Outsourcing - Processing of Sensitive Information
San Francisco Gate
Kaiser exporting privacy
David Lazarus 
May 14, 2003

Oakland's Kaiser Permanente reported some mighty impressive numbers the
other day -- quarterly profit of $301 million on revenue of $6.2 billion.

Even so, the health care provider is quietly outsourcing costly computer
operations to companies in India, and workers in Northern California are
worried that their jobs could be next to go.

Moreover, Kaiser's 8.3 million members and thousands of other employees may
have additional reason for concern. Included in the information being made
available to Indian techs-for-hire are:

-- Patients' medical data, including lab results and drugs being taken.

-- Members' personal information, including financial records and home
addresses.

-- Payroll information for 135,000 Kaiser employees and 11,000 physicians,
including salaries, benefits and Social Security numbers.

"It's a disaster waiting to happen," said Beth Givens, director of the
Privacy Rights Clearinghouse, a San Diego nonprofit. "After all, who
regulates these companies in India? People should be extremely wary of the
possibility of fraud."

Kaiser tech workers voiced similar worries. "If I was a patient, I'd be
really worried about my information going offshore," one told me. "And
employees should be worried about their Social Security numbers. Think of
the potential for identity theft."

To be fair, many U.S. companies out-source high-tech and customer-service
operations both at home and abroad. Half the Fortune 500 is said to make use
of India's well-educated, English-speaking and significantly lower-paid
workforce.

Within five years, according to a recent study, Indian outsourcing firms
will comprise a $21 billion industry, employing 1.2 million people.

Yet it's one thing for telecom giant SBC, for example, to out-source online
tech support for Internet subscribers, and quite another for one of
America's largest health care providers to open the door on members' and
employees' medical and financial records.

Garry Hurlbut, Kaiser's vice president of information technology, stressed
that the company's data will remain in Kaiser's own computers. But he
acknowledged that nearly a half-dozen Indian outsourcing firms will have
remote access.

"A lot of others were doing offshore work before we got interested," Hurlbut
said. "We're only working with the most reputable companies."

He added that overseas technicians are granted only limited access to
systems depending on maintenance required. However, access will increase in
the future as more of Kaiser's tech operations are transferred abroad.

"We're trying to move a good part of system maintenance offshore and free up
employees for new opportunities," Hurlbut said.

At least 160 tech workers so far have been reassigned to new gigs within the
company as a result of the outsourcing. To date, no one's gotten the ax.

Still, workers at Kaiser's Walnut Creek computer center are increasingly
anxious about their future. "Morale is very low," one worker said.

Employees' concerns have been exacerbated by the fact that nearly three
dozen Indians from one outsourcing firm -- New Delhi's HCL -- are now at the
computer center learning the various systems.

Kaiser workers have been instructed by supervisors to make time over the
next few months to train the Indians in nearby conference rooms. The Indians
will then go home and train others at their firm.

"They're very quiet, very polite," one worker said. "But they're not dumb.
They know what's going on."

I'm not suggesting that Indian techies are less reliable or trustworthy than
their American counterparts. Dell Computer, for one, is so pleased with its
Indian partners that the company has moved the bulk of its tech support to
the subcontinent.

What I do take issue with, though, is the growing trend of American
companies shipping jobs overseas for the sake of saving a few bucks. The
U.S. unemployment rate climbed to 6 percent last month.

Customer-service representatives at call centers in the United States make
as much as $12 an hour. Their Indian counterparts, who frequently are told
by employers to conceal their whereabouts from callers, make about a third
of that amount.

According to an internal memo distributed to Kaiser tech workers, an
American contractor might charge the company up to $85 an hour, while an
Indian outsourcing firm can do the same work for as little as $20 an hour.

"We must operate as a business as well as a caring organization," the memo
says. "By gaining access to highly trained professionals at a greatly
reduced rate, Kaiser Permanente can become better stewards of our members'
dollars and get a better return on our investment in technology."

It adds: "Although there are no long-term guarantees, (Kaiser) is not
planning to eliminate employee positions due to our use of offshore
resources."

Claire Holmes, a Kaiser spokeswoman, said that affected workers are given 90
days in which to find a new position within Kaiser. If no such position
opens up, she said workers will be offered severance packages based on the
amount of time they've been with the company.

"Everyone feels trapped," one worker told me. "We have to cooperate with
what management is doing because there's no other IT work out there. But we
know our jobs are on the line."

Holmes was more upbeat about the situation.

"Nobody likes to be forced into change," she said. "But we're pretty happy
with the results at this time."
Computerworld (05/05/03); Verton, Dan

IT professionals attending last week's Techno-Security Conference
expressed concerned about the security risks of U.S. companies
outsourcing software development and other essential IT services to
countries where labor is cheaper. Attendees were especially concerned
with the outsourcing of IT work to China, which has a reputation for
economic espionage directed toward U.S. technology, as well as to
Southeast Asian countries that are known to shelter terrorist
networks. "Whether you like it or not, our national secrets are
already being preserved by people who built these parts of the core
infrastructure, and they're not U.S. citizens," conceded Oracle chief
security officer and conference panelist Mary Ann Davidson. She also
pointed out that there is no reason to think that American workers
pose any less of a security risk. Northrup Grumman chief information
assurance officer Tim McKnight recommended that companies make a
sizeable financial investment to deploy a comprehensive system for
ensuring the trustworthiness of offshore outsourcers. As a former
security officer at Cisco Systems, he saw firsthand how the company
sent teams overseas to monitor outsourcers' activities and carry our
risk assessments. Most conference attendees expressed doubt that
software companies are able or willing to make thorough background
checks of foreign coders. The fact that few U.S.-based companies check
the backgrounds of their own staff makes such an attitude typical,
said Alta Associated CEO Joyce Brocaglia.

http://www.computerworld.com/managementtopics/management/outsourcing/story/0,10801,80935,00.html


http://www.computer.org/computer/sp/articles/sch/
http://www.wallstreetandtech.com/story/inDepth/WST20030619S0004
http://asia.cnet.com/itmanager/project/0,39006404,39123587,00.htm