highly sensitive personal data, including health records, clinical information, and examination results. The nature of the data means that CHS must meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Joseph Johnson, chief information security officer for CHS, commented, “Frequently HIPAA is the primary compliance driver for how we manage client data but there is a possibility that we have to handle payment information, so conforming to the Payment Card Industry Data Security Standard (PCI DSS) also became a priority for us.”

TECHNICAL CHALLENGE

CHS looked for solutions to be compliant with these standards. Johnson recalled, “The requirements around the ‘meaningful use’ of information are pushing more medical organizations into using electronic health records (EHR) which is very positive but it does present a variety of security challenges. Many current EHR applications don’t lend themselves very well to easily securing data, especially the encryption of data at rest.

“We evaluated native SQL TDE encryption solutions but they ended up being extremely costly and actually offered very little in return. On top of this, certain EHR solution vendors don’t directly support encryption.”

He continued, “We investigated other solutions that ultimately weren’t viable because of their need for unrestricted access into the core of our applications. So we found ourselves in a bind: The solutions were either too expensive and didn’t even meet the requirements or they were incapable of interacting with our closed source application environment. Even if we did decide on a workable encryption product, it looked like we would have to deploy a completely separate solution to handle key management, or add full time employees just for the keys and certificate exchanges.”

“Thales e-Security has allowed us to quickly implement a sophisticated role-based access control mechanism that at one time was considered to be the Holy Grail.”

– Joseph Johnson, chief information security officer, CHS

“The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place.”

– Joseph Johnson, chief information security officer, CHS


Americas – Thales e-Security Inc. 900 South Pine Island Road, Suite 710, Plantation, FL 33324 USA • Tel:+1 888 744 4976 or +1 954 888 6200 • Fax:+1 954 888 6211 • E-mail: [email protected]

Asia Pacific – Thales Transport & Security (HK) Lt, Unit 4101-3, 41/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong • Tel:+852 2815 8633 • Fax:+852 2815 8141 • E-mail: [email protected]

Europe, Middle East, Africa – Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ • Tel:+44 (0)1844 201800 • Fax:+44 (0)1844 208550 • E-mail: [email protected]


SOLUTION

“We were very excited when we discovered the Vormetric solution; by performing data-level encryption it completely avoided the need to modify the application in any way, and this alone was a big win as we did not need to involve our development or applications support teams,” stated Johnson. “Not only could it handle all of our encryption needs but it could seamlessly perform key management. The Vormetric solution also gave us the ability to effectively implement role-based encryption; this was really important because some of our environments are multi-tenant and our clients are obviously very serious about data segregation. Being able to offer this level of granularity and sophistication was a really powerful driver in our decision to purchase Thales e-Security’s Vormetric solutions.”

The CHS team conducted a proof-of-concept to validate expectations across all of the organization’s stakeholders. “There were absolutely no problems whatsoever and everyone quickly gave their approval to move to production,” recounted Johnson. “Once we’d done this, the impact on performance of implementing encryption across the live environment was exactly as promised; virtually imperceptible.”

RESULTS

“EHR environments are not built with very strong access management capabilities. They just weren’t designed to accommodate the different roles of practitioners and explicitly control who can get to specific records. With the Vormetric solution we can see exactly who is trying to view sensitive data and this has enabled us to implement very effective role-based access controls throughout our environments. We’ve been able to mitigate the data leakage issues that have traditionally plagued the healthcare industry,” noted Johnson.

Johnson appreciated the ease of deploying and managing the Vormetric solutions. He stated, “After the purchase decision is made, I think a lot of organizations overlook the level of effort and cost that goes into implementing and maintaining security in their own environment. Thales e-Security’s ability to so efficiently provide this level of sophistication takes away all those concerns about both initial and ongoing resource requirements.”

He concluded, “One of the biggest fears of my peers is that they know they have to solve the issue of encrypting data but are afraid of investing in a solution that never becomes fully operational. The approach that Thales e-Security has taken with streamlining both encryption and key management has removed this concern for CHS. We have an unwavering commitment to security and protecting the integrity of our data: Thales e-Security helps us to deliver exactly what is required.”

ABOUT THALES E-SECURITY

Thales e-Security is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premise, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales e-Security is part of Thales Group.

© Thales - March 2017 • PLB6447

PROTECTING EHR APPLICATIONS WITH ROLE-BASED ACCESS CONTROL

Business Need:
• Meet HIPAA and PCI DSS requirements
• Identify cost-effective encryption solution

Technology Need:
• Accommodate closed source application environment
• Avoid the overhead associated with separate encryption and key management solutions
• Provide logical data segregation

Thales e-Security Solutions:
• Vormetric Transparent Data Encryption
• Vormetric Key Management

Result:
• Coverage of data in motion and at rest, compliant with HIPAA and PCI standards
• Implementation of role-based access controls
• Averted need for any application changes with data-centric security model
• Minimal ongoing resource requirements