Small Insurer, Big InfoSec Investment
Breach Prevention Makes Security a Top Priority
A small health plan in Tennessee is making a big investment in information security, using encryption, secure e-mail and other technologies to help prevent breaches.
TRH Health Plans, which serves 186,000 enrollees in Tennessee, "takes our customers' privacy very seriously," says Scott Alberd, assistant vice president of information technology. "We feel that our customers trust us to not only provide them with the best health coverage possible, but to keep their personal information secure."
The insurer, which is affiliated with the Tennessee Farm Bureau and has just 100 employees, specializes in providing coverage directly to individuals, rather than through employers.
"Our executive management recognizes that keeping our customer's personal data safe requires a large investment in personnel and information security systems," Alberd says. "Security-related purchases account for at least one-third of our annual IT spending."
That's an extraordinary investment, given that the Healthcare Information Security Today survey shows that only about 11 percent of organizations devote 7 percent or more of their IT budgets to information security. But the survey also shows 43 percent expect the percentage devoted to information security to grow in the year ahead.
Commenting on the survey findings, Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center, notes: "As healthcare leaders discover how much more vulnerable their information systems are, and the real costs for breaches, the return on investment calculus [for security] is shifting."
The Role of Encryption
TRH Health Plans views encryption as an essential component of an effort to prevent breaches and comply with HIPAA's security requirements.
"The cost of encryption, and any performance impact, is much lower than the costs associated with an intentional or accidental data loss," Alberd stresses.
For three years now, the health insurer has centrally managed whole disk encryption for all desktops and laptops. "And our company has not experienced any measurable application performance decreases after implementing encryption," Alberd says.
In addition to its major investment in encryption to protect stored data, the small health insurer has invested in technologies to protect e-mail.
It recently migrated to the latest version of an e-mail management application from Red Earth Software that performs several functions. The application, for example, can scan inbound and outgoing e-mail for sensitive information, such as Social Security numbers, and "quarantine" potentially troublesome messages so they can be reviewed by a legal team or automatically deleted based on a set of rules.
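The scan-and-quarantine workflow described above, as an added Python example that is not Red Earth's product or TRH Health Plans' configuration: it parses an e-mail, looks for dashed-form Social Security numbers in the plain-text parts, decides the message direction from the sender's domain, and applies an ordered rule set that either delivers the message, holds it for review or deletes it. The internal domain, the rules, the thresholds and the sample messages are all constructed for illustration; real deployments would also scan attachments and HTML parts and log a masked record of every hit.

```python
"""Minimal e-mail DLP scanner: find SSNs, then deliver, quarantine or delete per rule."""
import email
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from enum import Enum

INTERNAL_DOMAIN = "example-plan.test"  # hypothetical insurer domain (assumption)

# Dashed US SSN; reject area 000/666/9xx, group 00 and serial 0000, which the
# SSA never issues, to cut obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


class Action(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"  # hold for legal/compliance review
    DELETE = "delete"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str       # "inbound" or "outbound"
    external_only: bool  # apply only when some recipient is outside the company
    min_ssns: int        # fire when the message carries at least this many SSNs
    action: Action


# Constructed policy, evaluated top to bottom; the first matching rule wins.
RULES = (
    Rule("outbound-bulk-ssn", "outbound", True, 25, Action.DELETE),
    Rule("outbound-ssn-to-external", "outbound", True, 1, Action.QUARANTINE),
    Rule("inbound-bulk-ssn", "inbound", False, 10, Action.QUARANTINE),
)


@dataclass(frozen=True)
class Verdict:
    action: Action
    rule: str
    ssn_count: int
    sample: str  # masked example, safe to write to a report


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def mask(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _plain_text(msg: EmailMessage) -> str:
    """Concatenate text/plain parts; attachments and HTML are out of scope here."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def classify(msg: EmailMessage) -> Verdict:
    sender = parseaddr(str(msg.get("From", "")))[1]
    direction = "outbound" if _domain(sender) == INTERNAL_DOMAIN else "inbound"
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    has_external = any(_domain(a) != INTERNAL_DOMAIN for _, a in getaddresses(headers))

    ssns = find_ssns(_plain_text(msg))
    sample = mask(ssns[0]) if ssns else ""
    for rule in RULES:
        if rule.direction != direction or (rule.external_only and not has_external):
            continue
        if len(ssns) >= rule.min_ssns:
            return Verdict(rule.action, rule.name, len(ssns), sample)
    return Verdict(Action.DELIVER, "default", len(ssns), sample)


def classify_raw(raw: str) -> Verdict:
    return classify(email.message_from_string(raw, policy=policy.default))


# Constructed sample messages (not taken from the article).
OUTBOUND_TO_CUSTOMER = ("From: claims@example-plan.test\nTo: member@example-mail.test\n"
                        "Subject: Your claim\n\nClaim for member 123-45-6789 processed.\n")
INTERNAL_ONLY = ("From: claims@example-plan.test\nTo: audit@example-plan.test\n"
                 "Subject: File note\n\nMember 123-45-6789 file updated.\n")
INBOUND_FROM_MEMBER = ("From: member@example-mail.test\nTo: claims@example-plan.test\n"
                       "Subject: Application\n\nMy SSN is 123-45-6789, please update it.\n")


def bulk_export() -> str:
    """Outbound message carrying 30 constructed SSNs, i.e. a bulk export."""
    rows = "\n".join(f"{100 + i:03d}-45-{1000 + i:04d}" for i in range(30))
    return ("From: claims@example-plan.test\nTo: partner@example-mail.test\n"
            "Subject: export\n\n" + rows + "\n")


if __name__ == "__main__":
    for raw in (OUTBOUND_TO_CUSTOMER, INTERNAL_ONLY, INBOUND_FROM_MEMBER, bulk_export()):
        v = classify_raw(raw)
        print(f"{v.action.value:10} rule={v.rule:26} hits={v.ssn_count} sample={v.sample}")
```

Rule order matters: the bulk rule sits above the single-hit rule so a mass export is deleted rather than merely held, and the default is to deliver, which keeps ordinary member mail flowing while every hit still produces a masked record for reporting.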
TRH Health Plans uses the Red Earth application in conjunction with another product, from Barracuda Networks, for virus detection and spam filtering.
The health insurer also uses a secure portal from Zix Corp. to send encrypted e-mail to its clients. And it has established direct links to certain business partners to avoid sending sensitive information over the public Internet.
"For a majority of our employees, we force outbound e-mail through the secure portal so there's less risk of accidental release of information," Alberd explains. "With Red Earth, we can run a report to see what's been sent."
In another security move, TRH requires employees to authenticate their identity using a hardware token when using a virtual private network to remotely access information.
Money Well Spent
Alberd sees a substantial investment in information security as the cost of doing business in the 21st century. "Keeping customer data secure is not an option," he stresses. "We have been entrusted to keep their information safe. It is our place to make sure we implement the appropriate technologies and utilize them to their full potential."