Delta Dental of Missouri – a member of the nation’s leading dental benefits organisation, Delta Dental Plans Association – offers dental and vision benefits in the states of Missouri and South Carolina.
It is the carrier of choice for over 2,000 companies and has more than 1.5 million members. The company places a strong focus on prevention and evidence-based oral health quality measures, which has earned it the participation of 96% of all practicing dentists in Missouri.
Business Challenge
Delta Dental of Missouri stores many terabytes of information in its claims system – member demographics and eligibility, claims, provider information, contracts, payment information, notices of benefits, statements, etc – approaching "big data" classification. Bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards for electronic health care transactions, all data must be encrypted both while in transit and at rest.
Karl Mudra, Delta Dental of Missouri’s CIO, says: "One of our corporate values is to be good stewards of the data we care for on behalf of patients, providers and the groups we serve. In our view, it was a sound practice – irrespective of the HIPAA mandates – to find a best-in-class security solution. With data encryption, I believe it’s essential to be prepared ahead of time, instead of trying to react after there’s been a data breach."
Technical Challenge
Content from our partners
Database-level encryption proved challenging. "When we first started looking, not all of the alternatives to encrypt our SQL data were viable," recalls Mudra. "Because of our database version, many of the products necessitated rewriting our whole application, changing user-level processes and procedures, creating new reporting routines, and making modifications to our production and back-up environments."
Mudra had additional criteria for any viable encryption technology. He notes: "We wanted a policy-based encryption solution, so we could grant permissions at both the user and/or application levels according to pre-defined rules, similar to how most firewall products are configured. We also needed comprehensive key management, centralised administration, and the ability to leverage the solution across both the production and disaster recovery environments. Finally, the option we selected had to be invisible to our users, with zero impact on productivity."
Solution
After rejecting multiple vendors, Mudra’s team brought in Vormetric to demonstrate Vormetric Data Security. "We were very impressed," he explains. "Vormetric Encryption gave us the policy-based approach we needed, and it didn’t matter if we were running Microsoft Windows or Linux, handling files or folders, storing data in a SQL database or dealing with a storage area network. The data-centric approach took care of all our issues and didn’t require users to do anything different, which was a huge positive for us."
Delta Dental of Missouri has a lean IT infrastructure team, and one of Mudra’s concerns was the burden of an overly demanding installation process. The staff spent about half a day doing pre-installation planning and opted to deploy file-level encryption. A Vormetric consultant was engaged for two days to train the team onsite, while completing encryption of the development environment. Installation was staged over three weekends, and the team was able to handle the last two installations without assistance.
Mudra says: "You define everything and set it up, and it does what you need without any headache. As always, we planned for the worst, but this time got the best. It was one of the easiest implementations from decision to production that I’ve experienced. I expected a painful install; thank goodness it was painless."
Results
After originally struggling to find a solution to support HIPAA compliance, Mudra has been pleased with Vormetric. He comments: "The encryption overhead is pretty close to zero. Back-up windows increased a little, however as that isn’t part of the user experience, it’s a good tradeoff for the protection. Most importantly, our users have no idea that each data request is coming and going to an encrypted source. My team is impressed with how self-sufficient the Vormetric appliances are: If we ever need to take one offline, we have automatic failover to the other. The management of those devices is very straightforward too, as the appliances handle the majority of activities for us. The Vormetric Data Security solution has supported everything we’ve wanted it to do. We’re all very happy with the choice."
Mudra concludes: "For us, the protection we now have is definitely worth the investment. By comparison, a single fine for failing to be HIPAA compliant would be much greater per occurrence than our total investment to date. With Vormetric Encryption, it’s so nice to be able to set-it-and-forget-it and be assured of our compliance. It’s perfect for us because it is platform agnostic, so I have no worries that as our infrastructure evolves, it will scale with us."
