Vormetric Encryption helps Delta Dental of Missouri be a ‘good ombudsman’ of patients’ data.
Delta Dental of Missouri – a member of the nation’s leading dental benefits organisation, Delta Dental Plans Association – offers dental and vision benefits in the states of Missouri and South Carolina.
It is the carrier of choice for over 2,000 companies and has more than 1.5 million members. The company places a strong focus on prevention and evidence-based oral health quality measures, which has earned it the participation of 96% of all practicing dentists in Missouri.
Delta Dental of Missouri stores many terabytes of information in its claims system – member demographics and eligibility, claims, provider information, contracts, payment information, notices of benefits, statements, etc – approaching "big data" classification. Bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards for electronic health care transactions, all data must be encrypted both while in transit and at rest.
Karl Mudra, Delta Dental of Missouri’s CIO, says: "One of our corporate values is to be good stewards of the data we care for on behalf of patients, providers and the groups we serve. In our view, it was a sound practice – irrespective of the HIPAA mandates – to find a best-in-class security solution. With data encryption, I believe it’s essential to be prepared ahead of time, instead of trying to react after there’s been a data breach."
Database-level encryption proved challenging. "When we first started looking, not all of the alternatives to encrypt our SQL data were viable," recalls Mudra. "Because of our database version, many of the products necessitated rewriting our whole application, changing user-level processes and procedures, creating new reporting routines, and making modifications to our production and back-up environments."
Mudra had additional criteria for any viable encryption technology. He notes: "We wanted a policy-based encryption solution, so we could grant permissions at both the user and/or application levels according to pre-defined rules, similar to how most firewall products are configured. We also needed comprehensive key management, centralised administration, and the ability to leverage the solution across both the production and disaster recovery environments. Finally, the option we selected had to be invisible to our users, with zero impact on productivity."