
Payformance Health: Protecting sensitive health care data on laptops and desktops

  • Customer Profile: Health care; 125 employees
  • Goals: Protect sensitive health care data; centrally manage encryption solution
  • Solution: PGP® Whole Disk Encryption secures laptops & desktops; PGP Universal™ Server provides central management
  • Deployment: Within time & budget; with PGP® Professional Services
  • Alternatives: Solution that could not be easily managed or updated
  • Benefits: Protecting reputation; lean administration; flexibility

Payformance Health chose centrally managed PGP Whole Disk Encryption to encrypt health care data.

Payformance Health provides claim settlement solutions to health care payers and providers. Its flagship product, PaySpan Health, automates the last phase of the health care claims process—payment and remittance—using Electronic Funds Transmission (EFT) and Electronic Remittance Advice (ERA). The IT department at Payformance Health provides the computing infrastructure and support for the company’s 125 internal users as well as product support for external customers. Payformance Health is a part of Payformance Corporation, a company that has more than 22 years of payment solutions experience.

The Challenge

During the course of business, Payformance Health acquires sensitive customer health care information, and many of its laptop users access, view, or store protected health information on their hard drives. “That data needed to be secured,” says George Betancourt, the director of IT and security official at Payformance Health. “The risk of such information being stored on a hard drive and then the laptop being stolen or lost was not acceptable to us.”

Regulatory compliance. As a company that handles health care information, Payformance Health must comply with the Health Insurance Portability and Accountability Act (HIPAA). Breach notification laws, such as California Senate Bill 1386, also apply to the company. “Encrypting data on desktops and laptops is one way to help mitigate the risks,” Betancourt says. Payformance Health is not a publicly traded company, so it is not directly bound by regulations such as the Sarbanes-Oxley or Gramm-Leach-Bliley Acts. Many Payformance Health customers are public companies, however, and therefore must comply with those regulations. “For our customers to satisfy their audit requirements, they need to show that everybody they do business with adheres to those same controls,” Betancourt explains. “So, indirectly, we also must adhere to them.”

Protect reputation and brand. Protecting its reputation and brand—as well as those of its customers—from damage due to a security breach was a primary motivation for Payformance Health to introduce laptop encryption. “Because we’re a relatively small company, our customers’ trust in us is our number one priority,” Betancourt explains. “If we were to breach that trust, it would be absolutely catastrophic to the company.”

Protect sensitive data. In mid-2006, after a number of data breaches related to the loss and theft of laptops made news headlines, Payformance Health senior management and the IT department decided they would strengthen their data security strategy by encrypting the hard drives of the company’s laptops. “As the number of internal users and customers grew, and as the company handled increasing amounts of highly sensitive health care and financial information, it was evident that we needed to encrypt a lot more than just our laptops,” Betancourt adds. Senior management decided the company would begin encrypting all the hard drives in the organization.

Lack of central management. The previous encryption solution required individual desktop-by-desktop management rather than central management and could not be updated easily. “When we realized that encrypting all the hard drives in the organization would surpass 100 systems, we started looking at what other products were available,” explains Betancourt.

The Solution

Betancourt first learned about PGP® solutions through information he received from a security reseller, Acuity Solutions. “When I asked about encryption, Acuity provided information about PGP® products,” Betancourt says. “In their eyes, this was the superior choice and the one a lot of their customers were using and were pleased with.” As a result, Payformance Health chose to deploy PGP Whole Disk Encryption, centrally managed with PGP Universal Server.

Risk mitigation for data on desktops. In addition to protecting its laptop computers, Payformance Health is using PGP Whole Disk Encryption to protect data on desktop computers and help mitigate the risk of theft. “We’ve had a couple of incidents of theft in the office,” Betancourt says. “Some windows have been smashed, and a couple of items have been removed—not PCs, but some monitors. We’re afraid that the next time it might be a PC that contains sensitive information. While making significant changes to building security, it was cost-effective enough to just go ahead and encrypt all the PCs in the company.”

Trusted solution. “PGP Whole Disk Encryption appeared to be a very mature, well-designed product,” Betancourt says. PGP name recognition and trust in the company’s products also factored into the IT Director’s choice.

Central management. According to Betancourt, the ability to centrally manage PGP Whole Disk Encryption as well as other PGP solutions was a unique selling point. “We chose PGP Whole Disk Encryption specifically because we could manage it centrally with PGP Universal Server. It’s also very attractive because we’ll be able to plug in additional applications in the future, such as PGP email or file encryption, using the same PGP® Encryption Platform architecture,” he says.

The Results

By the third quarter of 2007, Betancourt’s team had started deploying PGP Whole Disk Encryption on its laptop and desktop computers.

Quick deployment. Moving from Payformance’s existing encryption product to the PGP solution required some additional steps. Before Payformance Health could deploy the PGP solution, the IT team had to decrypt each laptop or desktop, and then uninstall the previous encryption product—a process that took about 2 hours per computer. “The process isn’t too difficult,” Betancourt says, “but because the previous encryption product has no centralized management, it’s a very manual process. Our IT staff has to physically handle each individual laptop.” The IT staff can streamline deployment, however, by using Microsoft SMS to remotely push out PGP Whole Disk Encryption from their workstations.

Smooth rollout. PGP Professional Services spent 2 days at Payformance Health, working with the IT team to deploy the solution. “The first day they discussed what the deployment would mean in terms of installing PGP Universal Server and pushing out PGP Whole Disk Encryption to the desktops,” Betancourt explains. On the second day, the Payformance Health and PGP teams installed PGP Universal Server and deployed PGP Whole Disk Encryption on about 20 desktops. “A few minor questions came up, and PGP Professional Services was there to answer them and work through any issues. They were very knowledgeable. I think it was important that they were here to ensure the rollout was smooth. It all went well, and I’m pleased with the product,” Betancourt says. “I’m excited to move forward and complete the deployment.”

Integration with infrastructure. Payformance Health integrated PGP Universal Server with Microsoft Active Directory, which allowed the company to use its existing system to manage users and also to streamline the deployment. To simplify the process for the users, Payformance uses the single sign-on functionality in PGP Whole Disk Encryption. “Users just type in their network password at the PGP boot screen, and that’s it. They log right into their desktop,” Betancourt says.

Eager users. Use of PGP Whole Disk Encryption has generated very few requests at the Payformance Health Help Desk. “So far, we haven’t received any negative feedback. They like it,” Betancourt says.

Summary

For others considering a data protection solution, Betancourt recommends they first perform a risk assessment. “Make sure that the information you’re dealing with needs to be protected by encrypting the contents of your laptops or desktops,” he says. “If so, then I would recommend adopting a PGP solution.”
