In-Depth

In E-Mail We Trust

Baptist Health Care has confidence that it's safely transmitting patient data and other sensitive information through CipherTrust's secure messaging gateway appliances.

• By Michael Domingo
• 11/01/2005

Can patients' health data be transmitted over the wire safely within the rules of regulatory compliance? According to Alex Hernandez, director of advanced product development at Alpharetta, Ga.-based CipherTrust, it's entirely possible. Headed by CEO Jay Chaudry, CipherTrust developed the IronMail secure messaging appliance, which Baptist Health Care, a Florida health care provider and customer, has been using since 2001.

BHC then turned to them again when it needed to be able to safely e-mail patient data. CipherTrust came through, with the Secure Web Delivery appliance, which allows the health care provider to send out patient data via e-mail and other methods without having that data compromised. MCPmag.com editor Michael Domingo interviewed Hernandez about the company's efforts in helping BHC secure patients' health data on the Web over the years.

What went into the development of the IronMail appliance and what compelled Baptist Health Care to deploy it back in 2001?

CipherTrust director of advanced product development Alex Hernandez

Alex Hernandez: BHC deployed their original product for what we started doing development for, for security. And, then providing protection from attacks and attackers from the Internet was our first device for e-mail. Baptist Health Care was specifically trying to tackle a spam and virus problem and looked to us as a leader in that space. That's what drove their original purchase.

Baptist has been a customer since 2001. Since they're already a customer of yours, I'd believe they'd probably ask you for IT compliance solutions too.

AH: Absolutely, and for customers who have been with us for as long as they have, certainly dealing with those in-bound threats was a headache to messaging administrators for the past several years. As they're looking toward their clients, we're already handling their mail at the gateway, so we're an appropriate provider for them to ask, "What do you have for offerings on outbound compliance?" We're certainly able to deliver a solution for them as well.

That's CipherTrust Secure Web Delivery that you're referring to?

AH: It's really tied in with the IronMail gateway, where IronMail is [Baptist Health Care's] policy engine. Not only is it doing their in-bound protection from spam and viruses, from the nasties on the Internet, but it's also able to look at that out-bound content and make intelligent decisions with the policy manager over what data needs to be protected, looking at content, looking at attachment types. Specifically, their initial launch was around e-faxes, x-ray information...basically the policy manager looks at messages and decides most appropriately what needs to get encrypted. Then it utilizes what we call a Secure Web delivery appliance to deliver those messages to anyone, anywhere.

Was Secure Web Delivery developed as an add-on to IronMail?

AH: We consider it sort of like a staging server, where IronMail is handling the in-bound and out-bound mail flow. It sees something that needs to get encrypted and handled in a special Web delivery method, so it hands it to the sister appliance that sits side by side, that handles that longer-term holding of e-mails, the Web delivery, the authentication of the users, those types of tools.

Was it developed based on customer feedback or was it based on some foresight, that IT compliance was going to hit customers?

AH: A little bit of both. We've been in the gateway e-mail encryption market since our inception. We've been supporting secure SMTP, really, since day one in our product space. We've since added, and before we got to Secure Web Delivery, we added other gateway-based encryption capabilities, like server-side S/MIME, server-side PGP encryption capabilities.

But we were seeing a need for the marketplace that ability to deliver a message to anyone, Hotmail, Yahoo!, any user--not necessarily a business partner. That's where hearing customer feedback [comes in]...they saw a need for it as well, but they didn't know what they were looking for necessarily. We put our heads together and came up with a nice Web delivery model that's been very widely accepted.

There are other message security products out there that address IT compliance issues. Who is your stiffest competition, who do you go up against on a regular basis when approaching a new customer?

AH: It'd be a mix. There's certainly some open-source solutions out there. There are some solutions that are gateway-based, like a Zzyzzx, or PGP Universal or a PostX-type encryption solution. But the market space is kind of interesting, in that there's a lot of policy providers out there that can do the message scanning, and a lot of them have teamed up with gateway encryptions solutions, like PGP Universal, PostX or Voltage. We've got partnerships with those same types of organizations.

Typically, you'll see less competition on the encryption side and more competition on the policy management gateway side. The encryption solution is really being tipped more to the needs of the organization. Are they trying to deliver statements out or are they just trying to deliver e-mail messages to users? Are they looking for something lightweight, like Secure Web Delivery which we offer, or are they looking for something in-depth, being able to encrypt a statement or send out a bank statement to a user?

We offer not only our own Secure Web Delivery like Baptist Health Care is using, but we also do provide, with agreements, solutions for PGP Universal as well as Voltage.

Are you finding that new customers have no solution, or are you typically replacing something that didn't work out for them?

AH: For most of them, it's new. Very few companies jumped onto e-mail encryption early on, because they really didn't know what their needs were, what their requirements were going to be. We certainly see ourselves replacing some existing SecretSweeper or Tumbleweeds solution out there, with products with more features, with more integration with gateway functionality. A lot of them are companies trying to address an encryption need that has arisen.