The need: BCBST needed to protect patient data against unauthorized access—even where disks, laptops and USB keys are taken off site. The solution: Implemented disk-level hardware-based data encryption on three IBM System Storage DS8700 arrays and software-based encryption for other systems, controlled through IBM Tivoli Key Lifecycle Manager. The benefit: Automatic encryption of data ensures protection that meets or exceeds regulatory standards at minimal cost.
Blue Cross Blue Shield of Tennessee auto-encrypts patient data
1. IBM Systems and Technology Health
Case Study
Using IBM System Storage DS8700
Overview
The need
To ensure compliance with HIPAA, BCBST needed to protect patient data against unauthorized access—even where disks, laptops and USB keys are taken off site.
The solution
Implemented disk-level hardware-based data encryption on three IBM® System Storage® DS8700 arrays and software-based encryption for other systems, controlled through IBM Tivoli® Key Lifecycle Manager.
The benefit
Automatic encryption of data ensures protection that meets or exceeds regulatory standards at minimal cost to BCBST; simple end-to-end management minimizes administrative time and effort for IT staff.
Blue Cross Blue Shield of Tennessee (BCBST) serves more than two million people across Tennessee with health plan coverage and insurance products, and has more than five million customers nationwide. The company is an independent, not-for-profit, locally governed health plan organization, part of the Blue Cross Blue Shield Association, a nationwide association of health care plans.
BCBST is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires specific data security standards to be met and includes severe financial penalties for non-compliance.
The theft of disk drives from BCBST, on which more than a million patient data records were stored, unencrypted, highlighted the risk of physical loss. The breach of data security incurred significant penalties under various federal regulations, and the total operational cost to BCBST was estimated to be greater than $10 million.
Michael Lawley, Vice President, Technology Shared Services, explains, “The drives were part of a RAID array with proprietary codecs, and all the data was backed up to a second site. It is extremely unlikely that anyone would have been able to recover sensitive patient data, and we suffered no data loss—but it demonstrated a weakness that we had to correct.”
Fast encryption
BCBST turned to IBM for advice on protecting nearly 1 PB of customer
data held on enterprise storage devices and backup tapes. This set of data
includes customer call recordings, financial and health information.
For a portion of their enterprise data, BCBST selected the IBM System Storage DS8700, which offers disk-level hardware encryption. In a proof of concept, IBM demonstrated that the encryption does not negatively impact system performance, and does not require any changes to SAN or application configuration.
The drives in the DS8700 can encrypt data automatically as it enters the drive to be stored, and decrypt it as it moves out of the drive. The embedded encryption engine helps to ensure that there is virtually no performance degradation compared to non-encrypting drives. Self-encrypting drives are rapidly becoming the preferred model for securing data stored on tape cartridges and disk drives. For example, the National Security Agency has qualified self-encrypting disk drives for protecting information on computers deployed by U.S. government agencies and contractors for national security purposes.
“Our decision in favor of the DS8700 was based on the benchmark that showed no change in performance when encryption was enabled.”
—Michael Lawley, Vice President, Technology Shared Services, BCBST
“In the past, theft of a disk would have to be notified as data loss,” says Michael Lawley. “Additionally, every person and organization with records on that disk would have to be contacted and advised that their information was potentially at risk of disclosure. The disk-level encryption offered by DS8700 is considered to fully protect the data, and therefore removes the notification requirements.”
He adds, “Making the DS8700 part of our solution was based on the benchmark that showed no change in performance when encryption was enabled. This meant that we could meet our information protection, regulatory and contractual compliance obligations with no technical or business penalty.”
Full control
To extend data protection across all devices and to keep the administrative burden to a minimum, BCBST deployed IBM Tivoli Key Lifecycle Manager software to manage all encryption keys.
Enforcing enterprise-wide encryption standards is critical, because data storage is inherently mobile: tapes are archived offsite and disk drives are routinely replaced. Tivoli Key Lifecycle Manager authenticates interactions between all client systems and the three DS8700 arrays deployed by BCBST. It also handles authentication with non-IBM enterprise storage devices offering disk controller-level encryption, as well as providing the necessary public key infrastructure for other systems within BCBST that rely on software-based encryption.
Ed Shields, Director of Infrastructure Engineering Services, comments, “Many of the vendors we talked to could offer a software solution at all levels of the enterprise. However, introducing software-level encryption throughout the whole business would probably have degraded our performance, requiring additional hardware investments to get us back up to speed.”
Tiered storage
BCBST uses IBM System Storage SAN Volume Controller to virtualize its enterprise storage devices, creating a single pool of disk capacity that can be shared flexibly between any servers in the enterprise. SAN Volume Controller allowed BCBST to migrate data from unencrypted legacy systems to the new DS8700 arrays without requiring any application change or service interruption. BCBST now uses SAN Volume Controller to manage its storage tiering strategy, moving critical data to the high-performance DS8700 and less frequently accessed data to slower devices, optimizing its storage investments.
Enterprise data backup, archive and recovery to encrypted tape are managed and automated by IBM Tivoli Storage Manager.
Solution components:
Hardware
● IBM® System Storage® DS8700
Software
● IBM Tivoli® Key Lifecycle Manager
● IBM Tivoli Storage Manager
● IBM System Storage SAN Volume Controller
Transformational solution
BCBST has transformed its enterprise data encryption standards, and is
in the process of completing operating system encryption for more than
1,000 servers, in addition to enforcing encryption on countless removable
media devices and remote systems, such as USB sticks, CD/DVD drives,
Blackberrys and iPads.
Michael Lawley concludes, “Our business is to a very large extent built
on trust, and having IBM’s secure, encrypted systems helps build that
trust with our consumers. Combined with the huge benefits of using
SAN Volume Controller to virtualize our storage and introduce tiered
storage, we have transformed our protection of data at rest.”