Social Networking Poses Security Risks

Mitigate the risks using policy, training and technology.


The healthcare industry is especially vulnerable to computer security risks, including data breaches that expose confidential and sensitive information. The U.S. Department of Health and Human Services (HHS) recently began posting data breaches online. When a breach of unsecured protected health information affects 500 or more individuals, practices and other health care entities -- or their business associates -- are required to notify the HHS Office for Civil Rights (OCR), and, when more than 500 residents of a state are affected, the media. HHS then posts a list of these breaches online.

HHS started listing the breaches on its website in February, then updated the list in April. The 64 reported incidents affected 1,243,815 individuals.

Of course, this is the tip of the iceberg: only breaches that reach the 500-individual threshold appear on the list. But the HHS reporting requirements and public disclosure of breaches demonstrate how pervasive the security risks are -- and how failure to control them results in public relations damage, legal exposure and other costs.

In the past few years, social media has added an entirely new dimension to data security risks. Although an all-out prohibition might seem to be the simplest way for hospitals and other healthcare providers to deal with the security risks of employee use of social media, it is not necessarily the wisest approach.

The technology does introduce numerous risks, including the possibility that an employee might speak on an organization's behalf without approval, or post sensitive or regulated information inappropriately. Also, ill-intentioned actors might pose as social network friends or colleagues to coax such information out of employees -- what's known as social engineering. And as many people have learned, social networks are a common delivery channel for malicious links and malware.

However, the benefits of the technology are becoming more apparent every day. Private and public organizations are finding that social networks facilitate both personal networking and massive customer and citizen outreach. They provide good venues for getting feedback from customers and constituents (via Facebook and Ning, for example), locating subject-matter experts (via LinkedIn and others), and for communicating with communities large and small (e.g., Twitter and wikis).

Given that value, healthcare organizations should not resort to blocking all access to social networking or only allowing access by a small number of public relations and marketing experts. The good news is that it is possible to mitigate the risks through a combination of policy, training and technology.

Here are four steps to consider:

1. Ensure existing employee codes-of-conduct policies cover social networking. A good start is to update your organization's computer-use policy to indicate whether it is acceptable to use social networking only for work or for work and personal activities. However, organizations also need a broader policy covering what activities an employee (or contractor) can do on behalf of the business entity, as well as tight controls regarding access to sensitive information, particularly information that is governed by regulatory requirements such as HIPAA. If existing policies are updated to include scenarios related to social networking, the organization must get the word out and incorporate the new policies into its employee training.

2. Train end-users on the benefits, risks, policies and goals for social networking. It is important to communicate to employees and contractors the organization's goals for social media -- and what their role will be. Much as you would work with an executive to prepare for a press briefing or high-profile speaking engagement, you should explain the goals of social networking, who has the authority to speak on the organization's behalf, what actions and activities are appropriate, and whom to contact with questions and issues.

3. Create official profiles for the organization, subsidiaries and key executives on the major social networking sites. This should be done even if those profiles will not be used; they can be marked as inactive and linked from the organization's official website so that patients and the press can tell which accounts are genuine. Reserving the names heads off the creation of fake accounts used for impersonation.

4. Implement technical controls that address how social networking can be used and what content can be posted. Unfortunately, most technologies claiming to help mitigate the risk of social networking can only turn a particular site on or off, typically by URL or domain filtering at the web proxy. Some of these tools can allow social networking for a particular user population in the network, but they still allow any content to be posted. To let the organization gain the value of social networking while mitigating the risk of inappropriate posting of sensitive information or exfiltration via social engineering, a technical solution must understand the context (who is posting, from where, and what kind of transaction it is) as well as the content of each social networking communication. Two practical caveats: because the major social sites are served over HTTPS, content inspection at the network edge requires a forward proxy that intercepts TLS, and that proxy then becomes a sensitive component that must itself be tightly controlled; and network controls do not cover personal phones or home computers, which is why the policy and training steps above remain necessary.
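The difference between a site on/off control and a context- and content-aware one can be made concrete. The following is an added example written for this article; it is not code from the article or from Fidelis Security Systems, and the social-networking hosts, authorized user groups, PHI-like patterns and sample requests are all constructed for illustration. It assumes the outbound request (host, method, requesting user's group and decoded body) has already been made available by a TLS-intercepting proxy; a real deployment would tune the patterns and log every decision.

```python
"""Content-aware inspection of outbound social-network posts (added example).

Compares the crude per-site allow/deny control with a policy that looks at
context (site, transaction type, user group) and content (PHI-like fields).
All hosts, groups, patterns and sample requests below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed: social-networking hosts the organization chooses to permit.
SOCIAL_HOSTS = {"www.facebook.com", "twitter.com", "www.linkedin.com"}

# Constructed: user groups authorized to speak on the organization's behalf.
POSTING_GROUPS = {"communications", "executives"}

# Constructed: patterns for structured identifiers that commonly signal PHI.
# A production policy would add facility-specific formats and tune for noise.
PHI_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),
    ("dob", re.compile(
        r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE)),
]


@dataclass
class Request:
    """One outbound HTTP transaction as seen by the proxy after TLS interception."""
    method: str
    host: str
    user_group: str
    body: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def site_onoff_policy(req: Request) -> Decision:
    """The control most tools offer: the whole site is either on or off."""
    if req.host in SOCIAL_HOSTS:
        return Decision(False, ["social-networking site blocked"])
    return Decision(True)


def content_aware_policy(req: Request) -> Decision:
    """Context first, then content: reading is open, posting is inspected."""
    # Context: only write transactions to social sites are of interest.
    if req.host not in SOCIAL_HOSTS or req.method != "POST":
        return Decision(True)
    # Context: only groups authorized to speak for the organization may post.
    if req.user_group not in POSTING_GROUPS:
        return Decision(False, [f"group '{req.user_group}' may read but not post"])
    # Content: block the post if it carries PHI-like identifiers, and say why.
    hits = [label for label, rx in PHI_PATTERNS if rx.search(req.body)]
    if hits:
        return Decision(False, [f"PHI-like content: {', '.join(hits)}"])
    return Decision(True)


# Constructed sample traffic: a read, an unauthorized post, an approved
# outreach post, and a post that leaks patient identifiers.
SAMPLE_REQUESTS = [
    Request("GET", "www.facebook.com", "nursing", ""),
    Request("POST", "twitter.com", "nursing", "Great shift today!"),
    Request("POST", "twitter.com", "communications",
            "Flu clinic opens Monday, 8am-4pm. Walk-ins welcome."),
    Request("POST", "twitter.com", "communications",
            "Follow-up for J. Doe, MRN 00418273, DOB 03/14/1962."),
]


def evaluate(policy, requests=SAMPLE_REQUESTS):
    """Return the allow/deny outcome of `policy` for each request, in order."""
    return [policy(r).allowed for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        crude = site_onoff_policy(r)
        smart = content_aware_policy(r)
        print(f"{r.method:4} {r.host:18} {r.user_group:14} "
              f"site-on/off={crude.allowed!s:5} content-aware={smart.allowed!s:5} "
              f"{'; '.join(smart.reasons)}")
```

Run stand-alone, the site on/off policy denies all four transactions, including the harmless read and the approved flu-clinic announcement, while the content-aware policy allows the read and the announcement and blocks only the unauthorized post and the one carrying an MRN and date of birth. The reasons attached to each decision are what an analyst needs when reviewing blocked posts, and they are also what a user needs in order to learn why a post was stopped.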

Social networking is here to stay. All organizations, public and private, can and should find ways to maximize its utility. A sound security policy is central to that effort.

Tami Stein is senior product manager at Fidelis Security Systems, a Waltham, MA-based technology security company.