Securing Medical Data
From its headquarters in Turlock, California, MedicAlert manages health information for approximately 4 million members. These members give their information over the phone to company employees or enter their data themselves via a Web site. The information is then stored electronically to be retrieved by the member or other authorized persons at a later date. Because of the sensitivity of this data, MedicAlert needed to ensure that its Web portal was secure while remaining user-friendly and flexible.
A nonprofit company, MedicAlert employs 120 people, about 90 of whom provide customer service. These employees must ensure that emergency responders, hospitals, and doctors can access the data on behalf of the members.
“We are a relatively high-tech company,” says Martin Fisher, vice president of information technology. “We first put up our Web site in the early 1990s.” However, Martin notes that the company’s Web architecture needed an update to better protect the vast amount of information being stored and to allow customers greater flexibility in who could access that information.
Two years ago, Martin and his team of four IT professionals—two full-time and two part-time employees—began searching for new Web access management software. The team had several criteria. First, they wanted a solution that could allow customers to enter comprehensive data into the system. They also needed a system that could assign various levels of access for different users. And because they comply with various state and federal mandates, stringent security was a must.
Martin and his team looked initially at four possible solutions. They determined that only three of them could handle the scale of the project. Of these, one was eliminated as too expensive and another was dropped from consideration because it was open-source, which would require the company to do more work.
The final option was CA SiteMinder, a suite of software programs from CA, headquartered in Islandia, New York. It proved to be a good solution. CA SiteMinder is proprietary software that MedicAlert would purchase and then maintain on its own, though the software provider would be available to troubleshoot if necessary.
MedicAlert liked CA SiteMinder in part because it was well known in the industry. “We had gone with new products in other applications and were not always satisfied,” says Martin. “We wanted a name-brand product from a company that had been around, had a good reputation, and could devote resources to our needs.”
Though cost was not a primary concern, Martin notes that, as a nonprofit, MedicAlert did not have unlimited funds. “SiteMinder was appropriately priced for our use,” he says. “The purchase price was less expensive than other competitors, and the support costs are much less than the open-source solutions.”
MedicAlert members carry information cards and MedicAlert bracelets, which contain information critical for treatment decisions, including the toll-free number to reach MedicAlert’s customer service team. The team is authorized to provide updates or additional information regarding the members’ conditions, such as allergies and medications, to authorized professionals, including doctors, nurses, first responders, or police officers.
Customers who want to enter their health information via the Web are given an electronic health key. The device connects via a USB reader. Members can enter the information onto the device and plug it into the computer. When members connect with the MedicAlert Web site, the device will synchronize their records.
The new software allows members to organize their secure data in a number of ways. For example, a member who recently underwent a hip replacement can move all of the pertinent files into one folder, thus giving easy access to the doctors involved in that specific operation.
The product allows the company to secure customer data through a comprehensive set of cryptographic algorithms. In addition, CA SiteMinder’s Web Access Manager helps MedicAlert control access to its Web site. Anyone who accesses data stored by the company must go through this identity management component.
The software maintains all authentication information and authorization policies for all user types, including customers, partners, and employees. This ability to centralize security policy across organizational boundaries allows MedicAlert to offer various levels of service and access without compromising security.
For example, the company has joined with the Alzheimer’s Association to offer a program designed for those suffering from the disease. Under the Safe Return Program, Alzheimer’s patients can access all of their data, but their children can also be given limited access as proxies in case the members are not able to give authorization because of memory lapses.
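As an added illustration (not code from the article, from MedicAlert, or from CA SiteMinder), the following Python sketch models the access levels the article describes as a single centralized policy decision point: members read their own records, customer-service employees act on members' behalf, clinicians see only the folders a member shared with them (such as the hip-replacement folder), Safe Return proxies get a limited default view, and every decision is written to an audit trail. The principal types, folder names, sample records, and policy table are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                         # "member", "employee", "clinician" or "proxy"
    on_behalf_of: str = ""            # member id a proxy or clinician acts for
    granted: frozenset = frozenset()  # folders the member explicitly shared

# Constructed sample record store: member id -> folder -> documents
RECORDS = {
    "m100": {"allergies": ["penicillin"],
             "hip-replacement": ["op-report", "discharge-summary"]},
}

# Central policy (hypothetical): folders each user type may read without a
# per-folder grant. "*" means the whole record; a Safe Return proxy only gets
# a limited default view unless the member shares more.
DEFAULT_FOLDERS = {"member": {"*"}, "employee": {"*"},
                   "clinician": set(), "proxy": {"allergies"}}

AUDIT: list[tuple] = []   # every decision is recorded for the audit program

def can_read(p: Principal, member: str, folder: str) -> bool:
    """Single policy decision point: may p read this folder of member's record?"""
    if p.kind not in DEFAULT_FOLDERS:
        allowed = False                                  # unknown user type: deny
    elif p.kind == "member":
        allowed = p.name == member                       # only your own record
    elif p.kind == "employee":
        allowed = True                                   # customer service staff
    else:  # proxy or clinician: must act for this member and hold a grant
        defaults = DEFAULT_FOLDERS[p.kind]
        allowed = (p.on_behalf_of == member
                   and (folder in defaults or folder in p.granted))
    AUDIT.append((p.name, p.kind, member, folder, "allow" if allowed else "deny"))
    return allowed

def read(p: Principal, member: str, folder: str) -> list[str]:
    """Return the folder's documents, or raise if the policy denies access."""
    if not can_read(p, member, folder):
        raise PermissionError(f"{p.name} may not read {member}/{folder}")
    return RECORDS[member][folder]
```

Because every caller goes through `can_read`, the deny decisions land in the same audit log as the allows, which is what a later compliance review needs to see.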
Under federal law, MedicAlert does not have to comply with the Health Insurance Portability and Accountability Act (HIPAA). However, it does meet all of the HIPAA requirements. “We feel that health data is as important if not more important than financial data,” says Martin. “Common sense dictates that we protect members’ data to the maximum extent possible.”
That it was already meeting HIPAA requirements served the company well when it was required to comply with similar state regulations, including California’s Confidentiality of Medical Information Act. To help ensure that the company meets these regulatory demands, it is rolling out an audit program—included in the SiteMinder software suite—next year.
Martin notes that the company’s well-known bracelets have served to protect people around the world for the last five decades. Now, with a new approach to technology in place, he hopes that enhancing the company’s identity and access management controls helps further its mission.
(For more information: Sumner Blount, Director of Security Solutions, CA; phone: 508/628-8599; e-mail: [email protected])