
Have you ever kept important emails in your inbox, maybe ones with attachments like your tax return or family photographs? Are there messages you wouldn’t dream of deleting, like an award nomination or a kind note from a friend?
Justin Sivils, business systems analyst lead for Michigan Medicine’s Information Assurance (IA), says many treat inboxes in that way: like digital filing cabinets. “Decisions are made, workflows are hashed out, files are sent, and people just leave it [in their email].”
The risk? Email is one of the main ways cyber criminals try to gain access to sensitive information, which can then be sold for a profit. Sivils compares it to leaving your phone in your car; it’s relatively easy to steal if a nefarious being gazes upon it through the glass. “It’s their favorite tactic. They go there because they know people use email like this.”
These brute-force attacks, Sivils stresses, get access to big files with a lot of data. “Or in this case,” he adds, “patient records.” In 2022, a security event involving patient information prompted Michigan Medicine leadership to launch a review of practices and consider ways to strengthen data protection. Among the recommendations was an email retention policy, which is standard at many institutions but new for Michigan Medicine.
Early discussions considered starting with a four-year limit that would gradually move to two years, allowing time for adjustment. After careful consideration, leadership chose to roll out the two-year policy for all staff at once, aligning with time frames commonly used across many industries.
The new guidelines are simple. Emails older than two years will automatically be deleted. Forever. There’s no secret way to get them back. Based on analysis, Sivils notes, “Emails older than that, people tend to not look at anymore.”
After the business decision was made by Michigan Medicine, IA’s role was to help carry out the policy by ensuring it is applied consistently and correctly across the organization.
Pushback wasn’t surprising. Sivils empathizes with the response and feels most people just needed a sounding board. “After a conversation, they understand why they have to move their ‘[phone] out of their car’,” observes Sivils. “It was unexpected. That’s why we had such a visceral reaction.” While the response was strong, leadership chose to implement the change quickly to keep the organization safe.
For Michigan Medicine, the change is less about deleting messages and more about reducing threats. It’s a reminder that technological habits shape how vulnerable we are.
“IT changes so quickly… it’s deeply integrated into our lives. The impacts [of identity theft] are very real,” Sivils explains. “People can lose their livelihoods … with identity theft if they’re not careful.”
He continues, “For younger generations, technology has always been there. Many of us remember life before the internet at home, but for them, it’s simply part of the world. That makes it easy to forget how fast things can unravel. Security risks don’t just affect millennials, Gen Z, or boomers. Younger people are just as vulnerable. And too often, people think, ‘It can’t happen to me.’”
Now, Michigan Medicine shows a small notice when a user opens a message, alerting them to when it will be automatically deleted. To help staff preserve important emails, Michigan Medicine offers tools like OneNote that help catalog messages, perfect for organizing emails you want to keep, like that heartfelt note or a file you’ll need later.
The new requirement can feel like a loss, but Sivils frames it as a gain: a chance to start fresh.