Case study: Memorial Hospital of Converse County turns to Mimecast to ensure regulatory compliances
“We would have needed to buy three or four point solutions from other vendors to get everything we have in Mimecast. I highly recommend their service.”Dave Patterson, CIO, Memorial Hospital of Converse County
Ranked a Top 100 Hospital by the National Rural Health Association, Memorial Hospital of Converse County is a 25-bed, critical-access hospital located in Douglas, Wyoming. Memorial’s state-of-the-art facilities, board-certified providers and patient focus combine to ensure “Advanced Medicine and Hometown Care.”
Like all health care organizations, Memorial Hospital of Converse County must comply with government mandates such as HIPAA and PCI, which are designed to protect patient and financial information. It must also be ready to present archived email records at the behest of regulators.
While the hospital had never received such a request as of 2009, CIO Dave Patterson understood that its existing email archiving and retrieval systems would make responding to an inquiry extremely difficult. The hospital had no formal email retention policy and no means of enforcement in place, instead relying on the native archiving in Exchange, which offered limited storage and search functionality. “We used PST files for archiving, and that meant that individual users determined which emails to keep,” Patterson explains. “PST files saved to the server were backed up to tape each night. Unfortunately, if a user didn’t save files to the server and their hard drive crashed, those files were gone forever.”
Memorial Hospital’s in-house legal team recommended that the facility implement both automated email archiving and encryption solutions, which would help ensure regulatory compliance. Under HIPAA, all patient information needs to be encrypted, and PCI regulations impose similar restrictions on financial data. “In the past, we’d relied predominantly on users to know when and how to encrypt, which was not the most effective approach,” Patterson says. “Our attorneys urged us to implement a solution that would encrypt messages automatically when it was required to ensure HIPAA and PCI compliance.”
Patterson and his team evaluated both appliance- and cloud-based email management solutions, and even conducted a study of multiyear storage requirements – which indicated the hospital would face thousands of dollars in storage costs annually if it continued to archive email in house.
“From a regulatory standpoint, implementing an email archiving and business continuity solution was a ‘must-have,’ not just a ‘nice-to-have,” Patterson says. “Given the amount of email we need to archive, it became quickly apparent that a cloud-based solution would be much more cost effective. Hardware-based solutions were just too complex and expensive, especially given storage costs.”
After considering two vendors who promised cloud-based email management, Memorial Hospital chose Mimecast. “Mimecast is unique in that it offers a combination of capabilities that we would otherwise have had to purchase from a number of vendors,” Paterson says. “With Mimecast, we get comprehensive services—archiving, encryption, continuity, AS/VS—for a single price point to meet all our needs. It is a tremendous value.”
Patterson reports that implementing Mimecast was seamless and that the solution is so easy to use that it was explained to employees in a singlepage document. “Mimecast has a great support staff that worked closely with us throughout the implementation process,” Patterson says. “The documentation was very clear and we’ve easily made educating users on Mimecast part of our new-employee orientation.”
Blocks spam more effectively
The hospital had used a desktop AS/AV package for years, and experienced occasional network downtime due to malicious emails, Patterson says. Memorial Hospital now uses Mimecast to block threats at the gateway. The result: lower network traffic, reduced downtime associated with malicious emails, and improved network performance.
“Our users feel empowered with Mimecast’s AS/AV capabilities, including whitelisting and reviewing/releasing questionable emails,” he adds. “It is easy to use and highly customizable.”
Ensures regulatory compliance
Mimecast helps Memorial Hospital meet important criteria for HIPAA, PCI and other government regulations. “There are substantial fines for non-compliance,” Patterson says. “Mimecast enabled us to build rules that can automatically detect whether information contained in an email or an attachment needs to be encrypted, and then do it, so the user doesn’t need to decide. It gives us real peace of mind.”
Delivers automated email archiving
Mimecast’s automated archiving allows Memorial Hospital’s IT staff to recover archived email in just seconds, so that whether Patterson’s team needs to respond to a legal request or to an employee seeking a “lost” message, archived emails are always within reach. “Before Mimecast, if we had been faced with an eDiscovery request, we would have to manually search through PST files on our tape backups – if they even existed for that user – or the user’s local inbox. It could take days or even weeks, and even then, I’m not confident our response would have been complete or accurate,” Patterson explains. “With Mimecast, we can access archived email in seconds using a simple search interface. Plus, when regulations change, Mimecast is flexible enough to accommodate our new requirements.”
Provides seamless business continuity
Since the solution’s implementation in 2009, Patterson has been confident that Mimecast would work in the event of an outage, but he didn’t have an opportunity to see the business continuity functionality in action until recently. “Our Exchange server went down and the database needed repair,” Patterson notes. “We would have been without email for the eight hours it took to resolve the problem—a lengthy interruption for a hospital—but we had Mimecast, so it was as if the email service was never interrupted at all. There was no disruption to our business, our users were extremely satisfied, and my team and I were happy that we had an alternative in place.”
Lower IT costs
Patterson and his team of four are responsible for all IT functions at Memorial Hospital, and the team has seen an improvement in their own efficiency since Mimecast was implemented. “Mimecast saves us a great deal of time, particularly when it comes to responding to requests to locate specific emails,” Patterson says. “We used to take hours or sometimes even days to respond—now we have the answer in just minutes. We’ve also virtually eliminated email downtime, and while the cost of downtime is hard to quantify, I’d estimate it’s about $500 an hour. And we’ve saved thousands in storage costs since moving our email archive to the cloud.”