HIPAA Compliance Requires Highest Email Security Standards

About University of Tennessee Medical Center

University of Tennessee Medical Center is a major medical center providing superior treatment and healthcare support to residents of the East Tennessee region, as well as offering expert care as the area’s only Level I Trauma Center. The hospital offers general, specialty and sub-specialty care in a full range of medical fields, including heart, lung, vascular, brain, spine, childbirth and cancer care, as well as treatment for many other conditions.

The only academic hospital in the Knoxville area, UT Medical Center is the leading resource for research, discovery and updated treatments in the community. The hospital maintains a strong commitment to technological and treatment advances that provide better care for patients.

As might be expected, a significant amount of communication among doctors, patients and support staff takes place via email. In fact, there are more than 4,600 users on the UT Medical Center’s domain. Jerry Hook, Manager of Windows Systems, is responsible for upkeep and support of all email and related technologies such as anti-spam, anti-virus and encryption.

HIPAA compliance requires highest email security standards

For many years, Hook and his IT team at UT Medical Center used an appliance for spam prevention, and third-party software for virus prevention, archiving and retrieval, and encryption. The latter makes for a particularly interesting infrastructure, explains Hook, due to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HIPAA requires all health-care providers to ensure the privacy of protected health information (PHI). With regard to email, this typically means encryption.

“You might think that virtually all email coming out of a medical center would contain PHI,” says Hook. “But in fact, it’s only about two percent. Therefore an all-encompassing encryption strategy doesn’t make sense for us. Instead we use specialized software that, based on content, can determine when an outgoing email contains PHI and then automatically encrypts it.”
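The content-based routing decision Hook describes, as an added illustration rather than Mimecast’s or UT Medical Center’s software: an outbound message is scanned for PHI indicators and, when any are found and a recipient is outside the organization, it is handed to the encryption gateway; everything else is delivered normally. The indicator patterns, the `utmc.example` domain, and the sample messages are all constructed for the example, and the rule that internal-only mail bypasses the gateway is an assumption of this example, not a statement from the case study.

```python
"""Content-based outbound email policy (illustrative example).

Decides whether an outgoing message should be routed through an
encryption gateway because it appears to contain protected health
information (PHI).  Patterns, domain and sample messages are constructed
for this example; a production classifier would use the organisation's
own identifier formats, dictionaries and structured-data checks.
"""
import re
from email import policy
from email.parser import Parser

# Constructed placeholder for the hospital's own mail domain (assumption).
ORG_DOMAIN = "utmc.example"

# Identifier patterns that strongly suggest PHI.  Constructed for the
# example; real MRN formats vary by organisation.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

# Clinical vocabulary that also marks a message as PHI-bearing.
CLINICAL_TERMS = re.compile(
    r"\b(?:diagnos(?:is|ed)|lab results?|prescri(?:bed|ption)|ICD-10)\b", re.IGNORECASE)


def _message_text(msg) -> str:
    """Subject plus the preferred text body, as one searchable string."""
    parts = [str(msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        parts.append(body.get_content())
    return "\n".join(parts)


def _recipient_domains(msg) -> set:
    """Lower-cased domains of every To/Cc/Bcc recipient."""
    domains = set()
    for header in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(header, []):
            for addr in hdr.addresses:
                domains.add(addr.domain.lower())
    return domains


def classify_message(raw: str) -> dict:
    """Return the routing decision for one outbound RFC 5322 message.

    action is "encrypt" when PHI indicators are present and at least one
    recipient is outside ORG_DOMAIN, otherwise "deliver".
    """
    msg = Parser(policy=policy.default).parsestr(raw)
    external = {d for d in _recipient_domains(msg) if d != ORG_DOMAIN}
    text = _message_text(msg)
    identifiers = sorted(name for name, pat in IDENTIFIER_PATTERNS.items()
                         if pat.search(text))
    clinical = CLINICAL_TERMS.search(text) is not None
    contains_phi = bool(identifiers) or clinical
    return {
        "action": "encrypt" if contains_phi and external else "deliver",
        "identifiers": identifiers,
        "clinical_terms": clinical,
        "external_domains": sorted(external),
    }


# Constructed sample messages (not real patient or staff data).
SAMPLE_REFERRAL = """\
From: dr.smith@utmc.example
To: referrals@clinic.example
Subject: Referral for patient, MRN 00482913
Content-Type: text/plain; charset=utf-8

Please see the attached lab results and my diagnosis notes for the patient above.
"""

SAMPLE_SCHEDULE = """\
From: facilities@utmc.example
To: vendor@supplies.example
Subject: Delivery window for next week
Content-Type: text/plain; charset=utf-8

The loading dock is open Tuesday and Thursday mornings. Please confirm.
"""

SAMPLE_INTERNAL = """\
From: nurse@utmc.example
To: ward-b@utmc.example
Subject: Handover, DOB 04/12/1961
Content-Type: text/plain; charset=utf-8

Patient in bed 7 was prescribed a new dosage this morning.
"""

if __name__ == "__main__":
    for name, raw in (("referral", SAMPLE_REFERRAL),
                      ("schedule", SAMPLE_SCHEDULE),
                      ("internal", SAMPLE_INTERNAL)):
        print(name, classify_message(raw))
```

Only the referral, which carries an identifier and leaves the organization, is routed to the gateway; the vendor message has no indicators and the handover note stays inside the domain, matching the “only about two percent” observation that most traffic does not need encryption.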

This encryption scheme worked well for UT Medical Center. But Hook and his team faced challenges in other areas; chiefly, an increasing volume of spam, an incomplete system for archival and retrieval, and a lack of a coordinated disaster-recovery strategy. Because of HIPAA, they also needed to ensure that data held in email is fully secure both in transit and in storage.

Growing spam/virus problems and email retrieval challenges prompt search for solution

“We’d been using well-known anti-spam and anti-virus vendors,” recalls Hook. “Both required us to do the scans on our Exchange server, which really slowed everything down. Reliability was also an issue – we had to constantly ride the vendors to make sure we had updates. Typically, it would take a call from us about increasing spam levels or a virus problem before they would apply new policies. It was time-consuming for our staff, and the problems were becoming noticeable to users.”

With regard to email archiving and retrieval, due to space limitations on the Exchange server, the third-party software UT Medical Center used was only able to back up certain mailboxes. Other email was backed up only via PST files. In the event email had to be retrieved from backup (whether from a server or a PST file), it would have been a slow, manual process. And disaster recovery was virtually non-existent.

With the maintenance due to expire on its anti-spam and anti-virus products, Hook decided it was time to investigate a change. He began researching appliance-based approaches, but was put off by the cost, complexity and potential difficulty of integrating a new system with UT Medical Center’s encryption processes. Then a colleague suggested Mimecast.

SaaS-based approach offers high security, wide feature set, great value

Mimecast provides the only end-to-end solution for unified email management in the cloud – a fully SaaS-based solution that covers archiving, discovery, business continuity, security and policy management. More than 2,000 companies around the world have replaced multiple on-premises point solutions with a Mimecast subscription in order to significantly reduce the risk, complexity and overall cost of email management.

“At the very beginning, there was uncertainty about putting all of our email management off-site,” says Hook. “But the feature set won us over. The initial demonstration we got from Mimecast was great – with one service, we could get a holistic and comprehensive solution for our entire email environment. We were amazed at how easy it was to administer, and because Mimecast operated in the cloud, it would be relatively easy to integrate it with our encryption solution. None of the other vendors we evaluated even came close to providing the wide feature set we got from Mimecast.”

Mimecast implementation ‘painless’ and has reduced email management costs by 60 percent

“The implementation was far simpler than we’d anticipated,” says Hook. “This was a fairly big deal for our IT group, but I’d have to describe the implementation as ‘painless.’ The Mimecast team was just incredible. They were logging in on weekends and in the middle of the night to make sure everything went smoothly. I’ve never seen that kind of support from a vendor.”

Mimecast enabled UT Medical Center to retire three anti-spam appliances, plus its anti-virus and archiving/retrieval software (with associated servers). “Overall, we estimate that UT Medical Center saved 60 percent on IT costs with unified email management from Mimecast,” says Hook.

But more importantly, he reports that service to users has improved. “We established SLAs up front – such as percentage of spam and availability – and Mimecast has easily exceeded them,” says Hook. “We have not had any virus outbreaks since switching to Mimecast, and on the anti-spam front we are receiving far fewer false positives.”

“Inbound volume has dropped dramatically by a little more than 70 percent since Mimecast blocks virtually all of the spam,” says Hook. In addition, because it’s all one integrated service, Mimecast ensures the security of PHI in emails both in transit and in storage – which is crucial for HIPAA compliance.

Administrative burden of email system reduced by 20x

Time spent on administration has been significantly reduced since switching to Mimecast, according to Hook. “In the past, I’d estimate we spent at least 40 hours a month on administration of email management, with much of that on anti-spam,” says Hook. “Since moving to Mimecast, our administrative burden has been significantly reduced. In fact, I haven’t had to do any administration at all in the last three weeks. I’d estimate it’s down to just one or two hours a month.”

[2021/01] University of Tennessee Medical Center
Sector: health
