Blue Cross Blue Shield of Tennessee auto-encrypts patient data

Using IBM System Storage DS8700

Published on 22-Jul-2011

"Our decision in favor of the DS8700 was based on the benchmark that showed no change in performance when encryption was enabled." - Michael Lawley, Vice President, Technology Shared Services, BCBST

Customer:
Blue Cross Blue Shield of Tennessee (BCBST)

Industry:
Healthcare

Deployment country:
United States

Solution:
Virtualization, Virtualization - Storage

Overview

Blue Cross Blue Shield of Tennessee (BCBST) serves more than two million people across Tennessee with health plan coverage and insurance products, and has more than five million customers nationwide. The company is an independent, not-for-profit, locally governed health plan organization, part of the Blue Cross Blue Shield Association, a nationwide association of health care plans.

Business need:
To ensure compliance with HIPAA, BCBST needed to protect patient data against unauthorized access — even where disks, laptops and USB keys are taken off site.

Solution:
Implemented disk-level hardware-based data encryption on three IBM® System Storage® DS8700 arrays and software-based encryption for other systems, controlled through IBM Tivoli® Key Lifecycle Manager.

Benefits:
Automatic encryption of data ensures protection that meets or exceeds regulatory standards at minimal cost to BCBST; simple end-to-end management minimizes administrative time and effort for IT staff.

Case Study

BCBST is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires specific data security standards to be met and includes severe financial penalties for non-compliance.

The theft of disk drives from BCBST, on which more than a million patient data records were stored, unencrypted, highlighted the risk of physical loss. The breach of data security incurred significant penalties under various federal regulations, and the total operational cost to BCBST was estimated to be greater than $10 million.

Michael Lawley, Vice President, Technology Shared Services, explains, “The drives were part of a RAID array with proprietary codecs, and all the data was backed up to a second site. It is extremely unlikely that anyone would have been able to recover sensitive patient data, and we suffered no data loss—but it demonstrated a weakness that we had to correct.”

Fast encryption
BCBST turned to IBM for advice on protecting nearly 1 PB of customer data held on enterprise storage devices and backup tapes. This set of data includes customer call recordings, financial and health information.

For a portion of its enterprise data, BCBST selected the IBM System Storage DS8700, which offers disk-level hardware encryption. In a proof of concept, IBM demonstrated that the encryption does not negatively impact system performance, and does not require any changes to SAN or application configuration.

The drives in the DS8700 can encrypt data automatically as it enters the drive to be stored, and decrypt it as it moves out of the drive. The embedded encryption engine helps to ensure that there is virtually no performance degradation compared to non-encrypting drives. Self-encrypting drives are rapidly becoming the preferred model for securing data stored on tape cartridges and disk drives. For example, the National Security Agency has qualified self-encrypting disk drives for protecting information on computers deployed by U.S. government agencies and contractors for national security purposes.

“In the past, theft of a disk would have to be notified as data loss,” says Michael Lawley. “Additionally, every person and organization with records on that disk would have to be contacted and advised that their information was potentially at risk of disclosure. The disk-level encryption offered by DS8700 is considered to fully protect the data, and therefore removes the notification requirements.”

He adds, “Making the DS8700 part of our solution was based on the benchmark that showed no change in performance when encryption was enabled. This meant that we could meet our information protection, regulatory and contractual compliance obligations with no technical or business penalty.”

Full control
To extend data protection across all devices and to keep the administrative burden to a minimum, BCBST deployed IBM Tivoli Key Lifecycle Manager software to manage all encryption keys.

Enforcing enterprise-wide encryption standards is critical, because data storage is inherently mobile: tapes are archived offsite and disk drives are routinely replaced. Tivoli Key Lifecycle Manager authenticates interactions between all client systems and the three DS8700 arrays deployed by BCBST. It also handles authentication with non-IBM enterprise storage devices offering disk controller-level encryption, as well as providing the necessary public key infrastructure for other systems within BCBST that rely on software-based encryption.

Ed Shields, Director of Infrastructure Engineering Services, comments, “Many of the vendors we talked to could offer a software solution at all levels of the enterprise. However, introducing software-level encryption throughout the whole business would probably have degraded our performance, requiring additional hardware investments to get us back up to speed.”

Tiered storage
BCBST uses IBM System Storage SAN Volume Controller to virtualize its enterprise storage devices, creating a single pool of disk capacity that can be shared flexibly between any servers in the enterprise. SAN Volume Controller allowed BCBST to migrate data from unencrypted legacy systems to the new DS8700 arrays without requiring any application change or service interruption. BCBST now uses SAN Volume Controller to manage its storage tiering strategy, moving critical data to the high-performance DS8700 and less frequently accessed data to slower devices, optimizing its storage investments.

Enterprise data backup, archive and recovery are managed and automated by IBM Tivoli Storage Manager, writing to encrypted tape.

Transformational solution
BCBST has transformed its enterprise data encryption standards, and is in the process of completing operating system encryption for more than 1,000 servers, in addition to enforcing encryption on countless removable media devices and remote systems, such as USB sticks, CD/DVD drives, Blackberrys and iPads.

Michael Lawley concludes, “Our business is to a very large extent built on trust, and having IBM’s secure, encrypted systems helps build that trust with our consumers. Combined with the huge benefits of using SAN Volume Controller to virtualize our storage and introduce tiered storage, we have transformed our protection of data at rest.”

Products and services used

IBM products and services that were used in this case study.

Hardware:
Storage: DS8700

Software:
Tivoli Key Lifecycle Manager, Tivoli Storage Manager, System Storage SAN Volume Controller

Legal Information

© Copyright IBM Corporation 2011. IBM Systems and Technology Group, Route 100, Somers, New York 10589, U.S.A. Produced in the United States of America. May 2011. All Rights Reserved. IBM, the IBM logo, ibm.com, System Storage, System Storage DS and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. Offerings are subject to change, extension or withdrawal without notice. All client examples cited represent how some clients have used IBM products and the results they may have achieved. The information in this document is provided “as-is” without any warranty, either expressed or implied.