Social Security To Secure Data

Like other government agencies, the Social Security Administration is attempting to convert reams of paper documents into electronic files. But much of that data consists of sensitive medical information.

To help find IT systems that will protect the more than 100 million medical records it receives annually, the agency recently completed a proof-of-concept security project, as required by the Health Insurance Portability and Accountability Act. Vendors included Dell Federal for storage, Novell for user-authorization and Web-acceleration tools, Digital Signature Trust for user authentication, and InterSystems for a relational database, says Tony Trenkle, deputy associate commissioner for electronic services.

The project also included Eruces Inc.'s Tricryption Engine, encryption software designed to help prevent trusted insiders from being able to view certain data or tamper with information. Such precautions are necessary when it comes to sharing private medical information, Trenkle says. "It's not only about the network but the data itself, and making sure it's safe externally and internally."

Tricryption Engine removes the ability for hackers--even if they crack the network from the inside--to compromise the master encryption key, Eruces CEO Bassam Khulusi says. Here's how it works: When a transaction such as a disability claim occurs, it's sent to the Tricryption Engine. The engine creates a new encryption key for that record; the key then encrypts the data and sends it to the database. The key is also encrypted and stored in a separate database.

This type of encryption includes automated key management and individual encryption keys for each transaction and is necessary for companies that handle millions of transactions, says Yankee Group security analyst Mathew Kovar.

Eruces made it possible to ensure that only those who have the authority to see sensitive data can do so, Trenkle says. "When we use medical information, it passes through a variety of hands," he says. Trenkle is taking the successful results of the proof of concept to other federal agencies. "We've proven that the technology can improve our process."