Molina Healthcare Uses Data Masking To Protect Patient Information

January 7, 2010


It's the sort of problem that keeps IT managers awake at night. Your company is using service providers for critical data analysis or processing but is required by regulations to keep portions of individual data records confidential. How do you make sure both things happen? If you're Molina Healthcare, a managed-care organization based in Long Beach, Calif., you turn to software that replaces sensitive, patient-identifying information with fake data when the database is replicated for shipment to an outside agency, then remaps the fake data back to the real information when the processed database is returned.

Nitin Gotmare is Director of IT for Molina. He says that the company had used home-grown apps and manual data redaction for databases that needed to be sent to outside service providers. The problem Gotmare faced was growth; the company was expanding its Medicare/Medicaid-based service business quickly and could no longer depend on manual redaction to keep up with the necessary work flow. He says, "We've grown a lot in the last three years, and we needed to automate processes while staying compliant."

When the company began to think about solutions to replace the manual and home-grown processes, they turned to staff memory and recommendations. Gotmare says that nearly everyone had a recommendation in common. "All of us heard about Dataguise in some context somewhere, so we got in touch with them when we needed a solution. We didn't want to spend a ton of money in this environment, and there are other products that cost a lot of money. We wanted to be managing something in a reasonable limited way and achieve the results we wanted," he says.

Allan Thompson is EVP of Operations at Dataguise. He says that Dataguise has a pair of products that, together, can provide data masking for sensitive data in production and non-production databases. According to Thompson, "We can find [sensitive data] under Oracle, SQL Server, and MySQL and tell the production team where the sensitive data is, then apply templates to hide the sensitive information. This way, when you pull databases for testing, migration, et cetera, we can define the sensitive portions and allow for data masking on those parts." He continues, "Over 90 percent of organizations we talk to use sensitive data for testing and shipping to partners. We say we'll tell them where the information is, and anytime the information is pulled out we can mask the data making sure that customers, partners, and employees are protected. The data we replace it with is realistic data, but it's meaningless, and will not allow the identities to be known or stolen."

Thompson says that Dataguise has been offering software since May 2007. The basic premise is that the software can go after and discover all the large-volume sensitive data, both on the production and non-production side, that an organization must keep in order to do business. The discovery of the sensitive information, through DG Discover, allows an organization to understand which databases contain sensitive data. The data masker, DG Masker, can then make the data going into non-production databases useless in terms of personal information, either by filling the fields with single characters or by generating realistic-looking but meaningless data to go into the field.

Gotmare says that Molina currently has its Dataguise implementation in testing and pre-production stages, and will be rolling into production in the next few weeks. The initial production procedure involves a vendor that needs information but not PHI (personal healthcare information). He says, "We're using Dataguise to allow full functionality while not exposing any of the patient information. Phone numbers, social security numbers, et cetera are all completely changed or changed to exes. The process functions normally but the data is secure."
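The mask-then-remap flow described above (fake values go out, real values are restored on return, using either single-character fill or realistic-looking substitutes), sketched as an added Python example. It is not Dataguise's or Molina's code; the `Masker` class, the `POLICY` table, the field names and the sample row are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed masking policy for this example: field name -> masking mode.
POLICY = {"ssn": "pseudonymize", "phone": "pseudonymize", "name": "redact"}
# Constructed sample row; none of these values belong to a real person.
ROW = {"member_id": "M-1001", "name": "Jane Doe", "ssn": "123-45-6789",
       "phone": "(562) 555-0100", "claim_total": "412.50"}

def redact(value):
    # Single-character fill: irreversible, keeps only length and punctuation.
    return "".join("X" if c.isalnum() else c for c in value)

class Masker:
    def __init__(self, key):
        self.key = key    # secret held by the data owner, never shipped
        self.vault = {}   # (field, fake) -> real; also never shipped

    def _fake(self, field, real, counter):
        # Keyed digest turned into digits, written over the real digits so the
        # layout (dashes, parentheses) survives and downstream checks still pass.
        mac = hmac.new(self.key, f"{field}|{real}|{counter}".encode(), hashlib.sha256)
        n = sum(c.isdigit() for c in real)
        stream = iter(str(int.from_bytes(mac.digest(), "big") % 10**n).zfill(n))
        return "".join(next(stream) if c.isdigit() else c for c in real)

    def pseudonymize(self, field, real):
        if not any(c.isdigit() for c in real):
            raise ValueError(f"{field}: no digits to replace, refusing to pass through")
        counter = 0
        while True:  # retry if the fake equals the input or is already taken
            fake = self._fake(field, real, counter)
            if fake != real and self.vault.get((field, fake), real) == real:
                self.vault[(field, fake)] = real
                return fake
            counter += 1

    def mask(self, record):
        out = dict(record)
        for field, mode in POLICY.items():
            if field in out:
                value = out[field]
                out[field] = (self.pseudonymize(field, value)
                              if mode == "pseudonymize" else redact(value))
        return out

    def unmask(self, record):
        # Remap fakes to real values; redacted and unknown fields pass through.
        return {f: self.vault.get((f, v), v) for f, v in record.items()}

if __name__ == "__main__":
    m = Masker(b"constructed-demo-key")
    print(m.mask(ROW))
```

Only the key and the vault can reverse the substitution, so both stay with the data owner; fields masked by single-character fill cannot be restored from the returned data at all.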

Molina's management made the decision to integrate Dataguise into the company's IT infrastructure using internal personnel, rather than turning to an outside integrator. Gotmare says, "It's not at all laborious to integrate. We have all Microsoft SQL Server databases, and the integration with Dataguise is very easy." He says that Dataguise provided training for Molina's database administrators, with an emphasis on maintenance and administration, and the administrators reported that the software was easy and not at all difficult to migrate into a new environment. "Mostly it's a front-end product that's not complex to look at or work with--that's the feedback I got from our technical guys," Gotmare says.

Gotmare says that he anticipates using Dataguise software in a number of additional situations going forward. "It exactly provides what we need. They might come out with different interface, or something, but for now [Dataguise] meets all our needs," he says. DG Masker and DG Discover are available for $24,995 each. A soon-to-be-released dashboard application for managing search results and data masking operations will be available for an additional cost.
