Company: Protek
Customer: BUPA
Submitted by: Protek
Date: October 2002
In a sector where security and confidentiality are paramount, leading medical provider BUPA has called upon Protek to develop a security solution that will guarantee safe transmission of sensitive data between doctors, consultants and hospitals.
Since the 4th century BC, when the Hippocratic Oath was first created, medical practitioners have sworn to respect and uphold their patients’ confidentiality. Yet hundreds of years later, technology has provided medical organisations with a dilemma. Being able to send a patient’s record in a matter of minutes to another hospital can be vital in ensuring that the patient receives the treatment they may urgently need. But emailing and transmitting over public networks such as the Internet carries the risk that these records, and even the organisation’s internal systems, can be accessed by unauthorised and unscrupulous users – breaching patient privacy, enabling data to be changed and even drug requisitions re-addressed.
For leading medical services provider BUPA the solution has been to call in the experts to implement a secure messaging and data transmission infrastructure. Protek has tailor-built a solution that will enable BUPA to electronically share and transmit confidential and sensitive data between its hospitals, centres and other healthcare organisations without any risk of breach or misuse.
Transmitting confidential data over insecure networks
BUPA is a global provider of private medical healthcare insurance and services, with four million members in 180 countries worldwide, and is the UK’s leading independent health and care organisation. Operating since 1947, BUPA’s first hospital opened in 1979, and today the organisation employs over 42,000 employees across five operational headquarters and a network of 350 hospitals, medical and screening centres and care and retirement homes.
BUPA has long been a user of email and electronic transmission as the quickest and most cost-effective way to send medical information between its distributed locations and other healthcare bodies such as the NHS.
However, BUPA had recognised the risks of sending highly sensitive information, such as patient records and clinical data, over a public network such as the Internet without having a secure messaging infrastructure in place. It also realised that an experienced hacker could even use such transmissions to penetrate its internal operational systems.
Terry Skinner, Business Systems Manager at BUPA, said, “Maintaining patient and consultant confidentiality is at the heart of any healthcare organisation and a responsibility that BUPA takes seriously. On the one hand we needed to use electronic transmission and emailing because the quicker patient information can be transmitted to consultants and doctors the sooner that patient gets the right care. However, we have to ensure that patient records, and our own operational systems, are protected.”
BUPA asked six vendors to tender for the contract to equip its operations with an enterprise-wide secure messaging solution. The organisation had determined that it wanted to deploy a Public Key Infrastructure (PKI), and short-listed for detailed evaluation four vendors that offered recognised industry-standard and proven PKI technology.
Skinner said, “Protek stood out from the others because of its years of expertise in delivering security products for the government and the military. As an independent vendor they didn’t have a secret agenda either – they were able to tailor-make the solution we needed from best-of-breed, proven products yet give us the ease of dealing with one single supplier.”
He added, “Protek’s technology resources, experience and expertise instilled us with confidence that they would deliver a thorough and professionally managed implementation of a high security solution for BUPA.”
Protecting sensitive information and internal systems
Protek worked closely with BUPA to enable the organisation to define policies that dictate which employees are permitted to send and receive emails and data files, and which types are acceptable.
These policies are stored within the directory of the messaging infrastructure’s core X.500 server to control access and ensure information is distributed only to verified users. Any incoming message that does not comply with these policies cannot be opened, and outgoing messages are automatically checked for compliance before being sent. The Protek solution also routinely scans all emails for viruses.
Data encryption, certification authority and PKI technologies built into the overall system’s infrastructure ensure that all information is encrypted before transmission. All messages and files sent retain their integrity and confidentiality, and the origin of incoming transmissions can be authenticated. This ensures that all messages and information transmitted are impervious to unauthorised access and repudiation, while at the same time protecting BUPA’s internal systems from security breaches behind an effective firewall.
Deployment at every UK BUPA centre
With the pilot phase of the project complete, and as business needs are identified, Protek is assisting BUPA with the deployment of the solution across its operations. Once achieved, this will enable BUPA to transmit sensitive medical data and confidential patient records between personnel within a hospital, between different BUPA locations and with other healthcare organisations, safe in the knowledge that the messages and files cannot be accessed or corrupted.
Skinner said, “This is a mammoth undertaking at BUPA and will take many months to deploy fully. The pilot alone was forecast to take 12 months – but with Protek at the helm we completed it in just nine months. This included Protek thoroughly testing the entire infrastructure to ensure there were no gaps in security and no conflict between the various technology components.”
He concluded, “What made this possible was Protek’s ground-up understanding of security – it’s what they live and breathe. Consequently there are very few issues they have not encountered before and which they can’t resolve. I expect the full implementation to be managed by Protek in the same way as they masterminded the pilot – carefully planned, professionally undertaken and smoothly achieved.”