With more than three million policyholders, VGZ is one of the largest health insurance companies in the Netherlands. VGZ has been providing health care insurance for more than fifty years now. The company is part of VGZ-IZA, a joint venture between Zorgverzekeraar VGZ and IZA Nederland. VGZ and IZA offer all forms of health insurance in the Netherlands.
In 2005 VGZ decided to equip mobile workstations with McAfee Endpoint Encryption security software. The specific reason for this decision was an audit carried out by De Nederlandsche Bank, which recommended that sensitive personal information on portable media, such as notebooks, should be stored in encrypted form.
Notebook users inside VGZ can be roughly divided into two categories: field staff, and administrators on stand-by for remote management. In principle nobody is allowed to store data locally on hard disks at VGZ, but an exception has been made for these two user groups. Both of these groups are often on the road, and they need ongoing access to business and customer information while they are away from the VGZ office. There is also an increasing number of people working from home, which means that the user group for notebooks at VGZ will continue to grow in the coming years.
Marco van de Veen, ICT security consultant at VGZ, says, “We want to be sure that confidential data will not be misused in the event of loss or theft of a notebook. Our field staff store sensitive information on their laptops, such as offers and customer data. When they visit companies where the employees are covered by group insurance, they have to take personal data with them such as names, addresses, place of residence, and group and individual insurance numbers. All this information is confidential and must be handled with the utmost care.”
As an organization, VGZ is not obligated by law to secure the sensitive data recorded on notebooks. This does not mean, however, that VGZ cannot be held liable if confidential information is released to the public at large. “There have been numerous examples in the media of stolen laptops with sensitive information that could be immediately accessed. Laptops disappear from every organization and we are no exception in this regard. We see it as an important task, and our own responsibility, to protect customer data against possible misuse by third parties. I also feel that the potential damage to the company image caused by the loss of such data far outweighs the investment that is needed to secure it,” van de Veen says.
VGZ carried out a survey to evaluate the available options for data protection. As a health insurer, VGZ was looking for a proven technology that was recognized by Gartner and the business community, whereby the reliability and support of the supplier would play an important role in the final choice. The product also had to be centrally manageable, easy to use, provide several levels of encryption, and have a minimal impact on the performance of the notebooks. From all the comparative tests that were carried out, McAfee Endpoint Encryption emerged as the best alternative.
VGZ began by equipping 150 laptops with McAfee Endpoint Encryption. As a result of the subsequent increase in notebook usage, this number has since risen to 350, and McAfee Endpoint Encryption is now installed on all VGZ laptops as standard procedure.
VGZ encountered virtually no resistance during the roll-out of McAfee Endpoint Encryption inside the organization. According to van de Veen, this can be partly explained by the clarity with which the necessity for McAfee Endpoint Encryption was communicated internally.
"We want to be sure that no improper use is made of confidential data in the event of loss or theft, and that all the information on our notebooks is automatically stored in encrypted form. McAfee Endpoint Encryption is ideal for this task." Marco van de Veen, ICT Security Consultant, VGZ
“At first, data protection is always regarded as an inconvenience. In the case of McAfee Endpoint Encryption, the product encrypts the hard disk immediately after installation, taking several hours (depending on the quantity of information) to do so. This leads to a delay in the system. After installation of the software is complete, however, you hear only satisfied reports. This is because users no longer have to worry about the security of data when the notebook is switched off. A serious problem has been eliminated,” says van de Veen.
Users do not experience any inconvenience from McAfee Endpoint Encryption. “In Windows XP it is also possible to encrypt files, but this requires action by the user. We want all the information on hard disk to be encrypted automatically, and McAfee Endpoint Encryption is ideal for this purpose,” adds van de Veen.
In the coming months, VGZ plans to equip a further 300 laptops with McAfee Endpoint Encryption. An increasingly large group of employees is able to dial in from home, and VGZ is growing as a result of various take-overs, including Trias.
Apart from McAfee Endpoint Encryption, VGZ has also acquired McAfee software for the securing of smartphones and PDAs. VGZ plans to deploy this new equipment within the year, and the company wants to be sure of full and immediate protection.
Collaboration with McAfee
The relationship between VGZ and McAfee is a remarkably good one. “The speed of action, ready availability, flexibility and short lines of communication are characteristic of McAfee. If a problem arises or I want to organise a new course, a single phone call is all that is required. This explains why no insurmountable problems arose during the pilot and installation period. McAfee is an excellent partner to work with,” concludes van de Veen.
The Personal Data Protection Act (WBP; Wet Bescherming Persoonsgegevens) stipulates when organizations have to protect their data. Data are subdivided into risk categories for this purpose. The easier it is to associate the data with a particular person, the higher the risk category. Address data, for example, is designated as risk category 2. This means it is recommended that the data be stored in encrypted form, but it is not compulsory. If a system also contains information about clinical syndromes (risk category 3) the organization is obliged to store that information in encrypted form. Risk category 0 data is information that is freely available to all, such as the information found in the telephone book. The highest risk category is 4, which includes state secrets.