Loyal improves data protection, platform performance with Always Encrypted with secure enclaves for Azure SQL Database

Cryptography and customer success

Loyal provides a healthcare technology platform that helps unify the business of healthcare with patient experiences. The company partners with health systems across the United States, including medical centers, not-for-profit systems, children’s hospitals, and cancer institutes, to deploy solutions that can enhance patient experiences and overall health outcomes. As part of its commitment to protecting the privacy and security of patient data, Loyal uses Always Encrypted with secure enclaves in Microsoft Azure SQL Database, a client-side encryption technology available to SQL Server and Azure SQL Database customers.

“Always Encrypted helps provide peace of mind,” says Shane Gallagher, Software Engineer at Loyal. “Our customers choose us because of our expertise in end-to-end patient engagement and our skill at developing highly secure solutions that require access to sensitive patient information.”

Security by design is an ethos that serves Loyal’s customers well. The company designs and engineers its platform solutions to help its customers thrive in a highly regulated healthcare industry where data breaches, ransomware, and cyberattacks can severely affect patient outcomes. It deploys security measures such as access controls, authentication, and Secure Sockets Layer (SSL) encryption to protect its business and data. The company also recognizes that these measures, like all cybersecurity methods, have limitations and vulnerabilities that determined attackers will try to exploit. For example, although access controls can prevent unauthorized access to data, they can’t protect against data breaches by internal employees with access to sensitive data. That’s where Always Encrypted is useful.

Always Encrypted with secure enclaves

Always Encrypted is a security feature of SQL Server and Azure SQL Database that provides advanced, column-level encryption capabilities. With it, sensitive data can be encrypted and decrypted transparently with minimal changes to the application code. This technology separates the column encryption key and column master key, storing the former outside of the database. A client driver encrypts sensitive data before passing it to the database and only decrypts data retrieved from encrypted database columns at the client. 

Secure enclaves enhance the Always Encrypted feature, providing additional protection for Loyal’s database security and adding functionality for more robust data engineering. Sensitive data is kept in a secure enclave, a trusted execution environment with specific hardware requirements, and it must be configured beyond what’s necessary for a standard Always Encrypted implementation. Loyal is also evaluating a software-based implementation of secure enclaves, called VBS enclaves, that doesn’t require special hardware and reduces the limitations of that hardware. VBS enclaves are available in existing hardware offerings at no extra cost. Loyal believes that the investment is worth it and values the additional performance benefits and data engineering functionality it’s gained. “Implementing Always Encrypted with secure enclaves was a no-brainer for us because we get lower latency and an order of magnitude better performance on much larger volumes of data,” says Britton Powell, Director of Engineering at Loyal.

Loyal uses Always Encrypted with secure enclaves to extend the functionality of its development environment and data operations and take advantage of additional security benefits. With secure enclaves, Loyal runs database operations in an isolated environment that’s protected by hardware-based security features. If a database administrator or other privileged user gains access to the operating system or database, they still can’t view sensitive data—only authorized users with appropriate permissions and encryption key access can view the data. “We can now interact with data without exposing patient information in plain text,” says Gallagher. “Our development teams can write scripts that call the encrypted data without the friction of other encryption methods.” 

Implementing Always Encrypted with secure enclaves at Loyal was a straightforward process. The development teams implemented it into their existing database schema and applications without significant challenges. The required application changes were minimal, and developers were able to quickly modify their applications to work with Always Encrypted.

Loyal now exceeds data security and management measures that laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require of health systems and providers to protect patient data. And by engineering its healthcare solutions using advanced encryption methods and data protections, the company can build trust and deliver more value to its customers through data engineering and security principles.

“While there’s no HIPAA data requirement to use Always Encrypted, sharing this engineering initiative with our customers is a simple, easy win for everyone,” says Powell.

Faster development, fewer blockers

In addition to the advantages that its customers gain from advanced encryption, the Always Encrypted implementation positively affected Loyal’s software engineering and product development. It helped transform how the company’s development teams think about data security, leading to more secure and effective data engineering and software development practices. “We used to have to pull all the data to a client-side application before we could perform any segmentation or parsing,” says Gallagher. “Now, we can perform actions on the SQL Server side and extract a specific segment of encrypted data without pulling a million patient records across the wire.”

With Always Encrypted with secure enclaves, Loyal’s web applications can make data calls using its Patient API service without additional code or configuration settings. Users who don’t have access to the encryption keys can only view encrypted values, helping prevent accidental disclosure of sensitive patient information without stifling development productivity or adding database management workflows. “We’re now confident about having patient data going through different applications over different network calls,” says Gallagher. “There are services we wouldn’t be able to offer our customers if we didn’t have confidence in Always Encrypted and the capabilities it provides.”

Building trust with performant protection

The significance of data security in the healthcare industry can’t be overstated. Trust is crucial at a time when ransomware and high-profile data breaches are top of mind. Data is more secure by design when it’s encrypted in transit and at rest and stored in a centralized location rather than by different apps that interact with the data. The challenge is to balance security with performance and productivity so that Zero Trust measures don’t impair innovation.

By prioritizing data security in product development, enhanced platform performance, operational efficiency through data engineering, and technology like Always Encrypted, Loyal has taken a significant step in building a successful and trustworthy healthcare technology brand. In doing so, it’s providing the healthcare industry with an innovative model for building trust that patient privacy and security are paramount for better business results and patient outcomes.

“We now have a lot more power to innovate because we can run more queries on encrypted data and perform functions that we couldn’t otherwise do without Always Encrypted with secure enclaves,” says Gallagher.

Find out more about Loyal on Twitter and LinkedIn.