Microsoft SQL Server Customer Solution Case Study

Healthcare Group Improves Availability and Security of Mission-Critical Databases

Overview “I have great confidence in deploying mission-critical Country or Region: United States Industry: Healthcare—Healthcare applications on the Microsoft Application Platform. It is providers highly scalable, reliable, and stable.”

Customer Profile Don Wood, Information Resource Management Manager, CareGroup Healthcare System CareGroup Healthcare System is the parent company of four Boston-area hospitals. CareGroup provides IT support CareGroup Healthcare System is the corporate parent of Beth and other administrative services for the hospitals. It employs 16,000 people. Israel Deaconess Medical Center, a teaching hospital of Harvard Medical School, and three other hospitals in the Boston area. Business Situation CareGroup wanted to enhance its One of its responsibilities is managing 470 databases across the auditing and encryption abilities to help enterprise, including 70 databases that house mission-critical it protect the privacy and security of 2 terabytes of information stored in 470 information used in providing patient care and setting databases running Microsoft SQL Server healthcare policies. To enhance the availability, performance, 2005 and SQL Server 2000. and management of these dispersed data sources, the Solution organization upgraded its databases to Microsoft SQL Server CareGroup decided to upgrade its database infrastructure to Microsoft SQL 2008 Enterprise. The new solution delivers enterprise-class Server 2008 Enterprise to take advantage availability of 99.99 percent. CareGroup has improved the of advanced auditing, encryption, and management features. security of its more than 2 terabytes of data with advanced auditing and encryption features, simplified IT tasks by using Benefits Policy-Based Management, and saved IT time and money  Enterprise-class availability  Enhanced data security through Data Compression and Backup Compression.  Simplified system management  Time and cost savings Situation The organization was impressed with SQL CareGroup Healthcare System is a large Server, and it appreciated the features and provider of healthcare services and medical enhanced performance it gained when education in the Boston area. It is the upgrading to SQL Server 2005. parent company of four regional hospitals, including Beth Israel Deaconess Medical Due to a mounting number of regulatory Center, which is a teaching hospital for requirements—including the need to Harvard Medical School. Other facilities safeguard patient information—and operated by CareGroup include Beth Israel business requirements for high availability Deaconess Hospital in Needham, of data, CareGroup began evaluating SQL Massachusetts; New England Baptist Server 2008 in early 2008. “We wanted to Hospital in Boston; and Mount Auburn see whether a range of new features in SQL Hospital in Cambridge, Massachusetts. Server 2008 would help us meet an ever- growing list of performance and regulatory CareGroup provides IT support for needs,” says Ayad Shammout, Lead hospitals in the group, including hosting Technical Database Administrator at more than 3.5 million patient electronic CareGroup Healthcare System. medical records (EMRs) and multiple data warehouses for reporting and analytics. Because the databases are critical for daily CareGroup hosts more than 2 terabytes of operations, an upgrade would have to be information stored in 470 databases across carefully evaluated and justified through a the enterprise. The databases are classified number of important criteria. For example, with ratings that include AAA, AA, and A— Shammout says that CareGroup wanted to ratings that indicate the importance of data maintain or improve the high availability of within a particular database and the its data while enhancing a number of key service-level agreements required to ensure database functions. These included the the availability and safety of that ability to quickly and easily produce reports information. based on audits done in accordance with various state and federal regulations, Of the 470 databases, 70 are rated AAA. including the federal Health Insurance These contain mission-critical information Portability and Accountability Act (HIPAA). such as patient account records and HIPAA includes a privacy rule that requires important medical information and safeguards for the use and disclosure of a statistics—for example, patients admitted patient’s protected health information. with the H1N1 flu virus during a specific month—that help healthcare executives Other important requirements for the and medical practitioners make important upgrade included the ability to effectively decisions. manage the databases without straining IT resources. The IT team also wanted to more For nearly a decade, CareGroup had used closely monitor database activity to plan for the Microsoft Application Platform, which hardware upgrades, and attain better included the Windows Server operating control over the effects of poorly structured system and the SQL Server 2005 and SQL user queries that could slow computing Server 2000 data management software. performance. “We experienced just databases, data files, and log files Solution without the need for application two 30-second outages CareGroup decided to upgrade all of its changes. SQL Server instances to SQL Server 2008  Policy-Based Management. New in SQL during the entire Enterprise, starting with its patient billing Server 2008, this framework helps upgrade process. Our and lab results databases. By early 2009, CareGroup set and enforce compliance the IT department had upgraded about 75 with system configuration policies that user community could percent of the databases to SQL Server are referenced by both internal and 2008. The remaining databases were external database developers. not believe that we scheduled to be upgraded throughout  Performance Data Collection. SQL conducted a major 2010. Server 2008 provides Performance Studio, which builds on the concepts of database upgrade while CareGroup runs the SQL Server 2008 Database Reports and the Performance databases on Windows Server 2008 in a Dashboard in previous SQL Server they were still connected cluster configuration. “The upgrade went versions. It gives CareGroup an and that there were only very smoothly,” says Shammout. “We integrated way to collect, analyze, experienced just two 30-second outages troubleshoot, and store SQL Server these two little ‘hiccups’ during the entire upgrade process. Our diagnostics information. user community could not believe that we  Resource Governor. CareGroup uses to report.” conducted a major database upgrade while Resource Governor to provide a Ayad Shammout, Lead Technical they were still connected and that there consistent and predictable response to Database Administrator, CareGroup were only these two little ‘hiccups’ to employee usage. CareGroup can define Healthcare System report.” resource limits and priorities for different workloads and ensure that resources are In addition, CareGroup did not have any not negatively affected by poorly compatibility issues when migrating older constructed queries or other unusual databases—those running on SQL Server workloads. 2005 and SQL Server 2000—to SQL Server  Data Compression and Backup 2008. Compression. With these features, CareGroup can store data more CareGroup immediately began taking efficiently by reducing the size of advantage of a number of new and databases and database backups. enhanced features in SQL Server 2008.  Reporting Services. CareGroup uses SQL These include: Server 2008 Reporting Services for fast browsing of reports, particularly long  Data Auditing. SQL Server 2008 reports, by taking advantage of the provides advanced auditing features that caching of initial report pages. Users help CareGroup IT administrators access it through a portal created with monitor events—such as data Microsoft Office SharePoint Server 2007. modifications or who has accessed a database—on both the server and Benefits database levels. By upgrading to SQL Server 2008 on  Transparent Data Encryption. With this Windows Server 2008, CareGroup can feature, CareGroup can encrypt entire maintain a high level of platform availability “The SQL Server 2008 and performance while delivering the Better Security with Enhanced Auditing, enhanced auditing and transparent Encryption auditing feature lets me encryption it needs to better protect its The ability to deliver audits of database data and meet HIPAA and other regulatory activity continues to be a major run an audit report in a requirements. CareGroup is also simplifying requirement for CareGroup. Not only is the process that usually system monitoring with SQL Server 2008 organization’s reputation on the line, but it management features and saving storage can also face monetary penalties if takes between 5 and 15 with compression tools. database information is not properly minutes, instead of the secured. hours or even days it Enterprise-Class Availability “If data is breached, it is not just our Shammout notes that the Microsoft reputation that’s in trouble,” says used to take in the past. Application Platform is delivering powerful, Shammout. “We can also lose money if enterprise-class levels of availability for someone hacks into our system. So for us, It is a huge time saver for CareGroup databases. “Our goal is to have the ability to quickly and easily produce a IT administrators.” uptime of 99.9 percent,” says Shammout. clean audit means a lot.” “The Microsoft platform gives us more than Ayad Shammout, Lead Technical that by consistently delivering ‘four 9s,’ or With the enhanced auditing built into SQL Database Administrator, CareGroup 99.99 percent, and sometimes close to five Server 2008, CareGroup can track all Healthcare System 9s. Since we began the SQL Server upgrade changes to tables and other data elements process, unplanned outages have been in the system, as well as monitor if—and minimal and typically last just a couple of how often—unauthorized attempts are seconds. They are so short and so made to gain access to database infrequent that users don’t even know they information. SQL Server 2008 also provides happened.” centralized auditing, which CareGroup uses to gather information on groups of Between the time that CareGroup began databases instead of requiring upgrading in early 2009 to the end of the administrators to collect that information year, the IT department experienced only one database at a time. one instance of page corruption. “This happened because we briefly lost power Shammout says the most valuable aspect and the database did not shut down of enhanced auditing in SQL Server 2008 is properly,” says Don Wood, Information the ability to look closely at everything Resource Management Manager at from database configurations to individual CareGroup. “We had a mirrored copy of the transactions, such as who is viewing a 2-terabyte database with a clean version of particular medical record or who is the page, and SQL Server 2008 restored the changing the schema of a table. page in a matter of minutes—actually, before we even noticed the error message. “We can also produce reports quickly,” he I have great confidence in deploying says. “In the past, if auditors asked for a mission-critical applications on the report on specific users and how they were Microsoft Application Platform. It is highly using a database, it could take a long time scalable, reliable, and stable.” to collect that information and put it in a spreadsheet. The SQL Server 2008 auditing “With the Data feature lets me run an audit report in a find databases and servers that might be process that usually takes between 5 and violating particular policies.” Compression feature in 15 minutes, instead of the hours or even days it used to take in the past. It is a huge SQL Server 2008 also provides tools, such SQL Server 2008, [one] timesaver for IT administrators.” as Resource Governor and Performance database is now down to Data Collection, which help the CareGroup CareGroup is also benefiting from IT department prevent problems before about 80 gigabytes, or Transparent Data Encryption in SQL Server they occur. 2008. With this feature, database files can more than 40 percent be easily encrypted without requiring any “We have a lot of ad hoc users who write smaller. That saves us code modifications from application their own database queries, and sometimes vendors. “We didn’t feel we could take full those queries are poorly designed,” money on storage, advantage of the encryption feature in Shammout says. “In the past, a badly earlier versions of SQL Server because it written query could have consumed 100 giving us more time required modification on the application percent of the computing resource, before we have to add and on the client side, which was a big blocking other users from getting to the issue for us,” Shammout says. “With SQL database. With Resource Governor, we can more hardware.” Server 2008 we have transparent target bad queries and restrict CPU encryption, so we can easily enforce the capacity and resources so they might, for Don Wood, Information Resource Management Manager, CareGroup encryption of the information in the example, consume only 20 percent of the Healthcare System database itself without making any changes computing resources. Users might see a on the application side.” slowing in performance, but no one gets completely locked out of the database.” Simplified System Management CareGroup IT administrators benefit from New and enhanced tools in SQL Server the new Performance Data Collection tool 2008 help CareGroup manage the in SQL Server 2008. This feature is used to hundreds of databases used across its provide two reports. The first gives an enterprise. For example, CareGroup is using overview of the size of a database, which Policy-Based Management to enforce helps in server capacity planning. The policy and schema across its database second shows the growth of a database infrastructure, including on work performed over a period of time, which helps the IT for the group by external vendors. department develop projections on database growth. “Managing 470 databases is not an easy job without some kind of centralized policy “In the past, we had to spend time management process,” says Shammout. developing and running custom scripts to “Policy-Based Management and related get performance information on our tools in SQL Server 2008 provide a one- databases. Data collection is now built into stop location to evaluate particular policies SQL Server 2008 so I don’t have to write against specific databases to see if there scripts from scratch to collect the are any policy violations that could create information we need to keep operations up security risks. It helps us establish and optimally running,” Shammout says. compliance-based policies and best practices for all databases and lets us easily Time and Cost Savings Shammout says IT department employees SQL Server 2008 that is helping us save are taking advantage of streamlined time and money while providing high reporting and the Data Compression and availability to critical information.” Backup Compression features in SQL Server 2008.

With Reporting Services, the first few pages of a report are cached for immediate viewing. As a result, administrators can quickly read the report without having to wait for a full download, which previously took 15 minutes or longer for very large reports.

The compression features are equally important in saving time and money for CareGroup. “For example, our patient billing database was around 140 gigabytes,” says Wood. “With the Data Compression feature in SQL Server 2008, that database is now down to about 80 gigabytes, or more than 40 percent smaller. That saves us money on storage, giving us more time before we have to add more hardware.”

CareGroup is also experiencing significant reductions in the size of database backup files. In the case of the 140-gigabyte database, its backup file used to be 130 gigabytes. It is now 26 gigabytes, a size reduction of 80 percent. “The reduction in backup file sizes made possible by SQL Server 2008 is huge for us,” says Shammout. “In the past, the process of restoring a backup file of 130 gigabytes might have taken our department six hours or more. With the improved Backup Compression in SQL Server 2008, we can keep three or four nights’ worth of backups on a local disk and, if necessary, restore a backup file in about one hour. The Data Compression and Backup Compression features are part of the large feature set in For More Information Microsoft Server Product Portfolio For more information about Microsoft For more information about the Microsoft products and services, call the Microsoft server product portfolio, go to: Sales Information Center at (800) 426- www.microsoft.com/servers 9400. In Canada, call the Microsoft Canada Information Centre at (877) 568- 2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com

For more information about CareGroup Healthcare System, call (617) 975-6140 or visit the Web site at: www.caregroup.org

Software and Services  Microsoft Server Product Portfolio − Windows Server 2008 Enterprise − Microsoft SQL Server 2008 Enterprise  Microsoft Office − Microsoft Office SharePoint Server 2007  Technologies − Microsoft SQL Server 2008 Reporting Services This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Document published January 2010