Blue Cross Blue Shield of Tennessee auto-encrypts patient data



The need: BCBST needed to protect patient data against unauthorized access—even where disks, laptops and USB keys are taken off site.

The solution: Implemented disk-level hardware-based data encryption on three IBM System Storage DS8700 arrays and software-based encryption for other systems, controlled through IBM Tivoli Key Lifecycle Manager.

The benefit: Automatic encryption of data ensures protection that meets or exceeds regulatory standards at minimal cost.


IBM Systems and Technology Health Case Study

Using IBM System Storage DS8700

Overview

The need
To ensure compliance with HIPAA, BCBST needed to protect patient data against unauthorized access—even where disks, laptops and USB keys are taken off site.

The solution
Implemented disk-level hardware-based data encryption on three IBM® System Storage® DS8700 arrays and software-based encryption for other systems, controlled through IBM Tivoli® Key Lifecycle Manager.

The benefit
Automatic encryption of data ensures protection that meets or exceeds regulatory standards at minimal cost to BCBST; simple end-to-end management minimizes administrative time and effort for IT staff.

Blue Cross Blue Shield of Tennessee (BCBST) serves more than two million people across Tennessee with health plan coverage and insurance products, and has more than five million customers nationwide. The company is an independent, not-for-profit, locally governed health plan organization, part of the Blue Cross Blue Shield Association, a nationwide association of health care plans.

BCBST is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires specific data security standards to be met and includes severe financial penalties for non-compliance.

The theft of disk drives from BCBST, on which more than a million patient data records were stored, unencrypted, highlighted the risk of physical loss. The breach of data security incurred significant penalties under various federal regulations, and the total operational cost to BCBST was estimated to be greater than $10 million.

Michael Lawley, Vice President, Technology Shared Services, explains, “The drives were part of a RAID array with proprietary codecs, and all the data was backed up to a second site. It is extremely unlikely that anyone would have been able to recover sensitive patient data, and we suffered no data loss—but it demonstrated a weakness that we had to correct.”

Fast encryption

BCBST turned to IBM for advice on protecting nearly 1 PB of customer data held on enterprise storage devices and backup tapes. This set of data includes customer call recordings, financial and health information.

For a portion of their enterprise data, BCBST selected the IBM System Storage DS8700, which offers disk-level hardware encryption. In a proof of concept, IBM demonstrated that the encryption does not negatively impact system performance, and does not require any changes to SAN or application configuration.

The drives in the DS8700 can encrypt data automatically as it enters the drive to be stored, and decrypt it as it moves out of the drive. The embedded encryption engine helps to ensure that there is virtually no performance degradation compared to non-encrypting drives. Self-encrypting drives are rapidly becoming the preferred model for securing data stored on tape cartridges and disk drives. For example, the National Security Agency has qualified self-encrypting disk drives for protecting information on computers deployed by U.S. government agencies and contractors for national security purposes.

“Our decision in favor of the DS8700 was based on the benchmark that showed no change in performance when encryption was enabled.”
—Michael Lawley, Vice President, Technology Shared Services, BCBST

“In the past, theft of a disk would have to be notified as data loss,” says Michael Lawley. “Additionally, every person and organization with records on that disk would have to be contacted and advised that their information was potentially at risk of disclosure. The disk-level encryption offered by DS8700 is considered to fully protect the data, and therefore removes the notification requirements.”

He adds, “Making the DS8700 part of our solution was based on the benchmark that showed no change in performance when encryption was enabled. This meant that we could meet our information protection, regulatory and contractual compliance obligations with no technical or business penalty.”

Full control

To extend data protection across all devices and to keep the administrative burden to a minimum, BCBST deployed IBM Tivoli Key Lifecycle Manager software to manage all encryption keys.

Enforcing enterprise-wide encryption standards is critical, because data storage is inherently mobile: tapes are archived offsite and disk drives are routinely replaced. Tivoli Key Lifecycle Manager authenticates interactions between all client systems and the three DS8700 arrays deployed by BCBST. It also handles authentication with non-IBM enterprise storage devices offering disk controller-level encryption, as well as providing the necessary public key infrastructure for other systems within BCBST that rely on software-based encryption.

Ed Shields, Director of Infrastructure Engineering Services, comments, “Many of the vendors we talked to could offer a software solution at all levels of the enterprise. However, introducing software-level encryption throughout the whole business would probably have degraded our performance, requiring additional hardware investments to get us back up to speed.”

Solution components:

Hardware
  • IBM® System Storage® DS8700

Software
  • IBM Tivoli® Key Lifecycle Manager
  • IBM Tivoli Storage Manager
  • IBM System Storage SAN Volume Controller

Tiered storage

BCBST uses IBM System Storage SAN Volume Controller to virtualize its enterprise storage devices, creating a single pool of disk capacity that can be shared flexibly between any servers in the enterprise. SAN Volume Controller allowed BCBST to migrate data from unencrypted legacy systems to the new DS8700 arrays without requiring any application change or service interruption. BCBST now uses SAN Volume Controller to manage its storage tiering strategy, moving critical data to the high-performance DS8700 and less frequently accessed data to slower devices, optimizing its storage investments.

Enterprise data backup, archive and recovery is managed and automated by IBM Tivoli Storage Manager, to encrypted tape.

Transformational solution

BCBST has transformed its enterprise data encryption standards, and is in the process of completing operating system encryption for more than 1,000 servers, in addition to enforcing encryption on countless removable media devices and remote systems, such as USB sticks, CD/DVD drives, Blackberrys and iPads.

Michael Lawley concludes, “Our business is to a very large extent built on trust, and having IBM’s secure, encrypted systems helps build that trust with our consumers. Combined with the huge benefits of using SAN Volume Controller to virtualize our storage and introduce tiered storage, we have transformed our protection of data at rest.”
© Copyright IBM Corporation 2011. IBM Systems and Technology Group, Route 100, Somers, New York 10589, U.S.A. Produced in the United States of America, May 2011. All Rights Reserved. TSC03118-USEN-00