Kaiser Permanente jolted by mass-email
Compliance, Email, Risk Management | April 27th, 2007

The Wall Street Journal this week featured a front-page article titled “How an Email Rant Jolted a Big HMO”, a story about a whistleblower email at Kaiser Permanente.
One Friday last fall, a junior staffer at the healthcare giant sent an email tirade to all of the company’s employees that was highly critical of Kaiser’s executive management team and their handling of the HealthConnect project.
I am not going to comment on the contents of the email or the complicated dynamics and ethical dilemmas surrounding whistleblower tactics. Regardless of the validity of the claims, the Kaiser story highlights an important issue: companies must do more to protect their email infrastructure from being hijacked for unauthorized (mass) communications.
Most companies still greatly underestimate the risks of unmonitored and unguarded email. The possible exposure ranges from legal risks due to harassment claims and regulatory liabilities, to direct economic impact and shareholder loss caused by leakage of confidential data or dissemination of unofficial, insider information. In Kaiser’s case, the impacts were manifold:
“After the message hit, Kaiser sprang into action to assess the damage and figure out a response. Since the missive was sent on a Friday, it went unread by many employees who had left for the weekend. Kaiser’s IT staff scrambled to delete it before workers returned to their desks — but with little success. By Monday, the mass mailing had reached an estimated 120,000 computers at the company. It had also leaked into cyberspace.”
“One stock analyst says that Kaiser’s tribulations could alter the competitive landscape for IT vendors.”
“That article prompted the California watchdog agency that oversees managed health care to send Kaiser an inquiry letter in January about HealthConnect’s reliability.”
There is one detail of the story that I found particularly troubling: the employee went to considerable effort to gain access to the firm’s address list. Like many companies, Kaiser disables send-all access so that users cannot simply email every employee. Instead, the employee installed an address-harvesting program on his company computer (probably violating numerous IT policies in the process) and built his own mailing list.
The simplicity of this workaround shows that better security mechanisms are required. Disabling the send-all list removed a convenience, not a capability: the mail system still accepted a message from a single user account addressed to the entire company, and by Monday it had reached an estimated 120,000 computers. Companies need to deploy solutions that prevent this type of user behavior by providing comprehensive monitoring and enforcement for email and instant messaging, at the mail gateway where the recipient volume of every outbound message is visible, not only at the directory level where the distribution list lives.
Technorati Tags: email risks, email monitoring, policy management, kaiser permanente