Fortune 50 Retailer Faces HIPAA,
Consolidates Data Center

Challenges

This Fortune 50 retailer provides its own health insurance program for employees. The insurance division is consolidating disparate IT systems into a central health insurance data center and needs to keep the operations compliant with the Health Insurance Portability and Accountability Act (HIPAA). In particular, the HIPAA Privacy Rule compels companies to protect and report all access to patient information. This retailer already had directories, external VPNs, firewalls, access control and user provisioning solutions. The combination still didn't solve its core requirement: see, control and prove to auditors who had access to what health insurance data center systems and when.

Solution

This retailer recognizes what it calls the technology elegance of the TNT solution. TNT was able to plug right into the retailer’s complex IT environment and provide identity-based auditing and control capabilities that satisfied the HIPAA requirements. By establishing pervasive identity across all users, groups, workstations, servers and applications, this retailer is also managing ongoing consolidation of other IT systems into the central data center. The TNT solution expands the application of identity to include devices, assets and applications, while enabling the easy creation and management of new identities for incremental users and systems.

Because the company had combined multiple disparate networks and systems in its insurance data center, it first needed to figure out just what it had and how users and systems were interacting. The company first engaged the TNT Identity Audit Services team to deploy TNT solutions and tools to identify 1,700 servers, thousands of applications, and millions of user connections and interactions among them. The company automatically collected data for several weeks (saving thousands of manual hours), using the comprehensive data to match real-world data center transactions with policy. This information helped the company establish automated access control policies in the I-Gateway for all users, workstations, servers and applications across the data center. This bottom-up approach to access control policy led to a faster and more accurate deployment than a top-down approach that would not have been based on actual operations.

The insurance division maintains two primary connections to the health insurance data center. The retailer liked the simple deployment of the TNT Identity solution, with one I-Gateway inline behind the switch on each connection. The I-Gateways are operating in high-availability configuration that also works in conjunction with the redundant router and switch architecture. A single I-Manager Web-based application manages both I-Gateways and lets the administrators set policy and report interactions for the entire data center from a centralized workstation.

The solution helped this retailer simply answer HIPAA’s core compliance question: Where are your users going? The retailer can clearly report all interactions of specific users and groups by name. The I-Manager also generates reports of connections with servers and interactions with applications, both by user name and originating workstation. And it reports all attempted connections by unauthorized users or systems without identities that the I-Gateway dropped.

Benefits

• Saved millions of dollars by addressing HIPAA compliance during the data center consolidation, avoiding costly retrofitting to effect compliance later
• Saved millions more by automating HIPAA audit data gathering—replacing manual processes often identified as the most costly component of compliance
• Engaged the TNT Identity Audit Services team to establish manageable policy and access control, even as the data center grows
• Prevented costly public exposure of confidential patient health information, which protects against fines, legal costs and crisis control