DeKalb Medical Center: Lowering costs through content-based encryption

  • Customer Profile: Health care; not-for-profit hospital system; 500,000 patients per year
  • Goals: Regulatory compliance (HIPAA)
  • Solution: PGP Universal™ Gateway Email for outbound email; PGP® Command Line secures server-to-server communication
  • Deployment: Email encryption without desktop installation; reduced help desk calls
  • Benefits: Enhanced customer service; higher security

DeKalb Medical Center introduced secure communications with patients, doctors, insurers, and business partners using the PGP® Encryption Platform.

Serving the community since 1961, DeKalb Medical Center is a not-for-profit hospital system that includes three hospitals in Georgia. A leader in progressive medical technology, the hospital system serves approximately 500,000 patients annually and offers a variety of community outreach programs.

The Challenge

DeKalb Medical Center was looking for a way to identify and secure Personal Health Records (PHR) covered by the U.S. Health Insurance Portability and Accountability Act (HIPAA), which requires health care organizations to protect the privacy of “individually identifiable health information.” Sharon Finney, information security administrator at DeKalb Medical Center, is responsible for all business and clinical information on all systems and networks. “We wanted to eliminate any potential risk of confidential information leaving the facility electronically,” says Finney. “We were looking for a solution that allowed us to monitor and secure outbound email traffic, but many solutions used proprietary mechanisms or didn’t offer encryption at all.”

In a second related project, DeKalb Medical Center needed to transfer confidential financial, patient, and billing information securely to accounting and market research companies as well as third-party billing and collection companies. According to Finney, some of these files were very large and contained extremely confidential information, such as service, diagnosis, and procedure codes, social security numbers, billing information, account numbers, medical record numbers, and demographic information. “Our partners were only allowed to transfer data through a VPN connection,” she explains. “It was difficult to manage and left information unprotected while stored on our FTP servers. There was also a chance that someone could gain access to another person’s account or that we might put a file into the wrong folder by mistake.”

The Solution

“We decided that we didn’t want to use a proprietary email encryption solution such as those offered by many of the content-filtering vendors,” Finney says. “Instead, we wanted to use an industry-standard solution a lot of our partners already used—a solution that would also be accepted outside the health care industry. This requirement naturally led us to the PGP Encryption Platform.”

Email encryption without desktop installations. As the IS administrator pointed out, “PGP Universal Gateway Email allowed us to deploy a solution that didn’t require anything to be installed on the recipient’s desktop. It gave us the flexibility to exchange data securely with recipients that used OpenPGP or S/MIME as well as with partners who didn’t have any encryption solution.”

DeKalb Medical Center’s content filtering mail transfer agent (MTA) filters emails for spam, malicious content, and sensitive information. Emails with sensitive information are routed to PGP Universal Gateway Email, which encrypts the contents and delivers them to external recipients. This setup eliminates the need for end users to classify information and ensures that all emails with sensitive content are always secured.
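As an added illustration of the routing step described above (not code from PGP Corporation or DeKalb Medical Center), the following Python sketch scans an outbound message for the kinds of identifiers the case study names as sensitive and decides whether the MTA should hand it to the encryption gateway or deliver it directly. The detection patterns, the message samples, and the `X-Encryption-Route` header name are assumptions.

```python
"""Content-based routing decision for outbound mail: scan, then route
sensitive messages to the encryption gateway instead of delivering them
in the clear. Illustration only; patterns and header name are assumed."""
import re
from email import message_from_string
from email.message import Message

# Constructed detectors for data types the case study lists as confidential.
# Real deployments tune these against their own false-positive rate.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "account": re.compile(r"\baccount\s*(?:number|#|no\.?)[:\s]*\d{6,}\b",
                          re.IGNORECASE),
}

def extract_text(msg: Message) -> str:
    """Subject plus every text/* part; non-text attachments are not inspected
    here, which is a gap a production filter must close separately."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)

def classify(raw: str) -> dict:
    """Return the routing decision and which detectors fired, with counts."""
    msg = message_from_string(raw)
    text = extract_text(msg)
    hits = {name: len(p.findall(text)) for name, p in PATTERNS.items()
            if p.search(text)}
    route = "pgp-gateway" if hits else "direct"
    msg["X-Encryption-Route"] = route  # assumed header the MTA would act on
    return {"route": route, "hits": hits, "message": msg}

# Constructed sample messages (not real patient data).
SAMPLE_PHI = """From: billing@hospital.example
To: partner@collections.example
Subject: Account follow-up
Content-Type: text/plain; charset=utf-8

Patient MRN: 00412233, SSN 123-45-6789, account number 88120045.
"""
SAMPLE_OK = """From: cafeteria@hospital.example
To: staff@hospital.example
Subject: Menu for Friday
Content-Type: text/plain; charset=utf-8

Friday's menu is on the intranet. Call extension 4412 with questions.
"""
```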

Although she’d had prior experience with PGP desktop solutions, Finney learned that PGP Corporation now provided enterprise-level encryption solutions. “The company had expanded its portfolio with solutions to secure data regardless of the mode of transport or storage,” she points out. “I initially thought we’d have to download and install a client, which is always time-consuming. After looking at PGP Universal Gateway Email, we realized this wasn’t the case.”

Easier process, higher security. DeKalb Medical Center also decided to phase out the VPN solution for its FTP servers and replace it with PGP file encryption. “There was no question about whether we would use PGP technology to encrypt our files,” Finney says. “We use PGP Command Line to encrypt files before they’re loaded onto the FTP server, which protects them both in storage and in transit so we no longer need additional transit protection such as a VPN. Equally important, PGP encryption is an industry standard and was very well accepted by our partners. They can opt either for an automated solution using PGP Command Line or choose an inexpensive, manual option using PGP Desktop Email if they only receive information sporadically.” Finney says another benefit of using PGP Command Line is that if the FTP server is breached or a file accidentally ends up in the wrong folder, the files are still encrypted and the data is secure.

Compliance and privacy as drivers. Compliance with HIPAA and information privacy concerns were the main drivers for the two projects, which were sponsored by the Compliance and Information Technology departments. “In the past 2 years, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has increasingly asked how we’re protecting patient information at rest and in transit, which we also need to detail in our annual audits,” Finney explains. “JCAHO has reported breaches in nine hospitals. The courts decide whether a breach occurred due to human error or to negligent security policy. If they determine negligence is the reason for a breach, the fines can be huge. That’s why we use PGP encryption: its reputation will stand up in court.”

The Results

According to the IS Administrator, hospital policy is to install most tools using the vendor-recommended version for 30 days and then modify the installation, if necessary, to fit specific needs. Finney had PGP Professional Services install PGP Universal Gateway Email, and then after 30 days, made adjustments with help from PGP Corporation via phone. “I was actually quite surprised at how well that process worked,” she says.

Easier communications. Finney said that before deployment, some departments were afraid encryption was going to complicate the communications process and handcuff them from a partner perspective. To address these concerns, the IS group put together a document for prospective partners that explained the hospital’s encryption standards for email and FTP. “For email, partners only need to install a client if they want to physically receive the file in their inbox,” says Finney. DeKalb Medical Center will also move the FTP server out to the DMZ to allow access without a VPN connection. “For FTP, partners are usually happy to purchase PGP Desktop Email or PGP Command Line to secure the connection because they’re easier to use than a VPN, eliminate a step in the process, and provide a more stable connection,” she says. In fact, Finney directs partners that want to purchase PGP solutions to DeKalb Medical Center’s PGP reseller: “They’re wonderful and have been a phenomenal resource for us. We love working with them. In the end, PGP encryption has made the entire process of securing data in transit and in storage much simpler.”

24x7 support. DeKalb Medical Center chose PGP® Platinum Support because it provided 24x7 assistance. “Our operations also run 24x7,” Finney explains, “and we have files that need to be sent at specific times. If they’re not sent on schedule, it creates trouble for our billing department. So far, we’ve had minimal problems.”

Reduced help desk calls. The IS Administrator said the internal introduction to encrypted email was nearly seamless. “There was almost zero impact on internal users. We created documents explaining how external recipients receive and reply to secure messages to make the process easier for them, and we included a phone number for assistance. The documents alleviated a lot of the help desk’s workload, and we also posted them on our PGP Universal Server. Although the PGP solution has been running for about a year, the help desk has received very few calls.” According to Finney, “Our help desk loves the PGP solution. They have minimal interaction with it. It encrypts and moves email. About the only thing they have to do is to reset someone’s password if they’ve forgotten it. Apart from that, they don’t have to do anything. They simply log on, do what they have to do, and that’s it.”

Finney rates the performance of the PGP solutions as phenomenal. She has not received any complaints from either FTP or email users. She also likes the scalability: “We bought this solution to last us at least 3 years, but it will probably last at least 5 because PGP Universal Gateway Email is very scalable.”

Enhanced customer service. “Before we introduced PGP Universal Gateway Email, our Customer Service department was not allowed to transmit patient information by email even if the request from the patient came in by email,” Finney says. “Instead, Customer Service had to pick up the phone and call them. Now, the combination of our content-filtering MTA and PGP Universal Gateway Email allows them to answer requests directly by email. They can even have extended ‘conversations’ with patients and physicians via email and include account numbers and codes without having to worry about whether it needs to be protected or whether it’s confidential.”

The IS Administrator is now seeing an increase in email traffic. “DeKalb Medical Center actively promotes the use of email by patients to communicate with the medical center. This capability means more choice for our patients and lower costs for us, so it’s a great deal for both sides,” she points out. “Our user response has been very positive. They love the fact that they can email without having to think about whether something needs to be secured.” Finney has also benefited. “Because users no longer have to ask what information is confidential, my call volume has decreased. We now have a tool that does this job, and it’s doing exactly what it’s supposed to do—very well.”

Summary

Finney is very satisfied with the outcome of the project: “If I were to do this project again, I wouldn’t do anything differently. It was probably one of the best and most seamless implementations we’ve done. The solution came in, and three days later we were encrypting email. It was much easier than we’d anticipated.”

According to Finney, DeKalb Medical Center is looking at automating certain tasks in the future: “We’ve started to send out appointment information to patients via email, and we can now include instructions such as whether they could eat before a certain medical procedure without worrying about keeping that information confidential. This capability will make the process more cost-effective and create a better information exchange with patients.”

The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.
