Texas center encrypts with NeoScale

To comply with federal legislation as well as internal policies requiring that patient data be protected, the University of Texas Health Science Center at Houston is encrypting and storing all types of data in one central place.

The Health Insurance Portability and Accountability Act, enacted in 1996 to safeguard personal health information among other things, was certainly the main driver in storing data in a more secure manner, said Kevin Granhold, the university's director of server and desktop services. But he said they also have to deal with Social Security numbers, credit card numbers, student information and grades, health research, and other sensitive information.

"As we started looking at trying to comply with different legislation and internal policies, one of the things I had to take into account is storage of data and looked at the whole storage infrastructure from backups to local-attached stuff to our [storage-area network] environment," Granhold said.

After consulting with a storage engineering company, university officials decided that encrypting, managing and consolidating most, if not all, data on its SAN was the best route. Granhold's department chose Milpitas, Calif.-based NeoScale Systems Inc., a 4-year-old company that specializes in enterprise storage security, and its CryptoStor appliances that connect to the SAN. NeoScale was selected for its performance and price. Each appliance costs about $35,000.

"We are complementing front-end defenses with storage-centric solutions," said Scott Gordon, NeoScale's vice president of marketing. "The appliance sits in the data path. Data passes through [the appliance], which is in clear text unencrypted and we encrypt it."

Encrypting the data is not unique, Gordon said, adding that the product does not diminish network performance, with only nominal latency and strong key management -- the creation, transmission and maintenance of a secret key.

The process is seamless to customers, he said. "They didn't have to learn about classifying data," he said. "They didn't have to understand what identifiable patient data was. They didn't have to worry about whether their spreadsheet that had Social Security numbers in it was compliant with legislation or not."

Granhold said he also doesn't have to worry about a drive going bad because the data on it is encrypted. He said he's read stories about re-circulated drives that have appeared in other places with readable data still intact.

The university's project took about four months and was completed last winter at a cost of $400,000. It included a new tape library, new back-up software encryption devices and upgraded drives in the SAN, some management software, Fibre Channel devices, and additional hardware.

However, Granhold said he doesn't see a massive migration toward this solution. Bureaucracy and lack of funding are some of the reasons. "I don't see a lot of organizations breaking down the doors to get this implemented," he said. "I think they should be and I think eventually they will be. We're just trying to stay ahead of the curve and do things before we're told we have to."

Gordon said he does see strong growth for NeoScale in the health care, law enforcement and government sectors. Although cost is a consideration, he said, the alternative for organizations may be worse.

"Price is relative to the risk of failing an audit to losing data to failing compliance [and facing] fines and imprisonment," he said.