Large healthcare insurer improves application testing and protects privacy with IBM Optim

Published on 11-Jan-2010

Validated on 11 Oct 2012

"Our primary goal is to provide more test data in less time. Using Optim, we have been able to automate the process of creating subsets of data for several accounts, and these tasks take minutes rather than hours, an incredible accomplishment." - Director of Application Testing and Quality, Large Healthcare Insurer

Customer:
Healthcare Insurer

Industry:
Healthcare

Deployment country:
United States

Solution:
Integrated Data Management

Overview

Large Healthcare Insurer uses IBM Optim to help support HIPAA compliance and improve application testing

Business need:
Support corporate and Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, protect data privacy across nonproduction environments, improve application development and testing processes, reduce time required to set up test data, improve test validation tasks, and increase test coverage to speed the delivery of reliable applications

Solution:
IBM® Optim™ Data Privacy Solution provides comprehensive data masking capabilities to protect privacy across nonproduction environments, while IBM Optim Test Data Management Solution provides automated subset-and-compare capabilities to improve testing efficiencies

Benefits:
- Masked sensitive data to support HIPAA requirements across nonproduction internal and outsourced environments
- Shortened time to set up test data from weeks to hours
- Automated and reduced time to validate 100 percent of test data from 6 days to 2 hours

Case Study

Mergers and acquisitions created one of the largest healthcare insurers and benefits providers in the United States. The company expanded to include group insurance, healthcare and behavioral health. Managing routine insurance activities and daily operations, while supporting continued growth, relies heavily on hundreds of applications in the mainframe and open systems environments.

The systems associated with each insurance offering provide information for financial, tax and customer reporting, as well as medical and information management. The IT infrastructure also includes a massive data warehouse that collects data for analysis purposes. In this highly integrated operating environment, all of these systems receive information from the top three healthcare applications: Client Accounts, Benefits and Eligibility, and Partner Providers.

Focusing on HIPAA privacy requirements
The primary focus on Health Insurance Portability and Accountability Act (HIPAA) compliance requirements led to a Client Information Protection (CIP) initiative to ensure the privacy of sensitive client information in nonproduction (development, testing and training) environments. “We had some copies of production data in test, and with our information protection initiative we had to comply with the HIPAA data privacy requirements,” says the director of application testing and quality. The CIP directive launched the search for a data management solution to protect privacy.

The application environment contains volumes of Private Healthcare Information (PHI). In addition to managing eligibility and claim information, these applications process checks, initiate electronic transfers, manage healthcare reimbursements and fund transfers in and out of employees’ financial accounts. Additionally, some applications process 1099 tax reporting information for partner providers that includes bank account numbers. Other applications manage debit healthcare cards that are similar to flex spending accounts and used to pay for healthcare. To protect privacy, it is necessary to mask sensitive data such as personal identification, Social Security numbers and tax ID numbers. Masking ensures that even if exposed, the data is not useful to anyone.

Improving application testing
The director was also involved in a test data management review to support application enhancements that enable improved customer service and expanded insurance offerings. Automating procedures to set up test data from across the 150-plus enterprise applications was a high priority. However, it was while setting up data for one of these massive integrated releases that the need to shorten the data setup time had the most impact.

“Because our application testing environment is highly integrated, we did not want to create ‘fake’ or unrealistic test data, and because we were testing new functionality, we could not copy data from production. All test data had to be created and set up manually,” says the director. “It would take a month to set up benefits and eligibility account information to run claims, customer reporting, process payment checks, run all the banking transfers and so on. It took over four hours to load one account into our Client Account system. So it would take us a month to set up test data for 30 or more accounts, and only a few testers were fully knowledgeable about the functionality of specific integrated applications.”

A solution that would automate processes wherever possible would reduce the time to set up test data for each testing cycle. Automation would allow testers to be more independent in satisfying their requirements. A viable test data management solution would also reduce capacity and processing requirements and lower the cost of masking test data from production environments.

One solution for addressing two issues
The enterprise initiative for protecting privacy required a solution with capabilities for masking data in nonproduction environments and across applications, databases, operating systems and hardware platforms. Similarly, ensuring reliability and maintaining critical business applications required automated test data management capabilities that would shorten the time to create and refresh development, testing and training environments.

From a data privacy perspective, most of the evaluation criteria focused on data masking capabilities. The director notes, “IBM® Optim™ satisfied our requirements to mask data and bring it into the testing environments logically intact and valid for testing. Optim’s built-in data masking techniques offered the flexibility needed to mask data consistently and to protect privacy across our applications and testing environments. We would also be able to eliminate privacy gaps in our IT infrastructure.”

From a test data management perspective, they had already evaluated a competing solution. “In fact, one of our tests ran for several hours and cost us thousands of dollars to find out that it did not work. So I tossed it out before we even finished the evaluation,” the director explains. “In comparison, we immediately recognized Optim’s potential value for improving our test data management capabilities. With one solution to meet all of our needs, we stepped in to purchase Optim.”

Implementing step by step
The Application Testing and Quality team continues to make progress in defining and improving their test data management strategy. Initially, they used Optim to focus on data masking for the top two of the three systems. At the same time, they are managing development requests as well as database maintenance and replication.

“Our primary goal is to provide more test data in less time. Using Optim, we have been able to automate the process of creating subsets of data for several accounts, and these tasks take minutes rather than hours, an incredible accomplishment,” the director explains. “Our next goal is establishing database refresh-and-compare strategies. We are also planning to outsource more of our development and quality assurance efforts, and Optim’s data masking capabilities are a major factor in this plan. In the final analysis, outsourcing will save millions of dollars in development costs, and with Optim’s masking capabilities, the PHI data we process will remain confidential.”

Realizing time and cost savings
Implementing Optim to protect privacy and shorten the time to set up test data will save tens of thousands of dollars per year. “Using Optim, we defined selection criteria and automated processes to mask and extract precise sets of test data in a form that can be shared and reused,” says the director. “We have improved testing efficiencies by creating an inventory of these definitions and making them available on our development and quality assurance server, where testers have easy access to the test data they need. We can protect privacy while making developers and testers more self-sufficient.”

Optim’s automated capabilities are having a positive impact. “For example, the Volume Stress Test group required a week to set up the JCL for test data, and with Optim, it took only 15 minutes—a 160 percent time reduction,” says the director. “We are also using Optim to create multiple test environments. For example, it takes about six hours to create data manually for two massive accounts. Using Optim, we are going to replicate these accounts eight times and estimate that we can save 96 hours because Optim automates the replication process.”

“Similarly, we have to replicate an account 200 times to support training. Every trainee in classes simultaneously across the country must have individual account numbers. Optim allows us to propagate masked account numbers and data fields so we can deploy multiple copies of the same account for training. Cloning 200 accounts using Optim will take only a few minutes for each account, versus hours to enter 200 accounts manually,” says the director. “In addition, using Optim’s automated compare capability, we were able to validate a full account list and even found a few production errors. Performing the validation process manually took six days, and we were only able to validate 50 percent of the data. We are now validating 100 percent of the data for a much safer release process—and by the way, Optim took two hours to do the compare.”

Integrating data management
The provider’s primary goal was to protect PHI for HIPAA compliance, but its next focus will be on intellectual property standards and restricted data, which is more about private information from a corporate perspective. The company’s second goal was to shorten the time required to set up the test data to allow more time for actual testing.

“Optim allows us to automate processes for creating and managing masked data across our development, testing and training environments. The time we save allows us to test new functionality, develop reliable applications and ultimately make our applications more robust to improve business operations and service,” notes the director. “I would recommend Optim without a doubt. We are extremely satisfied with Optim’s capabilities and will continue to extend its use to other areas within the company.”

For more information
Contact your IBM sales representative or IBM Business Partner, or visit us at: ibm.com/software/data/data-management/optim-solutions/

Products and services used

IBM products and services that were used in this case study.

Software:
Optim Test Data Management Solution for Custom and Packaged Applications, Optim Data Privacy Solution for Custom and Packaged Applications

Legal Information

Copyright IBM Corporation 2009

IBM Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
December 2009
All Rights Reserved

IBM, the IBM logo, ibm.com and Optim are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

This case study is an example of how one customer uses IBM products. There is no guarantee of comparable results. References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

IMC14084-USEN-01