Insurer BlueCross BlueShield tries harder to shield data

Friday, January 1, 1904

File photo: The BlueCross and BlueShield logos hang on the company's old building in downtown Chattanooga.

WHAT IS ENCRYPTION?

Data encryption is the use of algorithms to convert normal information into a format indecipherable to all but those who have the software security keys.

Few would imagine the theft of 57 hard drives could cost so much, but nearly two years and $16 million later, BlueCross BlueShield of Tennessee is finally reaching the end of the damages caused by the loss.

The Chattanooga-based insurer recently finished encrypting 885 terabytes of archived data -- the equivalent of more than 56,000 small iPhones -- in addition to thousands of servers, computers, voice-call recordings and backup tapes.

Not counting the insurer, the theft of the hard drives appears to be a victimless crime. Except for a sense of uneasiness, no one has reported any problems related to the loss of data, although an investigation is ongoing.

But with customer trust at stake, Michael Lawley, vice president of technology shared services at BlueCross, said it was important the company go all out to deter future data loss.

"'Maniacal' would be a really good word. Our business is built off of trust, and what this is is maintaining that trust," Lawley said. "They say nothing is better than scar tissue to learn from, and we've learned from this scar tissue."

Lawley oversaw the work as encryption of the highest level was placed on almost all of the company's at-rest data, or data not being accessed. The cost is more than $6 million, he said, with the remaining $10 million paid to alert customers to the data loss and meet government regulations on handling the problem.

The investment put BlueCross' data protection ahead of any other insurer and likely ahead of any other company, Lawley said.

Harley Geiger, a health information technology specialist with the Washington, D.C.-based Center for Democracy and Technology, said all health records should be protected the same way.

"If these were encrypted, it could save millions of people from data breach," he said. "Data breaches are a common problem. My feeling is that they will continue to be a problem as we move towards greater digitization of data and that's why it's important for agencies -- and government agencies, for that matter -- to have in place strong security programs."

When data is lost, most often because of compromised mobile devices, the costs to customers can be more than identity theft and money loss. Sensitive medical information can lead to embarrassment and damaged reputations, which is why Geiger believes in stronger regulations.

"A mistake that a lot of lawmakers and businesses make is that economic hardship is the only thing," he said.

Lawley wouldn't be surprised if government regulations caught up to what his company has already done.

"If you look at where we believe the industry is going, we believe it's going to converge in an encrypted environment," he said. "We're ahead of the curve."

Geiger stressed that encryption alone sometimes isn't enough to protect data. If encryption keys are held on the same computers being encrypted, or if employees aren't properly trained, leaks are still possible.

But Lawley is confident BlueCross is taking the necessary steps and doesn't expect his company will have the same problem twice.

"We have employed some of the best security professionals in the industry," he said. "As the world evolves and the threats evolve, we have to evolve as well."