Crafting a Social Media Security Policy
Hospitals are finding it essential to use social media for educational and marketing purposes. But they must create detailed social media security policies to help ensure personal health information never gets posted, says Sharon Finney, corporate data security officer at 37-hospital Adventist Health System.
In an exclusive interview, Finney outlines how Adventist created a security policy governing its hospitals' use of Facebook, MySpace and Twitter. She describes how the organization:
- Incorporated methods used by other corporations and healthcare organizations;
- Created a diverse team to fine-tune the policy and present it to the board of directors;
- Crafted an educational program for all staff members and established sanctions for violating the policy; and
- Utilized Web filtering and data loss prevention technology to help monitor staff use of social media and prevent patient information from being posted.
Finney joined Winter Park, Fla.-based Adventist two years ago after previously serving as a technical consultant for 18 years. She has crafted a comprehensive risk management program for Adventist's hospitals and clinics.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Sharon Finney, corporate data security officer at the 37-hospital Adventist Health System. Thanks so much for joining us today Sharon.
SHARON FINNEY: Thanks Howard, I appreciate it.
ANDERSON: We want to discuss with you today your efforts to create security policies for the use of social media. So first, tell us a bit about why Adventist decided to use social media and how it determined who it would permit to use it.
FINNEY: Adventist is very progressive in its adoption of new technology both on the clinical and the business side of our organization...I don't know of an industry that is better suited to the appropriate use of social media given that the business that we are in is really about connecting people together....I mean there is just a broad spectrum of uses for this social media world.
As we looked at how social media was progressing, we started looking at the potential uses from both a business and a clinical perspective...and then we began to also look at how we would want this used in our environment, whose role or function within our organization would be appropriate for the use of this type of technology. Frankly, we evaluated it the way we evaluate every technology that we look at. Does it have a business or a clinical use in our environment, and if it does, what are those uses? What are the risks associated with adopting the technology? That is probably where social media deviates from the standard model in that it does represent some additional risks.
So that is really how we went about it. It was a very methodical, practical business approach to assessing the technology and its use and who could potentially benefit from it within our organization.
ANDERSON: So what social media options is Adventist using today and for what purposes?
FINNEY: A lot of our hospitals are starting to create their own online presence or online identity through Facebook and MySpace, and we do have some hospitals that have Twitter sites that they utilize to communicate various things to certain communities. And we are beginning to look at how we would also deploy this for education opportunities, particularly in things like diabetes education, cancer education, where it is very beneficial to not only connect the clinicians with the patients but also patients with patients.
You can use social media to create a very positive, very motivating sort of support infrastructure around those healthcare issues that those specific patients face every single day. It creates quite a collaboration on their part and a support group. So we are starting to look at how we implement Facebook or Twitter to allow those types of connections as well.
ANDERSON: When it comes to social media, what do you perceive as the biggest security risk?
FINNEY: Any technology that you implement today in any business can be misused, and I don't think social media technologies are any different. There are always going to be risks. These are very public-facing, publicly accessible sites, so there is always the risk for things to be unintentionally posted or for individuals who may not have the best interest of the group or the organization at heart to gain access to these types of sites....
Most of your security incidents today are unintentional and really more due to a lack of education about the technology that is being used. So we concern ourselves more with how do we educate people and how do we try to ensure that the sites and these types of technologies are used in the most appropriate fashion.
But I think the biggest security risk we have is personally identifiable patient information being posted out there either unintentionally...or intentionally....
ANDERSON: I understand you created a team that spent more than six months crafting security policies for social media. How did you decide who was on the team? And tell us a bit about the process of creating a consensus.
FINNEY: I've got to tell you, the creation of this policy and the implementation of this technology really forced us to bring together many different people in the same room that had not necessarily collaborated this extensively in the past, because of the far-reaching aspects of this type of technology....So those who we pulled together to initially begin to look at this were our corporate PR communications and marketing team, our legal team, members from our compliance group, risk management, data security, information systems, and then we had some individual leadership from our hospitals that also participated so that we could get a good field perspective of how this would be utilized.
So it was a fairly extensive group of people. As you can imagine, that diverse a group had many different perspectives on how this technology could be used and potentially misused in the environment. But I think that what we came up with after we hashed through it was really a good policy and a good foundation for how we proceed with developing and utilizing this technology.
The process that we really went through is a fairly standard process for us when we go through a policy development, and I utilized many different resources. I looked, of course, to the Internet. There are many organizations today that have already adopted this technology, who are already heavily vested in the use of it. Now many of those groups don't necessarily have the regulatory issues that we have to deal with, and I think that is probably one of the largest differentiators when I looked at various organizations. I looked at IBM and Hewlett Packard and Microsoft and Dell. I looked at healthcare organizations such as the Mayo Clinic and Columbia University....
So I brought together a lot of information about what those organizations had attempted to do relative to policies and standards regarding this technology, and I took sort of the best pieces of each of those and developed a draft of our policy and our standard. It is quite extensive. The policy itself is about six pages long. The standards are about seven to eight pages long. So it's not a small policy or a small standard by any means.
And then at that point I convened this diverse group of expertise and presented the draft to them. We went through and covered the draft and the standards from all those aspects of all those different groups and honed this down to a document that was very useful in our environment.
At that point, once we had achieved what we felt like was a good, solid beginning and had achieved a consensus on what we felt like all the concerns and the issues might be, we then took that and presented that to our corporate compliance steering committee and ultimately our corporate compliance board for final approval and adoption. So this was seen all the way up the chain of our organization, right from management within our hospitals to corporate leadership, all the way up to our board of directors. So there was substantial support and buy-in at all levels of the organization, which I think is very critical for the adoption of this type of technology.
ANDERSON: Could you summarize some of the highlights of the security policy?
FINNEY: In our policy, we specifically state that this is not a technology or a forum that is suited for sharing of personally identifiable information of any type, whether that's healthcare related, or even your own personal information. That was one of the foundations of our use of social media: that it is not a forum for sharing that type of information. This is a forum for sharing and communicating information that is general in nature and related to healthcare today.
It is to be used to help further knowledge and understanding of...what our hospitals' product and service offerings are...and a forum for the general community to ask questions and post comments or concerns about our facilities and experiences that they've had. But it is definitely strictly prohibited for the use of sharing information that is of a personal nature, or specific to any individual patient. That is in our policy.
The standards really function as more of an "appropriate use" document, and we decided that we wanted to take sort of a "do's and don'ts" approach. First, we started to define what we really expect people to do on these types of sites. We want people to be diligent in understanding that when you post to these sites as an Adventist employee, you are representing Adventist. You should refer to our core code of conduct and code of ethics that all of our employees are educated on upon orientation within our organization.
Then we did the standard "don'ts," such as don't ever misrepresent yourself. Realize that this is an online persona -- we define what that is in the policy and the standard....Although our policy and standard is extensive...we took a very simplistic approach to say, "Here are the things we want you to do and here are the things that are very definitive don'ts when you are functioning in an online capacity."
Frankly, these are the standard do's and don'ts that I would tell anybody, whether you're using social media from a personal perspective or professional perspective. You want to be very careful about...how you present yourself in an online capacity today.
ANDERSON: How are you going about educating staff about the policy, and did you set penalties for violations?
FINNEY: Anytime you have a policy there have to be sanctions for violations....We drove the sanctions through our standard Human Resources process. If an incident occurs...then our process for dealing with that sanction is to engage the local human resources representative, local management of the hospital, as well as corporate facilities to evaluate the situation. An evaluation has to occur about whether or not an incident was intentional or unintentional. Intent has to play a large part in evaluating the sanctions that need to be applied in any particular situation, whether it's related to social media or not.
ANDERSON: How are you going about monitoring how members of the staff are using social media?
FINNEY: Well, we have several monitoring capabilities here. The first is, of course, we have our standard Internet monitoring that we do. We do that on all Internet traffic. It is...Web filtering technology that looks for a variety of key words, both in content and conceptual fashion. Does it look like confidential information or patient information might be leaving our facility? And we have the ability at that engine to look at that and take appropriate action.
We also are in the process of deploying our data loss prevention technology on our perimeter. It gives us more in-depth insight into what is passing across the Internet, and a much more proactive approach to how we deal with this....It has very extensive filtering and monitoring capabilities. But what it also provides us is the ability to take action at the point that the device sees something.
So instead of being more reactive, we are going to take much more proactive approaches, particularly where this tool identifies that it could be potentially confidential or patient information that might be passing out of the facility. That will create rules that either warn people or give them a little reminder at the point of use.
We may choose to completely block a message and notify the user or the sender of the information that they need to contact data security or information services. We may use some alerting for different types of risk scenarios. As we see what is occurring in the environment, we're going to make adjustments and we're going to tweak the monitoring of the tool.
Then lastly, we are investigating certain types of web crawling software and services that would particularly allow our marketing and PR and communications folks to crawl the web on a regular basis, look at various information being put out on the general Internet about our hospitals' products and services and those types of things. So we will most likely be implementing some of those types of technologies or services in the near future as well.
ANDERSON: Any final advice you would give to other organizations on how to address the security issues involved in social media?
FINNEY: Don't let the hype of this let you think that this is different from any other technology that you have dealt with as an organization. I think it is a very necessary tool in the business world today. It has some very distinctive qualities that make it conducive for a healthcare organization to utilize it from a community education and outreach perspective.
Organizations need to determine what their capabilities are to manage and handle a technology, because I don't think that we can underestimate either the value or the risk that this type of technology presents. Again, take a very practical business approach to evaluating it....You cannot block the use of this by individuals, patients, employees or others. They are going to use it within your walls or they're going to go outside of your walls and use it, but either way, social media is here. It is a technology that is going to continue to infuse both our personal and our business and professional lives from this point forward.
My strong advice to any organization today is to evaluate it and communicate to your employees what your expectations are from a professional perspective. Be very clear with them that this is not an intent to dictate their private or personal use of this type of media or technology, but that, from a business perspective as a representative of their organization, this is what is expected....
I think it is much better to be proactive and communicate and educate than it is to be reactive and discipline and sanction on the back end. That is a very negative approach....
ANDERSON: Well thanks Sharon. We've been talking today with Sharon Finney of Adventist Health.