It may be based in the coastal swath between the cities of Los Angeles and San Diego, but SoCal’s County of Orange government is no small-time operation. With approximately 24,000 full-time and contract employees and 43 county agencies and commissions, the county sends out a significant amount of e-mail—a high percentage of which includes confidential information and attachments that, according to federal law, must be protected. To comply, the county turned to two solutions that monitor e-mail content, as well as encrypt and divert sensitive messages to a password-protected county Web site.
Tony Lucich, chief information security officer and enterprise architect for the county, says that previously, “some individual agencies had their own exchange servers, as well as some which shared the county’s central exchange server.”
He goes on to explain that “at that time, data encryption was limited to attached files and left to the discretion of the individual county employee who could use a Micro-soft code to password protect the file. That worked okay for files, but a lot of times it’s easier to put the data about a person, or maybe even their medical records, into the...e-mail. So that information didn’t get encrypted.”
The first step in the compliance process, conducted three years ago, was a survey of the various county agencies that were affected. For example, the county’s health and social service agencies frequently needed to share personal medical information about clients with outside doctors and healthcare providers. As per the Health Insurance Portability and Accountability Act (HIPAA), this information had to be encrypted when sent via e-mail. At the completion of the survey, Lucich and his team had a full understanding of which types of information needing protection were emanating from which county entities. With that information in hand, the search for solutions began.
The solution had to support a federated hub-and-spoke model, where all e-mails passed through the county’s central servers. In addition, the solution had to be extremely user-friendly.
About the federated model, Lucich says, “We’re not a centralized county—very few counties really are. The agencies have historically been what I call ‘silos of aggression,’ where healthcare didn’t talk to social services, which didn’t talk to probations… but a federated model, where all the e-mail traffic routes on a spoke to the county’s IT hub, and then outward on another spoke, gets people to leverage the best of a common solution” and is one step in breaking down the silos of aggression.
It also prevents what occurred in the case of one county agency, which purchased its own encryption solution. The software worked well internally, but none of the county’s outside partners could decrypt and read those e-mails.
Lucich recalls that the IT team found that some products “were very cumbersome. They required the user to do a lot, and we didn’t want that to be the case.”
Lucich says that no one solution entirely did what was needed, but ultimately they settled on two products that could work in tandem: Secure Mail (previously known as Iron Mail) by McAfee of Slough, Berkshire, England; and Voltage SecureMail by Voltage Security, Inc., of Palo Alto, California.
“At the hub, we have the McAfee Secure Mail and the Voltage SecureMail installed together,” he explains. The Secure Mail is used as a policy engine, while the Voltage SecureMail performs the encryption. The policy engine scans the mail to see if it contains keywords related to information types requiring encryption.
If the policy engine finds that an e-mail must be encrypted, it turns it over to Voltage SecureMail, which encrypts the contents and sends the recipient a new e-mail that contains a Web link. “It takes them to a county government site where the recipient either logs in or must register to view the unencrypted message,” he says, adding that a full third-party penetration test was conducted on the system before it went into use in early 2008. “It was bullet-proof,” Lucich states.
Installation, he says, was almost as simple as plugging in the two box appliances and their redundant backups. Programming consisted of routing the e-mail traffic from all the agencies through a bridgehead to the IT center.
Training was done in house for the administrators in the various agencies. “We did an in-service training of agency administrators every Wednesday for a few months. That way, they were able to learn to administer their tier…. They only had to be trained on how to administer their section of the rules. They didn’t have to be trained on maintenance or other issues.”
For the average employee, training was “almost zero,” Lucich says. They can encrypt their own e-mails if they desire by clicking a desktop icon, they can type “secure” in the subject line, or they can leave it for the policy engine to route it to the Voltage SecureMail.
Lucich held one town-hall-style employee meeting and demonstrated the process using two laptops on either side of the meeting room, sending mock e-mails with various types of HIPAA and other regulated information. “Only the few who are really tech-challenged asked for additional help,” he states.
Speaking on the cost of the solution, Lucich says, “It turned out to be substantially less costly for the county because it is a single, centralized, federated model solution. Therefore, we got the best pricing, because we lobbied for the highest amount of licensed users. Installation cost almost nothing and support costs are minimal.”
Lucich adds that, “We haven’t had any technical issues related to the vendors. We’ve had a few related to the county.” For example, he says that a change in the county’s e-mail address-assigning protocol resulted in some employees with the same name being assigned the same e-mail address.
“Both vendors came together and worked together,” to resolve issues, says Lucich. “This was really helpful.”