"Funny but this patient came in to cure her VD and get birth control," according to a Facebook post from a temporary employee of Providence Holy Cross Medical Center in Mission Hills, Calif. It accompanied a picture of a medical record that included the patient's name and date she was admitted, according to local television and newspaper reports late last month. Upon finding out, the hospital promptly launched an investigation and took measures to ensure the temp wouldn't be working there again.
Clearly, this incident demonstrates that social networking sites such as Facebook can be a venue through which employees can commit HIPAA privacy violations. Social networking sites can also cause security headaches for health care CIOs because of the spyware and viruses associated with them.
These and other factors are leading some health care organizations to implement Web traffic monitoring software to improve security as well as employee efficiency.
Users will find a way to get to social media
Attorney and health care social media expert David Harlow, of The Harlow Group, said blocking social media sites doesn't always make sense, especially in this era when hospitals set up their own Facebook pages and Twitter feeds for marketing purposes. "Social media hygiene," or setting up do's and don'ts in a health care social media policy -- along with training and enforcement for those policies -- can be effective in teaching employees how to avoid malware as well as respect patient privacy.
"The individual in Los Angeles who shared patient information inappropriately via Facebook is likely to share it using other channels (including in-person communications)," Harlow told SearchHealthIT.com in an email.
Even when IT departments don't allow sites such as Facebook inside network firewalls, smartphones give employees another means of communicating via social networking sites while on the job, Harlow added. "Shutting off the Internet will not solve that problem. Addressing this issue as a policy, training and ultimately an HR issue will go a long way towards controlling it."
Web traffic monitoring: The long arm of the CIO
Providers are considering Web traffic monitoring software for three business reasons -- to keep employees from wasting company time on personal sites, to assure network security and to track and improve HIPAA compliance.
McKenzie (Tenn.) Medical Center implemented SpectorSoft Web traffic monitoring about a decade ago, upgrading from the CNE version to 360 about six years ago. SpectorSoft 360 logs employee Web site visits, email, IM, chat and searches in internal applications such as electronic health record (EHR) systems. It also includes a keylogger, which tracks what users type.
The monitoring system helps the IT department enforce its Internet usage policy for the productivity and security reasons listed above, and also supplements the health care organization's legal EHR in lawsuits, adding screen shots and other documentation details to the patient record that McKenzie's EHR application can't provide.
"We block Facebook and MySpace here in the clinic. Nobody can get to it," said Don Page, IT manager and security officer for McKenzie, which employs 30 providers -- many of them specialists -- and 300 employees overall.
At first, McKenzie wanted solely to limit employees' personal Internet use. Page's analysis determined during a two-week, before-and-after comparison that blocking social networking sites and certain others -- such as bank sites, where many employees had been paying bills on company time -- saved the medical center $18,000. Better yet, it improved adherence to the clinic's Internet usage policy because it acted as a deterrent.
Now, Page said, the monitoring system is more of a tool for HIPAA compliance investigations. In early January, McKenzie had six open investigations of potential violations; SpectorSoft 360 Web usage audits can "exonerate or condemn" employees during such investigations. HIPAA investigations are precipitated by complaints to the HIPAA officer, who follows up with IT to ask for screen shots or activity logs for the period in question.
"With all the compliance [initiatives] that are coming out, and the teeth they're putting into HIPAA, it's become more important to us to prove that we can monitor this and we can address these HIPAA concerns in a factual and a decisive manner," Page said.
It also helps track entry points for malware. Image searches on Google -- many of them accessed unintentionally during the course of patient care -- are the biggest culprits, he and assistant security officer Nathan Hacker report.
There's one other way Web traffic monitoring can save money. Because SpectorSoft 360 can capture and log screen shots of physicians' activity within the EHR system, it can help draw a more complete and visually sequenced picture of how physicians arrive at care decisions. Currently, Page said, McKenzie is negotiating with liability insurers to reduce premiums because the monitoring system can be used to reinforce providers' claims that they followed typical practice guidelines while defending themselves in negligence cases.
War stories justify need for Web traffic monitoring
When Page and his colleagues discover a violation, the employee's Internet access is shut off until the IT department drops by for a visit to discuss the activity, with a reminder that personal Internet use is forbidden. After a while, most employees give up trying to circumvent Web traffic monitoring, especially when IT staff shows screen shots and keystroke logs that reveal passwords they entered for sites such as their online banking accounts.
However, during Hacker's weekly sweeps of the traffic logs, he still runs into situations McKenzie needs to address.
- One provider used company time and resources such as printers to run a home makeup-sales business from her office.
- A physician who is a college football fan spent hours reading news sites for his favorite team.
- Searches for what Hacker describes as "inappropriate material" (read: porn). Page said one provider who repeatedly searched for such sites mended his ways when Page uncomfortably threatened to review, in person, screen shots of the material he had been browsing. "He didn't want to see that," Page said. "He hasn't done it anymore."
The HIPAA violations they uncover, Page and Hacker said, mostly involve family members -- divorcees checking medical (especially OB-GYN) records of ex-spouses and their new significant others, or rivals within extended families -- and sometimes neighbors an employee might know, as well as local newsmakers such as car accident victims or people in the obituary reports. Parental checks of patients whom children are dating also are popular employee justifications for HIPAA violations.
Employees who knowingly commit HIPAA violations try to fly under the monitoring system's radar by searching the EHR system by provider, birth or appointment date, or some other means that doesn't involve looking up patients by name or patient number.
The most challenging case, Page said, involved an employee looking not at individual patient records but at a physician's schedule -- which includes synopses of which patients have appointments, and why they're coming in -- to illicitly track a particular patient. The IT staff knew the employee was up to something unrelated to his own patient docket and figured out the pattern by following screen shots over time.
"No matter how they search it…there's no way around [the monitoring]. It captures everything a person does," Hacker said. McKenzie's monitoring system, he added, can take screen shots as frequently as once a second or can be customized to take a shot at a particular user action, such as left-click, right-click or "Enter" keystroke.
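As an added illustration (not McKenzie's or SpectorSoft's tooling), the Python example below reviews which records and schedules a user actually reached, so lookups by birth date, appointment date or another physician's schedule are judged the same way as lookups by name. The event fields, care assignments, schedule contents and the `min_views` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data; field names are hypothetical, not a real EHR log format.
EVENTS = [
    {"user": "nurse_a", "action": "open_record", "via": "name", "patient": "P100"},
    {"user": "clerk_b", "action": "open_record", "via": "birth_date", "patient": "P200"},
    {"user": "clerk_b", "action": "open_record", "via": "appointment_date", "patient": "P200"},
    {"user": "nurse_a", "action": "view_schedule", "provider": "dr_x", "day": "2011-01-03"},
    {"user": "tech_c", "action": "view_schedule", "provider": "dr_x", "day": "2011-01-03"},
    {"user": "tech_c", "action": "view_schedule", "provider": "dr_x", "day": "2011-01-10"},
    {"user": "tech_c", "action": "view_schedule", "provider": "dr_x", "day": "2011-01-17"},
]
# Hypothetical care assignments: the patients and providers each user works with.
ASSIGNED_PATIENTS = {"nurse_a": {"P100"}, "clerk_b": {"P300"}, "tech_c": set()}
ASSIGNED_PROVIDERS = {"nurse_a": {"dr_x"}, "clerk_b": set(), "tech_c": {"dr_y"}}
# Patients listed on each provider's schedule for a given day (constructed).
SCHEDULE = {
    ("dr_x", "2011-01-03"): {"P400", "P401"},
    ("dr_x", "2011-01-10"): {"P400", "P402"},
    ("dr_x", "2011-01-17"): {"P400", "P401"},
}

def review(events, assigned_patients, assigned_providers, schedule, min_views=3):
    """Return findings for an investigator to follow up; a finding is a lead, not proof."""
    findings = []
    exposure = defaultdict(Counter)  # user -> patient -> views on unassigned schedules
    for e in events:
        user = e["user"]
        if e["action"] == "open_record":
            # Judge the record that was opened, not the search that found it.
            if e["patient"] not in assigned_patients.get(user, set()):
                findings.append(("unassigned_record", user, e["patient"], e["via"]))
        elif e["action"] == "view_schedule":
            # A schedule view exposes every patient listed on it that day.
            if e["provider"] not in assigned_providers.get(user, set()):
                for patient in schedule.get((e["provider"], e["day"]), ()):
                    exposure[user][patient] += 1
    for user, counts in exposure.items():
        for patient, n in sorted(counts.items()):
            if n >= min_views:  # same patient keeps appearing on schedules the user pulls
                findings.append(("repeated_schedule_exposure", user, patient, n))
    return findings
```
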
Employees get the hint when they see Web traffic monitoring evidence
While Web traffic monitoring might not have been a popular choice at the time of its implementation years ago, there's no pushback from employees now, Page said. It's even part of new-employee orientation, where McKenzie presents the Internet usage policy as a way to protect the employee from getting into trouble with malware or running afoul of compliance mandates.
Page said McKenzie's Internet usage policy does allow employee access to the bill-paying sites, Facebook and others that are blocked, but only during breaks at four computers located in the lunch room, which are connected to the Internet via an outside DSL account separate from the McKenzie network. It's helped the facility balance its needs for security and productivity with employees' wants and needs.
"They can do whatever they want to on those computers, it's not an issue," Page said. "But while they're on the clock and they're on our secured network, then they have to adhere to the policies we have for them to earn a living, to take care of patients and to address business concerns we have."