Posted by: Jenny Laurello
Q&A with Jeani Park, senior director of Product Strategy at SpectorSoft, which specializes in computer, mobile device and Internet monitoring
1. What security challenges do social networking sites like Facebook and Twitter present in the health care setting?
Health care organizations are required to comply with mandates like HIPAA and the HITECH Act that dictate what types of personal information must be kept private. As more employees embrace social networking sites like Facebook and Twitter, the danger of confidential information becoming public increases. For example, in a high-profile incident last year, an employee at Providence Holy Cross Medical Center posted pictures of a patient’s medical record and mocked the patient’s condition. When several of the employee’s Facebook friends informed him he was violating HIPAA, the employee became defensive instead of removing the offensive material.
Violations may be more subtle – sometimes employees may not realize they’re breaking hospital regulations. One such example involves nurses who were eager to leave after 12-hour shifts. Before doing so, they had to access multi-tenant computers to update patient records and notes for the next shift. Instead of waiting, they sent the information via Facebook or LinkedIn on their mobile devices to the nurse handling the next shift. While more convenient than waiting, these nurses had violated HIPAA regulations and hospital procedures.
2. How does BYOD exacerbate security and regulation challenges?
Workers are more connected than ever with the increased adoption of mobile devices and the rise of Bring Your Own Device (BYOD). Since employees can work from virtually anywhere, they are more engaged. Physicians are also using tablets, laptops and other devices when treating patients to gain quick access to vital information. While BYOD has many advantages, it also creates unique challenges. For example, people are usually less cautious when sharing information in an informal setting. While chatting on Facebook, an employee may be more forthright compared to work correspondence. Or they may not pay attention to their surroundings while discussing sensitive information in public via their smart phone or tablet.
Mobile devices also present more opportunities for user error. Caregivers who text, check Facebook and Twitter may be engaged in other activities. As a result, the chances of accidentally sending information to the wrong recipient – either exposing confidential information or failing to get time-sensitive data to the correct person – increase.
Employees using mobile devices and social networking sites are more vulnerable to identity theft. Many employees routinely share information identifying their employer, department, work hours and even details about their boss or patients.
BYOD amplifies many of the security and privacy challenges facing health care organizations. Employers may have limited visibility into their employees’ activities on their own devices. Creating policies that dictate acceptable use is also tricky when they relate to an individual’s private device.
3. What are some best practices for governing use of social media in the workplace?
Some health care organizations have taken a firm stance against any participation in social network sites during work hours. Some hospitals and health care organizations have prohibited employees from logging on to Facebook while at work. Others have created special terminals for personal use during employees’ lunch breaks.
Some best practices include:
- Create risk profiles of your employees, contractors and partners. These profiles, which are based on activity and the individual’s role, help determine which employees might be more likely to share confidential information or violate critical regulations.
- Monitor employees’ activities on social networking sites such as Facebook and LinkedIn.
- Monitor all organization-provisioned devices including laptops, desktops, smartphones and tablets.
- Provide training for employees that outlines key compliance regulations and security risks such as data theft, fraud and identity theft. Share best practices for sharing information on social networking sites.
- When employees engage in improper behavior, use it as an opportunity to stress the organization’s regulations and expected behavior.
With BYOD, monitoring becomes increasingly complex. Health care organizations need to monitor communications and use of protected health information. However, organizations don’t want to save data an employee may be looking up regarding their own personal health care records or billing information.
The juxtaposition of “having” to monitor, record and store data and having huge risk exposure for monitoring, recording and storing other data means that actions/access/applications/data must be handled differently on the same device. There are a number of ways that organizations can avoid monitoring and retaining information that violate their compliance or corporate mandates. These include:
- Create policies that don’t capture information or screen snapshots if certain information is contained therein, such as social security numbers, salary data or private health information.
- Run monitoring products only on applications, systems or data that is explicitly specified to be monitored. For example, sandbox corporate applications on mobile devices and only run monitoring products on the user activity that is sandboxed.
- Create screen log-in notices reminding employees they are logging into and using corporate-owned devices and that all activity and subsequent data they access and use on these devices is subject to monitoring.
- Block access to websites, systems and applications that contain sensitive data that companies don’t want to see or manage.
4. How should employers track employees’ social network usage and address concerns?
Organizations utilizing user activity monitoring can track and record employees’ actions in real time. With user activity monitoring, organizations can monitor, capture and analyze all user activity on the employee’s device, including chat and instant messaging and websites visited. Organizations can also set up keyword alerts that trigger a notification when certain phrases or data are entered on the employee’s system.
User activity monitoring also enables organizations to achieve a broader perspective of employees’ actions. By analyzing their actions in context, employers can gain deeper understanding of what the employee was doing. In some instances, employees accused of a HIPAA violation have been re-accused after their employers have reviewed the transaction records.
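As an added illustration, not SpectorSoft's product and not code from the interview, of the capture-scoping practices listed under question 3 (monitor only sandboxed corporate applications, never retain captures containing social security numbers or an employee's own health or billing data) together with the keyword alerts described above: a small capture-policy filter. The event shape, application names, term lists and sample events are all assumed or constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class CaptureEvent:
    """Hypothetical shape of one record a monitoring agent captured."""
    app: str    # application the activity came from
    text: str   # captured text (typed input, chat message, page content)

# Only explicitly specified (sandboxed corporate) apps are monitored at all.
MONITORED_APPS = {"corp-ehr", "corp-mail"}

# Content that must never be retained, even from a monitored app.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EXCLUDED_TERMS = ("salary", "my own record", "billing statement")

# Phrases that should raise a compliance alert when they are entered.
ALERT_TERMS = ("patient record", "diagnosis")

def apply_capture_policy(event: CaptureEvent) -> dict:
    """Decide what happens to one capture: drop, suppress, or store (with optional alert)."""
    if event.app not in MONITORED_APPS:
        # Outside the sandbox is personal use: the agent keeps nothing.
        return {"action": "drop", "alert": False}
    lowered = event.text.lower()
    if SSN_RE.search(event.text) or any(t in lowered for t in EXCLUDED_TERMS):
        # Retain only the fact that a capture was suppressed, never its content.
        return {"action": "suppress", "alert": False}
    return {"action": "store", "alert": any(t in lowered for t in ALERT_TERMS)}

def process_events(events):
    """Apply the policy to a batch; return (stored_texts, suppressed_count, alert_count)."""
    stored, suppressed, alerts = [], 0, 0
    for ev in events:
        verdict = apply_capture_policy(ev)
        if verdict["action"] == "store":
            stored.append(ev.text)
            alerts += int(verdict["alert"])
        elif verdict["action"] == "suppress":
            suppressed += 1
    return stored, suppressed, alerts

# Constructed sample events, not real captures.
SAMPLE_EVENTS = [
    CaptureEvent("facebook", "looking at my own record 123-45-6789"),        # personal app: dropped
    CaptureEvent("corp-ehr", "updating notes for bed 4, SSN 123-45-6789"),   # PHI: suppressed
    CaptureEvent("corp-mail", "Forwarding the patient record to next shift"), # stored, alert raised
    CaptureEvent("corp-ehr", "Shift schedule for Tuesday"),                   # stored, no alert
]
```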
5. What are the benefits of social media usage? How can health care organizations better harness its power?
Twitter, Facebook and other social networks present incredible opportunities to build and participate in communities, engage with key constituencies and increase awareness. In the health care setting, social media platforms are an avenue for promoting programs, highlighting good news and responding to questions from patients and the surrounding community. Employees can also serve as powerful ambassadors. An engaged, knowledgeable employee reflects positively upon her employer. Hospitals and health care organizations hoping to harness the power of social media should work closely with employees, discussing best practices and outlining the types of information that should never be shared in social networking or in general. By doing so, organizations can reduce potential social media mishaps. As social media continues to take hold, it’s not realistic to completely crack down on all forms of social networking. While employees may not go on Facebook at work, many will still be active on the site during their off-hours, and regardless of where they are, sharing confidential patient information is a serious issue.