


Summary


Company Background
A Federal agency under the Department of Health and Human Services (HHS) provides direction and technical guidance for the administration of the Federal effort to plan, develop, manage, and evaluate health care financing programs and policies. Along with the Departments of Labor and Treasury, the agency also implements the insurance reform provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Challenges and Requirements
The Agency is in possession of vast amounts of medical data and patient records for each person enrolled in the Medicare program, spanning a time frame of several years. As a result of recent mandates, specifically OMB M-06-16 and FIPS 140-2, it was absolutely critical that they find a solution that would comply with these mandates and allow them to continue exchanging sensitive data with numerous business partners.

Each month, the agency transmits thousands of tapes/CDs containing sensitive medical and patient data to hundreds of endpoints, including research labs, universities, and large business partners, including other Federal, State, and local governments. Data is placed on a tape or burned onto a CD directly from the mainframe and sent to partners with operating platforms ranging from z/OS® mainframes to Windows® desktops.

The agency faces two major challenges when trying to send sensitive data to partners: 1) many of the institutions they are sending data to do not have an IT support staff; and 2) those institutions do not have the funding to purchase a decryption tool.
Due to the mixture of platforms and end-user expertise, it was essential that the recipient community react favorably to the chosen solution and adapt it into their processes. The agency required a cost-effective solution that could take the disparate mix of partners and IT environments into account and extend a solution that would be easy to deploy and use. The solution also required the secure, efficient exchange of critical business information with little to no interruption at the origin or endpoint(s).

Competitive Landscape
The agency provided PKWARE with an overview of additional requirements they were seeking in a data encryption solution. They needed a solution that could:

  • Encrypt data onto mainframe tapes
  • Create CDs and DVDs on the mainframe, as well as Solaris® and Windows server systems
  • Utilize the mainframe encryption coprocessor
  • Support the AES encryption standard
  • Decrypt all encrypted files on mainframe, as well as Solaris and Windows server systems
  • Provide free decryption software to trading partners, or create self-extracting files
  • Provide contingency capabilities, enabling files to be decrypted by the agency in the event that a user’s key or password is unknown
  • Support data compression before or during encryption—the resulting file shall not be larger than the source file
  • Support encryption using either PKI certificates or passwords, determined on a case-by-case basis
The agency investigated a variety of solutions; SecureZIP®/PartnerLink was the clear choice, meeting all of their requirements.

The Solution - SecureZIP / PartnerLink
SecureZIP/PartnerLink was deployed at three data centers on multiple mainframes and on multiple open systems environments (UNIX®, O/S®, and Windows). It provided the lowest risk, highest performance, and the easiest integration and support options for the agency’s existing infrastructure, allowing daily operations with partners to continue without interruption.

PartnerLink allows the agency to distribute an unlimited number of SecureZIP Partner licenses, at no cost to their partners. Being a “no cost” solution furthered partner acceptance and eased the adoption process. The agency can now effectively protect the data at the file level, making it impossible for anyone except authorized personnel to access it, whether the data is at rest or in transit. They are also able to extend their security policies, regardless of the number of endpoints or computer environments involved in the exchange.

In addition to meeting the agency’s critical need of securely exchanging data with partners, SecureZIP also met each of their other requirements. Because SecureZIP is transport independent, it is capable of encrypting data onto mainframe tapes as well as other forms of data movement (i.e. CD, DVD). SecureZIP will create the encrypted .zip archives that then can be transferred to the media of choice via the standard method of writing.

The agency was looking for a solution that would utilize the mainframe encryption coprocessor as well as support the AES encryption standard. SecureZIP provides a cross-platform security solution that offers encryption, digital signing, and authentication, both outside and within the IBM® hardware cryptographic environments. It also supports the AES encryption standard.

While SecureZIP allows for encryption of data exchanged with partners, it also provides for the use of an unlimited number of contingency keys, which can be added to any encrypted .zip file created on any platform. These contingency keys provide access to the encrypted archives should the primary key or passphrase be lost or compromised. SecureZIP also supports the use of PKI certificates that comply with the X.509 certificate standard, and passwords or passphrases can be added in conjunction with digital certificates.

SecureZIP/PartnerLink provided the Agency with a solution that met all of their requirements and eliminated the exposure risk of exchanging sensitive personal information with partners. They are extremely pleased that not only are they exchanging information securely with current partners, but PartnerLink allows them to extend the same solution to new partners as they are added.




