California Department of Health Care Services - Healthy Data Protection Strategies
Background: The Department of Health Care Services (DHCS) is a department within the California Health and Human Services Agency. DHCS' mission is to preserve and improve the health status of all Californians. DHCS works closely with healthcare professionals, county governments and health plans to provide a healthcare safety net for California’s low-income residents and persons with disabilities.
DHCS finances and administers a number of individual healthcare service delivery programs, including Medi-Cal, the California Children’s Services program, the Child Health and Disability Prevention program and the Genetically Handicapped Persons Program. DHCS also helps maintain the financial viability of critical specialized care services, such as burn centers, trauma centers and children’s specialty hospitals. In addition, DHCS funding helps hospitals and clinics located in underserved areas and those serving underserved populations.
Challenges: As one of the largest government agencies in California, the Department of Health Care Services (DHCS) employs more than 7,000 people and administers a broad range of public and clinical programs that provide health care services to citizens throughout the state. In the administration of its programs, DHCS maintains more than 60 field offices and frequently collaborates with other state agencies, as well as hospitals, clinics, health plans, local health jurisdictions and community-based organizations. As such, many DHCS employees rely on laptop computers to store medical records and other protected health information (PHI). The theft or loss of even one of these laptops could compromise thousands of medical records, leaving patients vulnerable to ID theft and other forms of fraud.
Long before the State mandated the use of encryption for laptops, Christy Quinlan, the CIO of DHCS, knew that the department held a lot of “personal health information” on computing resources that had to be protected to meet the needs of the Health Insurance Portability and Accountability Act (HIPAA), beyond what most agencies and healthcare companies were doing at the time. But with employees who do Medi-Cal audits and investigations and outreach into the AIDS community and with women and children, she felt a need for a broader encryption policy. With 2,100 laptops and 8,000 desktops in the department and 8,000 employees, Quinlan knew that a forceful and rapid initiative would be needed to protect public data to her satisfaction. Rather than wait for an edict from the state security officer to encrypt data (which eventually came many months later), Quinlan and her department unanimously launched an ambitious program to install encryption within 30 days of the internal executive decision to do so, a phenomenal undertaking given the number of approvals and studies that needed to be performed.
“Residents hold government agencies to a higher level of responsibility in securing their sensitive information, and there is an expectation that personal information will remain uncompromised. Increasing mobile workforces, combined with federal mandates like the Health Insurance Portability and Accountability Act (HIPAA), make the encryption of sensitive data even more paramount. The GuardianEdge Data Protection Platform helps the California Department of Health Care Services secure sensitive or proprietary information and provides peace of mind and greater security to all government program recipients.”
Ram Krishnan, Senior Vice President, Products and Marketing, at GuardianEdge
Issues: In doing business with the state, especially a state with a budget larger than many countries’ GDPs, you find that time moves very slowly with procurements. In this instance, no one had implemented such an ambitious project in such a short timeframe. The level of encryption and range of requirements were also broader than required by law or by the top levels of the government, but they became a strategic and forward-thinking requirement that helped to “set policy” for the state government and beyond, through thorough examination of the flow of Public Health Information throughout state government and shockingly rapid deployment of the best technology to secure it.
Solution provided by GuardianEdge: GuardianEdge Hard Disk Encryption, a critical component of the complete GuardianEdge Endpoint Data Protection Suite. By delivering strong pre-boot user authentication and full disk encryption, GuardianEdge Hard Disk Encryption ensures a premier level of protection against the compromise of sensitive or proprietary information if a PC is lost or stolen. The selection of GuardianEdge’s hard disk encryption solution demonstrates DHCS’ proactive approach to information technology security. It also underscores DHCS’ commitment to complying with federal mandates, such as the Health Insurance Portability and Accountability Act (HIPAA), and protecting the health information of Californians by safeguarding all information stored on DHCS, California Department of Public Health and California Health and Human Services Agency laptops and desktop personal computers. GuardianEdge’s compatibility with DHCS’ existing information technology environment and ease of testing and deployment enabled DHCS to leverage existing software to deploy the GuardianEdge hard disk encryption solution among all laptop and desktop personal computers within a self-imposed 30-day timeframe. This ensured personal health and confidential information was protected from unauthorized access, and DHCS thereby took a leadership position in guiding the security procedures for other state agencies.
“In the administration of its programs, the California Department of Health Care Services maintains more than 60 field offices and frequently collaborates with other state agencies, as well as hospitals, clinics, health plans, local health jurisdictions and community-based organizations. Many organization employees rely on laptop computers to store medical records and other protected health information. Without an encryption solution in place, the theft or loss of even one of these laptops could compromise thousands of medical records, leaving patients vulnerable to ID theft and other forms of fraud. Data encryption was clearly the most effective way to protect these laptops.”
Jason Weinberg, Senior Account Manager, at GuardianEdge
Summary: Since the policy was implemented, DHCS has had laptop losses but, as a result of the strong encryption policy, absolutely zero breaches. Both the state and private industry are catching up to DHCS' visionary actions, and more and more organizations have recognized the seriousness of patient data privacy and are implementing full-disk encryption to maintain that security. By increasingly requiring partners and vendors to use similar high levels of encryption, DHCS is setting a standard for maintaining privacy of information throughout the state and leading the healthcare industry into higher levels of patient information protection through the use of sound, intelligent technology choices. Even with the division of the department into two departments (the Department of Health Care Services and the California Department of Public Health, as of July 1, 2007) and increasing privacy mandates, the group that researched, developed and implemented the forward-thinking encryption policy remains the standard-bearer for both internal and vendor encryption requirements.