
Question

1) How serious was this email security breach? Why did the Kaiser Permanente leadership react so quickly to mitigate the possible damage done by the breach?

2) Assume that you were appointed as the administrative member of the crisis team created the day the breach was uncovered. After the initial apologies, what recommendations would you make for investigating the root cause(s) of the breach? Outline your suggested investigative steps.

3) How likely do you think future security breaches would be if KP did not take steps to resolve underlying group and organizational issues? Why?

4) What role should the administrative leadership of KP take in ensuring that KP Online is secure? Apart from security and HIPAA training for all personnel, what steps can be taken at the organizational level to improve the security of KP Online?

Cite references for your answers from other breach instances that have occurred.

CASE 14: BREACHING THE SECURITY OF AN INTERNET PATIENT PORTAL

[...] introduced an [...] (KP Online). Members can use KP [...] refills, obtain health care service information, [...] in patient forums.

INFORMATION SYSTEMS CHALLENGE

In August, there was a serious breach in the security of the KP Online pharmacy refill application. Programmers wrote a flawed script that concatenated over eight hundred individual e-mail messages containing individually identifiable patient information, instead of separating them as intended. As a result, nineteen members received e-mail messages with private information about multiple other members. Kaiser became aware of the problem when two members notified the organization that they had received the concatenated e-mail messages. Kaiser leadership considered this incident a significant breach of confidentiality and security. The organization immediately took steps to investigate and to offer apologies to those affected.

On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis team was formed. The crisis team began a root cause analysis and a mitigation assessment process. Three days later Kaiser began notifying its members and issued a press release.

The investigation of the cause of the breach uncovered issues at the technical, individual, group, and organizational levels. At the technical level, Kaiser was using new web-based tools, applications, and processes. The pharmacy module had been evaluated in a test environment that was not equivalent to the production environment. At the individual level, two programmers, one from the e-mail group and one from the development group, working together for the first time in a new environment and working under intense pressure to quickly fix a serious problem, failed to adequately test code they produced as a patch for the pharmacy application.

Three groups within Kaiser had responsibilities for KP Online: operations, e-mail, and development. Traditionally these groups worked independently and had distinct missions and organizational cultures. The breach revealed the differences in the way groups approached priorities. For example, the development group often let meeting deadlines dictate priorities. At the organizational level, Kaiser IT had a very complex organizational structure, leading to what Collmann and Cooper (2007, p. 239) call "compartmentalized sensemaking." Each IT group "developed highly localized definitions of a situation, which created the possibility for failure when integrated in a common infrastructure."

Step by Step Solution

Step: 1

Answer 1: The email security breach at Kaiser Permanente (KP) was considered serious because it resulted in the unauthorized disclosure of individually identifiable patient information to nineteen member...
