Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →
Case Study

10 Million Members. Six PKI Gaps. One Healthcare PKI Rebuild.

How Encryption Consulting designed and implemented a two-tier Microsoft PKI for Texas’s largest health benefits provider to meet HIPAA Technical Safeguard and FIPS requirements and close critical security gaps.
10 Million Members. Six PKI Gaps. One Healthcare PKI Rebuild.

Customer Profile

Texas’s largest health benefits provider, serving ~10 million members through 150,000+ physicians and 500+ hospitals. Offers individual, employer, Medicaid, Medicare Advantage, dental, and vision plans, with over a century of service in clinical care and community health.

Industry

Healthcare & Health Insurance

Engagement Type

PKI Implementation & Infrastructure Deployment

At a Glance Outcome

10M

Members protected under the new PKI infrastructure

150,000+

Physicians and practitioners secured across the network

HIPAA & FIPS

Compliance standards met through HSM key ceremony

2-Tier

Microsoft PKI architecture deployed with offline Root CA

The Enterprise

Challenges

As the client's digital services expanded, six weaknesses in their hybrid PKI environment came into focus: an exposed Root CA, unprotected private keys, missing governance controls, and gaps in resilience planning.

Root CA online, domain-joined, and exposed

An online, domain-joined Root CA exposed to network threats, privilege escalation, and domain compromise, against industry and compliance norms.
01 INFRASTRUCTURE

Private keys stored in file system, not HSMs

Root and Issuing CA private keys sat in an encrypted file system instead of HSMs. Leaked keys or a compromised server would expose them.
02 KEY SECURITY

No key custodian matrix or separation of duties

No custodian matrix on Root or Issuing CA. A single admin could change keys unsupervised, raising insider-threat and unauthorized-change risk.
03 ACCESS CONTROL
Six gaps, one trust chain. Every weakness traced back to the same Root CA, so the fix had to start there, then rebuild outward.

Encryption Consulting Assessment Team

PRE-IMPLEMENTATION ASSESSMENT | ENCRYPTION CONSULTING · PKI SERVICES

Our Offered

Solutions

The engagement ran four workstreams across four phases: assessment and design, build and implementation, functional testing, and knowledge transfer.

Capability 01

PKI Architecture Design & Planning

Assessed the crypto environment (SSL/TLS, S/MIME, client/server auth, code signing) and finalized the design, tasks, and timelines with the client.

Capability 02

HSM Integration & Key Ceremony

Ran a HIPAA/FIPS key ceremony, moved Root and Issuing CA private keys into tamper-proof HSMs, and stood up a custodian matrix for multi-party key approval.

Capability 03

Two-Tier Microsoft PKI Deployment

Deployed a two-tier Microsoft PKI (offline Root + two subordinate CAs) with CAPolicy.inf, PathLength, and shortened validity, plus NDES/WAP mobile issuance, OCSP, and self-signed controls.

Capability 04

DR Planning & Knowledge Transfer

Delivered PKI documentation (architecture, key ceremony, CP, CPS) and a DR/BCP with backups, redundancy, and failover; ran knowledge-transfer on PKI and DR operations.
The result was a compliant, resilient, and scalable PKI infrastructure, purpose-built to protect the sensitive health data of millions of members and support the organization’s growth for decades ahead.

Encryption Consulting Assessment Team

ENGAGEMENT SUMMARY | ENCRYPTION CONSULTING · PKI SERVICES

The Overall

Business Outcome

With the two-tier Microsoft PKI in place, the client closed the structural vulnerabilities, met HIPAA and FIPS requirements, and now has a security foundation that protects 10 million members and scales as the organization grows.

01

PKI trust chain fully secured

Offline Root CA, HSM key storage, and a custodian matrix closed the prior exposure, cutting insider threat, misconfiguration, and unauthorized access to member health data.
02

HIPAA and FIPS compliance achieved

Key ceremony, HSMs, CP/CPS, and two-tier architecture met HIPAA and FIPS requirements; documentation and knowledge transfer enabled independent operation.
03

Lifecycle control and resilience established

Shorter validity, self-signed guidelines, lifecycle tracking, and NDES ended expiration outages and simplified mobile provisioning; DR/BCP ensured fast recovery and continuity.

Discover Our

Latest Resources

Education Center

All You Need to Know About DevSecOps Scaling 

DevSecOps scaling extends automated security across every team and pipeline. Learn the benefits, challenges, six steps, tools, and 2026 compliance drivers.

Read more
Case-Studies

White Paper

The Cert Wars: The Race Against Expiry

One expired certificate (cert) can bring operations to a halt. Discover how to prevent outages and manage certificate expiry before it impacts your business.

Read more
Case-Studies

Video

The 2029 Convergence: Why Microsoft, Google, and Cloudflare All Chose the Same PQC Deadline

Explore expert insights on cybersecurity, PKI, and post-quantum readiness, with practical guidance to strengthen security and future-proof cryptography.

Watch Now
Case-Studies