Controlling e-mail chaos

The hospital relies on e-mail to transmit patient test results to doctors, coordinate the schedules of residents and staff, and send intensive-care unit alerts to the pagers of physicians and nurses. Physicians, residents and others use e-mail to collaborate.

“E-mail is a mission-critical application here,” says Jim Brady, e-mail administrator at Cedars-Sinai.

While it’s not news that e-mail has become a crucial part of business, what has changed is the sheer quantity of valuable business information that is being shared and stored exclusively as electronic mail.

“E-mail has taken over as the dominant way that employees and organizations exchange information. In the past, e-mail was how information about a meeting or the company picnic was distributed. But today, e-mail is the way all employees transact real business,” says Randolph Kahn, founder of Kahn Consulting Inc. in Highland Park, Ill.

But mixed with all of that critical data are volumes of junk mail and worse: spam, viruses, personal notes and potentially offensive content. Along with cuts in productivity, there are the risks of corruption, deletion or theft of corporate e-mails containing valuable business data, as well as the accidental leakage of embarrassing or legally damaging content. E-mail can also put a company in jeopardy of lawsuits or fines for not complying with government and industry regulations.

According to IT managers and industry experts, there are three key technologies that few organizations can be without: antispam and antivirus defenses for screening incoming mail; outbound filtering and encryption to evaluate and protect outbound content; and archival software to ensure that e-mail containing intellectual property or addressing topics covered by government or industry regulations is retained in case of future need.

Organizations need inbound e-mail filtering software to catch spam, viruses and other junk mail before they clog or damage servers and desktops. Spam and virus protection usually starts at the network perimeter, either provided by an outsourced service provider or installed at the organization’s Internet gateway. It’s also a good idea to have antivirus software on e-mail servers and desktops, to guard against viruses that arrive on floppy disks, CDs and USB drives.

The 12,500 e-mail users at Cedars-Sinai are protected by IronPort Systems Inc.’s e-mail security appliance installed on the hospital’s e-mail gateway. The IronPort device has its own virus and spam filters, as well as Sophos PLC’s Anti-Virus and Symantec Corp.’s Brightmail AntiSpam software.

Because spammers have learned to evade traditional content-based spam filters, products like Brightmail combine multiple technologies, including heuristic analysis of the content, filters to detect URL masking, and reputation-based filtering of mail from suspect servers. IronPort also uses a reputation service to catch spam and viruses.

“If a piece of spam comes in from an IP address with a known bad reputation, it gives it a bad score,” explains Brady.

In the past, Brady’s team employed a spam filter that deleted mail tagged as spam. But staffers complained that legitimate e-mail was being lost. With the current approach, spam is quarantined on the appliance and users get a list of suspected spam e-mails that they can opt to save, delete or ignore. To block viruses at the gateway, the hospital uses Sophos antivirus software on the IronPort appliances, as well as IronPort’s SenderBase Network service. SenderBase collects data about Internet e-mail traffic in an effort to find new virus outbreaks.
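The layered scoring and quarantine approach described above can be sketched as follows. This is an added example, not code from the article or from any product it names; the reputation table, phrase list, weights and threshold are constructed assumptions.

```python
import re

# Constructed sample data: documentation-range IPs and made-up weights.
BAD_REPUTATION = {"203.0.113.45": 60, "198.51.100.7": 35}  # stand-in for a reputation service
SPAM_PHRASES = ("act now", "no prescription", "wire transfer")
MASKED_LINK_WEIGHT, PHRASE_WEIGHT, QUARANTINE_AT = 40, 15, 50  # assumed values

LINK = re.compile(r'<a\s[^>]*href="https?://([^/":]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def masked_links(html):
    """Links whose visible text names one host while the href points to another."""
    found = []
    for real, text in LINK.findall(html):
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != real.lower():
            found.append((shown.group(1).lower(), real.lower()))
    return found

def classify(sender_ip, html_body):
    """Combine the three signals into one score; the worst verdict is quarantine, never delete."""
    score, reasons = 0, []
    rep = BAD_REPUTATION.get(sender_ip, 0)
    if rep:
        score += rep
        reasons.append("sender reputation")
    hits = [p for p in SPAM_PHRASES if p in html_body.lower()]
    if hits:
        score += PHRASE_WEIGHT * len(hits)
        reasons.append("content: " + ", ".join(hits))
    if masked_links(html_body):
        score += MASKED_LINK_WEIGHT
        reasons.append("masked URL")
    return ("quarantine" if score >= QUARANTINE_AT else "deliver"), score, reasons

def quarantine_digest(messages):
    """Subjects held back for the user to save, delete or ignore."""
    return [m["subject"] for m in messages
            if classify(m["ip"], m["body"])[0] == "quarantine"]

SAMPLE = [  # constructed messages
    {"ip": "203.0.113.45", "subject": "Act now", "body": "Act now for cheap meds"},
    {"ip": "192.0.2.10", "subject": "Account notice", "body":
     'Confirm your wire transfer at <a href="http://login.example.net/x">www.examplebank.com</a>'},
    {"ip": "198.51.100.7", "subject": "Lab results", "body":
     'Results posted on <a href="https://intranet.example.org/labs">intranet.example.org</a>'},
]
```

The third sample shows why signals are combined: a moderately bad sender reputation alone stays under the threshold, so the message is delivered rather than held.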


Jerry Hook, a systems manager at University Health System Inc. in Knoxville, Tenn., uses CipherTrust Inc.’s IronMail to scan e-mail sent by the hospital’s 4,200 employees. The antispam product’s Compliance Profiling engine allows Hook to define outgoing content that’s unacceptable or that requires encryption. The software can block or encrypt messages, depending on content and policy.

“Patient health information has to be encrypted before it’s sent over the Internet, according to HIPAA,” says Hook, referring to the U.S. Health Insurance Portability and Accountability Act. “We have a dictionary specific to HIPAA that CipherTrust uses to scan Internet mail.”
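A dictionary-driven outbound policy of the kind described above, deciding whether Internet-bound mail is delivered, encrypted or blocked, might look like this. It is an added example, not CipherTrust's implementation; the internal domain, both dictionaries and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "hospital.example"  # assumed internal mail domain
ENCRYPT_DICTIONARY = [  # constructed stand-in for a HIPAA dictionary
    r"\bpatient id\b", r"\bdiagnosis\b", r"\bmrn\s*\d{6,}\b", r"\b\d{3}-\d{2}-\d{4}\b"]
BLOCK_DICTIONARY = [r"\binternal use only\b"]  # constructed "unacceptable content" rule

def _text(msg):
    """Subject plus every text/plain part of the message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)

def _matches(patterns, text):
    return [p for p in patterns if re.search(p, text, re.I)]

def evaluate(raw_message):
    """Return (action, matched_rules); action is deliver, encrypt or block."""
    msg = message_from_string(raw_message)
    rcpts = [addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.endswith("@" + INTERNAL_DOMAIN)]
    if not external:  # the policy only covers mail leaving for the Internet
        return "deliver", []
    text = _text(msg)
    blocked = _matches(BLOCK_DICTIONARY, text)
    if blocked:  # unacceptable content wins over encryption
        return "block", blocked
    sensitive = _matches(ENCRYPT_DICTIONARY, text)
    if sensitive:
        return "encrypt", sensitive
    return "deliver", []

def sample(to, body):
    """Build a constructed test message."""
    return f"From: nurse@hospital.example\nTo: {to}\nSubject: Follow-up\n\n{body}\n"
```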

Encryption has been slow to take hold. A report from IDC reveals that companies have not made much use of it, even though many e-mail products include encryption capabilities. But the increase in privacy regulations is fueling interest in encryption technologies. Of course, IT managers can’t block or encrypt messages that don’t go through the corporate e-mail system.

To prevent employees from sending e-mail out via their personal accounts, drug research firm Kalypsys Inc. in San Diego blocks certain e-mail protocols and Web sites, including Internet Message Access Protocol, Post Office Protocol, Hotmail and Yahoo Mail. Kalypsys uses Websense Inc.’s Enterprise URL and protocol-blocking software, as well as individual port blocking. The main reason for preventing the use of personal e-mail, says John Graf, associate director of IT at Kalypsys, is to protect the company’s intellectual property.

“Our hope is that if any intellectual property is taken and sent, we’ll at least have a record of that,” explains Graf. “If we ever defend a patent, we can trace how it got out of the company.”

The days when the IT department could merely purge the e-mail server of all messages over 60 days old, without regard to their value, are long gone. Retention of records, including electronic ones, is a legal requirement for business and government alike. According to a 2005 study by Enterprise Strategy Group Inc., e-mail has become the most frequently requested type of business record by courts and regulators. The report, “Digital Archiving End-User Survey & Market Forecast 2006-2010,” found that 77 per cent of firms involved in an electronic data discovery request have been asked to produce e-mails as part of a legal or regulatory proceeding.

Kalypsys archives all inbound and outbound messages in Quest Software Inc.’s Archive Manager. Graf says archiving is valuable not only in order to defend a patent, but also to stay in compliance with FDA rules, the Sarbanes-Oxley Act and other regulations that require the retention of e-mail.

Companies often have irreplaceable business documents — contracts, partnership negotiations, possible new product strategies — stored as e-mail. If those messages and attachments are not archived in a centrally managed location, the odds are high that they’ll be deleted or simply lost in the local storage of hundreds of company desktops.

“IT departments that blow away the contents of the e-mail systems create liability and risk and prevent the company from actually running its business,” says Kahn, adding that he has seen a surge in companies implementing e-mail retention policies and systems over the past two years. Even routine e-mail messages can become quite valuable as a repository of the company’s working knowledge base.

Hildreth is a freelance writer in Waltham, Mass.