PHNS: Health care outsourcer offers email security solution

DeKalb

  • Customer Profile: Business process outsourcer; 1,400 employees; private company
  • Goals: Regulatory compliance; brand protection
  • Solution: PGP Universal™ Gateway Email & PGP® Desktop Email encrypt sensitive emails; PGP® Command Line secures server-to-server communication
  • Deployment: Integration with content filter; low operating cost through virtualization
  • Benefits: Higher security; regulatory compliance; ROI from standardization

PHNS provides managed security solutions for email and data flow between applications in health care organizations based on the PGP® Encryption Platform.

PHNS provides comprehensive business solutions for hospitals and other health care organizations, including information technology, health information management (medical records management and storage, transcription, coding, release of information, and electronic medical record services), receivables management services, advisory services, and security and compliance services. Serving more than 400 U.S. hospitals, PHNS services help hospitals improve operations, enhance technology, and reduce IT-related costs.

The Challenge

As a technology outsourcing provider, PHNS was called upon to help its partners comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which requires health care organizations to protect the privacy of "individually identifiable health information." With HIPAA deadlines fast approaching, PHNS had to identify a secure mail solution that was able to service the needs of multiple customers with high volumes of email.

Compliance as driver. The primary use case was PHNS customers communicating with their business partners, associates, and patients. Brian Perry, director of information security at PHNS, explains how the project started: "The impetus for finding an email encryption solution that was integrated into our standard email security infrastructure was driven by HIPAA; however, we also wanted to secure other sensitive information. PGP Corporation offered a flexible solution that addressed all our compliance and integration requirements."

Customer demand. PHNS initiated this project as a result of customer demand: "The biggest sponsors for this project were our customers, who were aware of the impending HIPAA deadlines and wanted to ensure this issue was checked off the list," Perry explains. "We definitely saw our managed secure email service as a strategic way to service our customers' business needs. It was very important that we design a well-thought-out solution."

Protecting the bottom line. Perry knew that unauthorized information disclosure could be costly. In the course of providing quality patient care, hospitals and physicians are required to communicate some very sensitive information. Disclosure of this information could not only affect people's lives but the organization's brand, image, and even the bottom line. "As our customer's IT security partner, we have to ensure an information breach doesn't happen because it could significantly hurt their business as well as ours. It really comes down to a matter of trust," Perry says.

The Solution

Perry evaluated multiple solutions and determined that the PGP® Encryption Platform was the best fit to address his customers' requirements: "PGP® technology is well accepted as the standard for strong data encryption, so for us, it was a logical choice."

Integration with existing services. PHNS offers its customers comprehensive secure email services: "We'd already invested heavily in other email security solutions for content filtering, anti-virus, and anti-spam," Perry says. "While we were evaluating an email encryption solution, we heard that PGP Corporation was developing a strategic alliance with our email content-filtering partner. This moved PGP Universal Gateway Email higher up on my list because we'd spent a lot of time designing and figuring out how to consolidate our email flow into one strategic, hosted, secure environment. As an outsourcing company, we have to look for ways to consolidate solutions and to manage things efficiently so we can reduce costs. Having distributed email environments was not easy to manage, and it also wasn't as secure as we wanted it to be. That's why these two projects went hand-in-hand."

Unexpected capabilities. The director was surprised at how much PGP Corporation had changed in recent years: "I was very impressed with the new PGP® product line. The capabilities of the company's sales and support organizations were also impressive. Our main concerns were integration with our existing mail content solution and whether the software was mature enough for our production environment, and PGP Corporation performed well in both areas."

Choosing the market leader. "When we choose a vendor, the company and brand are important to us," says the director. "PGP Corporation is the market leader in encryption. Even the least-technical of our customers was either already using or was familiar with PGP® encryption. Many of the other solutions were from new companies that didn't have the same market presence as PGP Corporation. Whenever we select a strategic technology, we look for the leading name because it makes it a lot easier to convince our customers to employ the technology if they know and trust the brand."

Perry explains how the PGP® solution fit into the PHNS business model: "Part of what PHNS does is to reduce IT costs for health care providers by leveraging the buying power of multiple organizations. That's why it's important to find a solution that meets everybody's needs. The PGP Encryption Platform not only fit well into all environments, but it compared favorably to all the alternative solutions we looked at."

Safe option in volatile market. The outsourcer scrutinized a range of vendors: "We took a close look at the industry and some of the industry analysts, such as Gartner, to verify the market positions of the vendors we were investigating," Perry says. "The security space is very volatile, and we wanted to ensure we wouldn't end up with a great solution that didn't have a great company behind it. We try to make strategic decisions for our customers because we're their trusted IT advisor. The last thing we want is to recommend a technology or a product that suddenly is no longer supported. That wouldn't be a good situation for our customers or for us, and that is why we chose PGP Corporation."

Alternatives considered. Perry evaluated several other vendor solutions as well, including one that was selling aggressively into the PHNS customer base: "It wasn't a bad solution, but it didn't really stack up against the maturity and robustness of PGP Universal Gateway Email. We wanted the encryption solution to be as transparent as possible to end users, and we needed to ensure that the availability and performance of what we recommended didn't cause unnecessary delays. PGP Universal Gateway Email fulfilled and even exceeded our expectations."

No proprietary solutions. PHNS also looked at some solutions that used proprietary encryption protocols. "We always shy away from proprietary solutions because they haven't been subjected to the same scrutiny, peer review, and utilization across a broad user base that can dissect it and understand what's going on," Perry says. "Most companies hesitate to deploy proprietary solutions when there's a product available that supports an open standard. We anticipated more problems with deployment and establishing secure communications with business partners when employing a proprietary solution."

Increased security for corporate communications. Apart from deploying PGP Universal Gateway Email to protect email at the gateway, PHNS also installed PGP Desktop Email: "We needed a way to protect certain documents that pass outside the boundary of our trusted network. We decided to use PGP Desktop Email so we could send and store sensitive information securely."

Securing heterogeneous systems. PHNS uses PGP Command Line to secure the data flow between key systems. According to Perry, "My security group had been pressuring other departments to move away from insecure protocols and explore more secure options such as PGP Command Line. The PHNS Integrations group was able to write some scripts and develop applications that leverage PGP Command Line."

Valuable training. PHNS security specialists attended PGP® Technical Training so they would be able to support corporate and customers' systems more effectively: "Our engineers thought PGP training was very valuable and came back with some suggestions for deployment and how to better manage the solution," Perry says.

24x7 support. PHNS wanted to ensure it had effective ways to escalate support calls it couldn't handle internally, so it chose a 24x7 PGP® Platinum Support plan with an assigned engineer plus a backup engineer. According to Perry, "This support option suits our business needs well. We've been very happy with the PGP® Support team. Everyone has been very responsive, and the answers we've received have been 100% accurate. In particular, the collaboration between PGP Support and our email content management vendor has been excellent. We've also found the PGP® Support Portal very useful for downloading patches and updates."

Assigned support engineer. Perry said it was important that PHNS have an assigned engineer: "It's always much easier if you've developed a relationship with someone, especially during the early deployment phases of a new solution, because that person is familiar with your specific configuration and the components of your deployment."

The Results

According to Perry, PHNS completed the project within the specified timeframe: "We got the system running on schedule and stayed very favorably within budget. The PGP Universal Gateway Email deployment was one of the easiest I've ever managed," Perry says.

Content-based encryption. PHNS was able to establish an on-demand approach to encryption as well as automated encryption solutions, all with minimal impact on end users. "Our email content server was set up to trigger automatic encryption through PGP Universal Gateway Email for emails that contained sensitive content but were not flagged for on-demand encryption," recounts Perry. In addition, compliance and monitoring of the effectiveness of PHNS security policies was a challenge, so automating these functions was very helpful: "I don't have a huge staff that can watch email traffic around the clock, so automation and reporting are important. If we couldn't use content-based encryption, we'd be stuck with only an on-demand form of encryption that depends on users to remember when they're transmitting sensitive information, which isn't always the most effective way to do things."

Benefits from virtualization. PHNS hosts a number of its solutions on virtual machine technology. "We have a very aggressive strategy of 'virtual first,' so we didn't want to deploy a hardware appliance if we could avoid it," Perry says. "Because PGP Universal Gateway Email ships as a software appliance, it enabled us to experiment and eventually deploy it on virtual servers. PGP® deployment engineers came on-site to help us install it in our complex environment. Working with them was great."

Perry elaborates on the PHNS infrastructure: "Our secure email environment essentially consists of our email content management system - that also provides anti-virus capability, spam control, and compliance monitoring - and PGP Universal Gateway Email. It was important to set up a separate, virtual PGP Universal Gateway Email server for each customer so we could customize it to that customer's requirements. There are many advantages to virtualization, such as uptime, scalability, reliability, and the ability to move servers from one machine to another or even to a different geographical location. Using a hardware appliance would have made the entire project a lot more expensive and wouldn't have given us this flexibility."

Support for virtual environment. Today, running PGP Universal Gateway Email on a virtual machine is a supported environment, but that was not the case when PHNS wanted to introduce the solution. "When the virtualization issue came up, this wasn't a supported configuration," Perry says. "PGP Support worked closely with us on problems that arose when running a hardened appliance in a virtual environment, and we were able to resolve all the issues."

Positive feedback. Perry liked the feedback he received from other organizations: "PGP Universal Gateway Email was well-received by our business partners. One of the biggest challenges isn't necessarily introducing a new technology but getting partners on board with a new business process they need to integrate. PGP Universal Gateway Email makes that process much easier than alternative solutions would have."

Return on investment. Perry says that bringing different email security solutions in line brought a considerable return on investment (ROI): "Before the project, our customers used a number of different solutions for email anti-virus, anti-spam, and content filtering. We were able to consolidate and automate these systems so that we could manage them with fewer people and resources, leading to lower costs and a higher ROI for our customers. PGP® encryption solutions also compared favorably to those from other vendors in terms of ROI."

Low operating costs. The PHNS help desk has had a good experience with the new PGP solutions: "Our help desk people like the PGP solutions because they haven't created a large volume of work for them," Perry points out, "so the operating costs are very low."

Summary

The director sums up his experience in the project: "PGP Universal Gateway Email is one of the easiest products I've ever used."

Lessons learned. There are some things Perry would do differently next time: "I think our biggest challenge was on the communications side. PGP Corporation provided us with some great training and communications materials. If I were to do another project like this, I would leverage that information more to inform customers and partners earlier in the project about the new solution and exactly what was going to happen in the process."

An extensible solution. Perry says that PHNS is planning to extend its use of PGP solutions: "The PGP Encryption Platform is now part of the security services line of business. Email security is a strategic offering for us, and we're planning to add other services such as disk encryption for mobile systems as well. There are also other areas we want to secure, such as our 'work-at-home' program users' systems. This is an area of concern for service providers because people are working on a computer that is inside their house rather than in a corporate office or secure data center, so there are increased risks of information disclosure. We'll look at what's needed to secure this environment and will definitely consider asking PGP Corporation to help. The alternative solutions we looked at couldn't secure these areas and only dealt with email encryption. Using the PGP Encryption Platform, we can leverage one skill set and management platform for a wide range of security applications while reducing costs."

The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.

"It was important that the encryption solution we selected be non-intrusive to end users. The PGP® Encryption Platform fulfilled and even exceeded our requirements."

- Brian Perry, Director, Information Security, PHNS
