PGP INSIGHT
Harvard Pilgrim Health Care: Protecting patients' medical records in email

- Customer Profile: Health insurance; 1,300 employees; 971,000 members
- Goals: Protect customer privacy; regulatory compliance
- Solution: PGP Universal™ Gateway Email encrypts sensitive emails
- Deployment: On time and within budget
- Benefits: Higher security; regulatory compliance; user acceptance; fewer support calls
Harvard Pilgrim chose PGP Universal Gateway Email to secure sensitive information in emails, facilitating compliance with government regulations and protection of its members' privacy.
Harvard Pilgrim Health Care is a not-for-profit health benefits company that has been ranked the best health plan in the United States by U.S. News & World Report and the National Committee for Quality Assurance (NCQA). The company has 1,300 employees and 971,000 members in northern New England.
The Challenge
A first-rate health insurance provider, Harvard Pilgrim is committed to its members' privacy. The company regularly sends nearly 1 million members' confidential medical records to doctors, employers, and government agencies, and it must send them securely.
Need to encrypt medical records. "Transmitting data over the Internet poses a significant risk of unauthorized people accessing the data," says Ken Patterson, chief information security officer (CISO) for Harvard Pilgrim. "Like most health insurance companies, Harvard Pilgrim requires those transmissions to be encrypted."
Regulatory compliance. All organizations that handle personal health records must protect the privacy of individually identifiable health information, according to the U.S. Health Insurance Portability and Accountability Act (HIPAA). The government encourages the use of encryption technology for transmitting patients' data. "Compliance with HIPAA is paramount for Harvard Pilgrim," says Patterson.
The organization must comply with other regulations as well. Because Harvard Pilgrim is an insurance company, it must follow rules specified in the Gramm-Leach-Bliley Act, such as taking necessary steps to protect nonpublic information.
The CISO also expects that the government may soon expand the Sarbanes-Oxley Act, which currently applies only to publicly traded companies, to cover not-for-profit organizations. In preparation, the insurance company has started establishing internal controls to ensure the accuracy and completeness of its financial reports.
An outdated solution. Harvard Pilgrim's email security practices were no longer viable. "Before introducing PGP Universal Gateway Email, we protected Word and Excel documents in emails by using the password protection offered by Microsoft Office. It was a completely manual and tedious process," Patterson says. Employees had to concoct long, complex passwords for every file and invent new passwords every time they sent the file to another person. They were not allowed to leave passwords on voice mail. In addition, they could not put any confidential data in the first 256 characters of a document.
When Patterson talked to the employees, he was not surprised to hear that they were not following the guidelines. "We couldn't rely on a manual process to ensure data security," he says.
Defining requirements. Patterson decided to find a better email encryption solution that would protect sensitive information and facilitate compliance with regulatory matters. He created a project team with people from Perot Systems, which operates information technology for Harvard Pilgrim. Together, they defined the required features for a new system. "Perot Systems provided invaluable support for the specification of requirements, evaluation, and implementation of our secure-messaging solution," Patterson says.
Standards and certifications. Harvard Pilgrim's business partners use many different email security products. The project team wanted to use a single system to communicate with all of them, which is possible only if every product follows the same open standards. The most established standards for email encryption, OpenPGP and S/MIME, have both been scrutinized by security experts around the world. To ensure that vendors had implemented these standards properly, Patterson insisted on government validation according to the Federal Information Processing Standards, known as FIPS 140-1 and FIPS 140-2.
The Solution
The project team looked at eight leading secure email products. The top three products were evaluated for compatibility, security, key management, business partner acceptance, and ease of implementation.
Choosing PGP Universal Gateway Email. Harvard Pilgrim decided that PGP Universal Gateway Email was the most suitable email encryption solution for its needs. The software encrypts emails at the gateway and does not require software installation on desktops. It can exchange messages with any system that uses S/MIME or OpenPGP. Email recipients who do not have an encryption system can use PGP Universal™ Web Messenger if they receive information occasionally or PGP Universal™ Satellite if they receive information frequently.
Ease of use. After the ineffectiveness of an earlier complex solution, the CISO knew the new system at Harvard Pilgrim would be successful only if it were easy to use. "PGP Universal Gateway Email is highly automated, so employees and administrators don't have to take any manual steps to encrypt an email. This capability helps to enforce our security guidelines effectively," Patterson says.
Proven vendor. The health care organization chose PGP Corporation because of its excellent track record. "PGP Corporation has been a proven leader in the encryption market for a decade," Patterson says. "The company has a strong vision for enterprise-level solutions that are leading the industry."
Room for growth. The PGP® Encryption Platform gives Harvard Pilgrim flexibility for the future. "I appreciate the ability to add functionality under the existing central management system. It simplifies administration and results in a lower operational cost compared to using several point solutions," Patterson says. "It offers the best capabilities today and for the future."
The Results
When Harvard Pilgrim introduced PGP Universal Gateway Email as its new secure email system, Patterson invited employees to a workshop to collect ideas on how the company could make email encryption more successful. Patterson's team then implemented many of these ideas, one of which was an email encryption button in the Lotus Notes email client, to enable forced encryption regardless of content.
Acceptance tests. During the pilot implementation, Patterson received consistently positive feedback from internal and external users. "Our people and business partners found PGP Universal Gateway Email very easy to use. Two weeks after the pilot, we went live. It doesn't get any better than this."
Few support calls. Patterson has earned very positive feedback from users who had been frustrated with the previous solution. So far, Harvard Pilgrim's help desk has received only one call regarding PGP Universal Gateway Email, and the issue was related to an outdated Lotus Notes template. Patterson occasionally receives questions by email, and he usually refers to the product documentation for answers. "PGP Universal Gateway Email has had little to no impact on our operational cost," he says.
Automated, two-way encryption. Communication partners that do not have an encryption solution use the PGP Universal™ Web Messenger service, which provides a Web portal for users to view and reply to secure messages. This approach is suitable for infrequent communication; however, partners who exchange encrypted email regularly may need a different solution. Patterson plans to offer PGP Universal™ Satellite to these select business partners, who download the small program to the remote client: it automatically encrypts emails sent to and received from an external user's inbox, effectively eliminating human error.
Optimizing automation. Patterson plans to deploy a third-party email content filter that recognizes sensitive messages and routes them to PGP Universal Gateway Email. PGP solutions are compatible with many content filters, giving Patterson the freedom to choose the product that best fits his organization's needs.
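The content-filter step described above, as an added example that is not PGP Corporation's, Perot Systems' or Harvard Pilgrim's code: a small outbound-mail policy that inspects each message, routes anything that looks like it carries protected health information (or that the sender has explicitly flagged, in the spirit of the forced-encryption button mentioned earlier) to the encryption gateway, and lets everything else go out as ordinary mail. The header name `X-Encrypt`, the member-ID format, the detection patterns and the sample messages are all constructed assumptions; the point is the fail-closed shape of the decision, not the particular patterns.

```python
"""Policy-based routing of outbound email to an encryption gateway.

Added example, not code from PGP Corporation or Harvard Pilgrim.  The filter
returns a routing decision for each message; a real deployment would hand
"gateway" messages to the encryption gateway and "direct" ones to the normal
outbound relay.  All header names, patterns and sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Assumed name of the header a client-side "encrypt this" button would set.
FORCE_HEADER = "X-Encrypt"

# Constructed detection rules: label -> compiled pattern.  Real content filters
# use far richer dictionaries; these are deliberately simple and readable.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bHP\d{8}\b"),  # constructed member-ID format
    "keyword": re.compile(r"\b(medical record|diagnosis|claim number)\b", re.IGNORECASE),
}


def _text_parts(msg: Message):
    """Yield the decoded text of every text/* part (body and text attachments)."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def classify(raw_message: str) -> dict:
    """Decide where an outbound message goes.

    Returns {"route": "gateway" | "direct", "reasons": [...]}.  The decision is
    fail-closed: a forced-encryption header, any PHI match, or an attachment the
    filter cannot read all send the message through the encryption gateway.
    """
    msg = message_from_string(raw_message)
    reasons = []

    # Explicit sender request always wins, regardless of content.
    if msg.get(FORCE_HEADER, "").strip().lower() in {"yes", "true", "1"}:
        reasons.append(f"{FORCE_HEADER} header set by sender")

    # Content inspection of every readable text part.
    for text in _text_parts(msg):
        for label, pattern in PHI_PATTERNS.items():
            if pattern.search(text):
                reasons.append(f"matched {label}")

    # Non-text attachments (PDF, spreadsheets, ...) cannot be inspected by this
    # simple filter, so they are treated as potentially sensitive rather than
    # being allowed out in the clear.
    if any(part.get_content_maintype() not in ("text", "multipart") for part in msg.walk()):
        reasons.append("uninspectable attachment")

    return {"route": "gateway" if reasons else "direct", "reasons": sorted(set(reasons))}


# Constructed sample messages (all addresses use the reserved .test TLD).
SAMPLES = {
    "newsletter": (
        "From: hr@example.test\nTo: staff@example.test\nSubject: Picnic\n"
        "Content-Type: text/plain\n\nThe summer picnic is on Friday.\n"
    ),
    "claim": (
        "From: claims@example.test\nTo: doctor@clinic.test\nSubject: Claim review\n"
        "Content-Type: text/plain\n\nMember HP12345678, claim number 99-1 diagnosis attached.\n"
    ),
    "forced": (
        "From: a@example.test\nTo: b@partner.test\nSubject: Hello\nX-Encrypt: yes\n"
        "Content-Type: text/plain\n\nPlease call me.\n"
    ),
    "pdf": (
        "From: a@example.test\nTo: b@partner.test\nSubject: Summary\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        '--b1\nContent-Type: application/pdf\nContent-Disposition: attachment; filename="summary.pdf"\n\n'
        "%PDF-1.4 constructed placeholder\n--b1--\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        decision = classify(raw)
        print(f"{name:<10} -> {decision['route']:<7} {decision['reasons']}")
```

The only design choice worth dwelling on is the default: anything the filter cannot positively clear goes to the gateway. A filter that only encrypts what it recognizes will leak whatever its dictionary misses, which is exactly the failure the manual password process suffered from.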
Summary
Harvard Pilgrim successfully completed the project on time and within budget. "PGP Universal Gateway Email fulfilled all our requirements. It offered the best interoperability of all eight solutions we considered. We're extremely pleased with both PGP Universal Gateway Email and the great support we've received from PGP Corporation. It was the smoothest enterprise-wide product implementation I've ever experienced," Patterson says.
Trust leads to success. U.S. News & World Report and the National Committee for Quality Assurance (NCQA) rated Harvard Pilgrim the #1 health plan in the U.S. In addition, J.D. Power and Associates recognized the company for providing an outstanding member experience. "Harvard Pilgrim's vision is to be the most trusted and respected name in health care. I believe our strong commitment to privacy contributes to our #1 ranking," Patterson concludes.
The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.