Add to collection(s) Add to saved
  1. Social Science

Social Media Whitepaper

advertisement 
DRAFT
Version 3
November 11, 2010
HIPAA COW
SECURITY NETWORKING GROUP
CONSIDERATIONS ON SOCIAL MEDIA IN THE HEALTHCARE WORKPLACE
Disclaimer
This whitepaper is Copyright  2011 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”).
It may be freely redistributed in its entirety provided that this copyright notice is not removed. It
may not be sold for profit or used in commercial documents without the written permission of the
copyright holder. This whitepaper is provided “as is” without any express or implied warranty.
This whitepaper is for educational purposes only and does not constitute legal advice. If you require
legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state preemption issues related to this whitepaper. Therefore, this form may need to be modified in order to
comply with Wisconsin law.
****
Introduction
Social media and social networking occupy a significant and quickly growing portion of internet
use. The purpose of this document is to supply information that an organization could use in
their risk analysis. Here, we identify sources of risk related to social media and provide ideas on
how to mitigate those risks.
Much like any new technology, social media will find a place in the healthcare organization.
Chris Murphy writes in Information Week “A year ago, just 42% of InformationWeek 500
companies used wikis, blogs, or social networking to reach out to customers, suppliers, and
partners. This year, that figure shot up to 72%, in one of the most dramatic one-year moves
we've ever seen in our InformationWeek 500 data. Back in 2008, only around one-third used
wikis and blogs for external collaboration1”. The job of healthcare security professionals is to
assure that these tools are well used while at the same time protecting from the risks associated.
Table of Contents
1. Definitions
2. Social Media Uses
3. Social Media Risks
4. Legal Issues
5. Policy Choices
6. References
7. Appendix A: sample risk analysis
8. Appendix B: links to model policies
Key Definitions (with examples)
1
http://www.informationweek.com/blog/main/archives/2010/09/social_net_malw.html;jsessionid=GTXEEXS1O3WBJQE1GHRSKH4ATMY32J
VN?print=truehttp://www.informationweek.com/blog/main/archives/2010/09/social_net_malw.html;jsessionid=GTXEEXS1O3WBJQE1GHRSK
H4ATMY32JVN?print=true
© Copyright 2010 HIPAA COW, Page 1
DRAFT
Version 3
November 11, 2010
Social Media: social media is the general term used to describe any number of tools intended to
facilitate the public sharing and discussing of information. Facebook, MySpace, LinkedIn,
Twitter, YouTube, AIM, etc, are all social media tools, although they are of different types
Social Networking: social networking is a subset of social media, and is generally considered to
include web-based tools for posting and sharing personal information. Facebook and MySpace
are the two best known social networking sites, although there are many others
Professional Networking: another subset of social media, professional networking sites are
similar to social networking sites, except they are focused on the sharing of business or
professional information (as opposed to personal). LinkedIn is a key example of a professional
networking site.
Chat / Instant Messaging: generally, utilities that allow real-time communication between two
or more people using the Internet (including video, audio, and file transfer capabilities, as well as
standard text). Chat / IM utilities may either be web-based or require an installed client, and are
available on any device that has the ability to connect to the Internet, including cell phones,
computers, etc. Twitter, AOL Instant Messenger (AIM), Yahoo Messenger, etc, are all
considered to be instant messaging
Blogs / Wikis: interactive websites for posting information on the Internet.
1. Blogs (from the original web-log) are generally less formal, and have fewer controls over
access and content. They are commonly set up and used by individuals to share their
personal thoughts, opinions, and beliefs. Blogger.com and blogspot.com are well known
blog sites.
2. Wikis are more formal and have somewhat tighter controls, being used mostly as
collaborative tools for gathering and disseminating information. Wikipedia is the best
known wiki site.
Media Sharing: as the name implies, these are websites used for uploading and downloading
media file, including video, audio, and/or pictures. The files are stored on the server hosted by
the site. YouTube is the best known video/audio sharing site. PhotoBucket and Shutterfly are
examples of photo sharing sites.
Peer-to-Peer (P2P): similar to media sharing, except these utilities create a dedicated connection
between two computers over the Internet, and allow files to be transferred directly between them.
The files are never stored on an Internet server. Napster is/was the best known utility of this type
Social Media Uses
Social media has moved from home use to an enterprise tool. Its potential cannot be estimated at
this time, but based on adoption rates, it seems likely that some or all of the technologies are
poised for continued and rapid growth. Some uses that are obvious today include advertising and
fan pages. It is easier to set up than a web page for small practices. Many sites share basic
© Copyright 2010 HIPAA COW, Page 2
DRAFT
Version 3
November 11, 2010
health information. For a generation that grew up using social media, it is an obvious tool for
posting and finding employment. Corporate information, reminder notices, customer and vendor
contacts, investment information, weather-related closures are all additional examples of things
which can be done with this family of technologies. The introduction of smaller, more mobile
platforms such as iPhones and Droids is certain to increase the flow of hybrid, evolutionary
applications, designed to benefit the enterprise, the client/patient or both. Other applications can
only be imagined.
For all the potential good, there are many risks associated with the use of social media. These
are well documented, and in the case of the newer devices and technologies are only just
evolving. Remembering back only a few years, computing was done on a larger and less
portable device. The risks of today and tomorrow will not only be based on the applications
themselves, but on the smaller and more portable devices we find them running on.
Pictures of patients in emergency rooms get posted to Facebook. This happened to an accident
victim at a hospital in Lake Geneva2.
Patients have been discussed by their care givers. Names may not have been used, but still
references to a patient in a certain room or a description of the patient or why they are being
treated may still provide enough information to identify individuals.
Negative comments can get posted about patients, co-workers, providers, working conditions,
salary and benefits, or administration. A potential risk that should not be overlooked is that on
many sites anything can be posted regardless of truth. These postings may include information
that may be protected under HIPAA, or can affect your brand, reputation or good name. While
you may be able to block or remove posted content, you will have no control of where it may
have been copied to or who it was seen by. A disclosure or incident may have occurred which
will require time and resources to address, even though your organization may have had nothing
to do with posting it in the first place.
Time gets wasted or work does not get done. Individuals spend time using social media tools
when they should be doing things work related.
A recent article in MLO reported the story of an individual who frequently called in sick when
co-workers thought that she was not really sick. They searched her Facebook account and found
postings concerning all the fun she was having on days when she had called in sick3.
The speed at which individuals can post to social media sites allows individuals and corporate
executives alike to post without thinking through what is being posted. If the individual took
more time to think about what they were posting, it is quite possible that they would not post the
information.
Note that these issues are not substantively different from cafeteria or hallway conversations that
we have been training healthcare workers about for decades. The difference is that social media
2
3
http://www.wisn.com/news/18796315/detail.html
C. Anne Pontius, Addressing Management Issues, MLO October 2010, 26
© Copyright 2010 HIPAA COW, Page 3
DRAFT
Version 3
November 11, 2010
postings stay around forever and can be spread literally over the entire world. (Interestingly,
“going viral” is a term that is used to convey the explosive growth in popularity of a particular
blog, posting or social media offering.) Very few overheard conversations could do that.
There are two ways that individuals can use social media. They can log on using hardware
owned by the organization. That is relatively easy to control. Web filtering software can be
used to block or limit access. The alternative is to use their own hardware. Posting can be done
either at home or on internet enabled telephones.
Social Media Risks
Social media has many advantages, but it has many risks, too. According to a report from
NetworkWorld4 here is their top ten social media risks list:
1. Social Networking Worms
2. Phishing Bait
3. Trojans
4. Data Leaks
5. Shortened Links (for linking to malware)
6. BotNets
7. Advanced Persistent Threats
8. Cross-Site Request Forgery
9. Impersonation
10. Trust
Cybercriminals are having success by committing crimes using social media. Here is a typical
cybercriminal attack scenario using social media as the primary tactic:
Step 1: The criminal will try to find compromised Facebook accounts or attempt to
compromise Facebook accounts themselves. The reason that they do this is to impersonate
the real Facebook account owner to attempt to deceive the owner's friends into providing
personally identifiable information (PII); or trick victims into downloading malicious codes,
which allows the criminal to take control of victims computers or spy on them to capture
their sensitive data like bank account numbers, their company logons, etc.
Step 2: The more friends that the actual Facebook owner has, the more targets that the
criminal has to try to steal their sensitive data. The cybercriminal will look at all of the
owner's friends to find these examples of data:
1.
2.
3.
4.
5.
4
Family last and first names
Birthday
Past and present addresses
Phone numbers
Work info
http://www.networkworld.com/news/2010/071210-social-network-threats.html
© Copyright 2010 HIPAA COW, Page 4
DRAFT
Version 3
November 11, 2010
6. Medications or medical conditions
7. Places that they do business
8. Basically criminals look for any data that will eventually get to valuable information
that can be resold in the underground economy
Step 3: The cybercriminal will spend weeks, months and even years attempting to gain
sensitive information or take control of victim’s computers; or use the victim's computers to
gain access to other potential individual or company victims.
In order for Covered Entities to protect the organization's, employee's and patients' sensitive
information from criminals the Covered Entity needs to conduct a risk assessment and
implement controls to mitigate the risks from social media. Attachment "A" provides a sample
risk assessment of some of the risks associated with social media. Note: The sample social
media risk assessment is only a sampling of some of the risks. The intent of Attachment
"A" is to provide you a starting point for your overall social media risk assessment.
Legal Issues
“It’s quite clear; we don’t have a Facebook page." Supreme Court Justice Stephen Breyer on
the need for the high court to adapt to the changing world of social media.
There is little, if any case law that can serve as precedent related to social media in the healthcare
organization. Certainly, an individual who posts patient identifiable information to their personal
pages would be liable for their own actions. The question that needs to be addressed is which
situations the employer would also be liable. Employers will need to include the subject of
social media when they train their staff about privacy requirements of patient data. As with any
training, this must be properly documented. As demonstrated by the Pachowitz case (Pachowitz
v. LeDoux, 2003 WI App 120,265 Wis.2d 631,666 N.W. 2d 88), even when training has been
completed and properly documented the organization may still be liable.
Legal discovery of e-mail and other documentation is possible when done on an organization’s
own network. When the data is stored on any one of the available social networking sites, legal
discovery at best would be very expensive if it is even possible.
Policy Choices
When an organization is writing a policy related to social media, several choices must be made.
For internal networks social media can be blocked completely, allowed for specific departments,
or allowed throughout. Blocking for all requires that certain sites be put on a list that is never
allowed. The organization will need to identify who will determine which sites to block. If
certain departments are granted access to social media sites the organization will again need to
determine which sites will be allowed and which departments. The most obvious example of a
department that needs access to social media sites is a marketing department, but that department
still needs to be limited. If all sites are allowed, the organization will need to clearly state when
and how and for what purposes they can be used. While it is obvious that some sites because of
© Copyright 2010 HIPAA COW, Page 5
DRAFT
Version 3
November 11, 2010
their nature (pornography or hacking sites) must be blocked, final decision on blocking or
allowing social media sites probably belongs with senior management. Any department that
feels that they have a need should state a business case to allow access.
For access on devices not owned by the organization and done on an individual’s personal time
the organization needs to state that anything posted follows the same confidentiality rules that the
individual has agreed to as part of their terms of employment. Use of personal devices,
including smart phones and cameras within telephones, in the work place must be limited to
break time and family emergencies. Photographs of patients should never taken without written
permission.
Any policy relating to social media should include a reminder that staff must not post personal
information, either about their work situation, or their patients.
......
References
1. http://en.wikipedia.org/wiki/Social_networking
2. http://socialmedia.wikispaces.com/A-Z+of+social+media
3. http://www.livingstonbuzz.com/2009/02/24/social-media-glossary/
4. http://www.converstations.com/blogging_glossary.html
5. http://onlinebrandmanager.org/social-media/social-networking-glossary/
6. http://socialnetworking.lovetoknow.com/Social_Media_Terminology
7. Lake Geneva incident: http://www.wisn.com/news/18796315/detail.html
8. http://socialmedia.mayoclinic.org/
9. http://www.informationweek.com/blog/main/archives/2010/09/social_net_malw.html;jse
ssionid=GTXEEXS1O3WBJQE1GHRSKH4ATMY32JVN?print=true
10. Fired Google Engineer: http://www.csoonline.com/article/614581/engineer-fired-forprivacy-violations-google-says?source=CSONLE_nlt_update_2010-09-16
11. http://www.informationweek.com/news/globalcio/interviews/showArticle.jhtml?articleID=227300404
12. http://www.csoonline.com/article/619221/6-facebook-twitter-mistakes-that-can-get-youfired?source=CSONLE_nlt_update_2010-09-28
13. http://www.csoonline.com/article/584813/10-security-reasons-to-quit-facebook-and-onereason-to-stay-on14. http://www.csoonline.com/article/601614/brand-protection-and-abuse-keeping-yourcompany-image-safe-on-social-media
15. http://www.darkreading.com/authentication/security/privacy/showArticle.jhtml?articleID
=227500908&cid=nl_DR_daily_2010-09-29_html
16. http://www.networkworld.com/newsletters/sec/2010/092710sec2.html?source=NWWNL
E_nlt_security_strategies_2010-09-30
17. Ohio Medical Society guide: http://www.osma.org/files/documents/tools-andresources/running-a-practice/social-media-policy.pdf
18. http://www.itworld.com/offbeat/123789/nine-inch-nailed-trent-reznor-sticks-it-facebookzuckerberg?source=ITWNLE_nlt_thisweek_2010-10-14
19. C. Anne Pontius, Addressing Management Issues, MLO October 2010, 26
© Copyright 2010 HIPAA COW, Page 6
DRAFT
Version 3
November 11, 2010
20. http://www.infoworld.com/print/140361
21. http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=22790
0160&cid=nl_IW_daily_2010-10-19_html Facebook sharing user detail
22. Link to NetworkWorld Top Ten Social Media Risk List:
http://www.networkworld.com/news/2010/071210-social-network-threats.html
Authors
 Principal authors: Jim Sehloff, Lee Kadel, Larry Boettger
 HIPAA COW Security Networking Group
Appendix A: Risk Analysis
Threat/Vulner
ability Source
Identification
Social
Networking
Worms,
Trojans, Bots
and other
Malicious
Codes
Likelihood of
Threat/Vulner
ability
Low
Impact
Magnit
ude
Analysi
s Score
High
Overall
Risk
Determin
ation
Level
Low
Preventive
Controls
1. Behaviorbased
malware
controls on
every
workstation
2.
Information
Security User
Awareness
Training
Detective
Controls
Corrective
Controls
1. Behaviorbased
malware
controls on
every
workstation
1. Incident
Handling
Procedures
2. Regular
Vulnerability
Assessments
2.
Management
Responses to
Vulnerability
Assessment
Results
1. Incident
Handling
Procedures
Phishing
Attacks
Low
High
Low
Information
Security User
Awareness
Training
Regular
Social
Engineering
Testing
2.
Management
responses to
Social
Engineering
Testing
Results
© Copyright 2010 HIPAA COW, Page 7
DRAFT
Version 3
November 11, 2010
ePHI and
other
Sensitive Data
Leaks could be
posted on
employee's
social media
pages
Inconsistent
messages
could be
posted about
the
organization
A
cybercriminal
could
impersonate
other people's
social media
pages and
attempt to
deceive
friends of the
impersonated
account
owner
1. Social
Media Policy
Low
Low
High
High
Low
Low
2.
Information
Security User
Awareness
Training
Social Media
Policy: Only
certain
groups are
allowed to
post company
information
Regular
monitoring
of
organization'
s social
media
presence
1. Social
Media
Procedures:
Information
is proof-read
and
approved
before being
posted
High
Low
2.
Information
Security User
Awareness
Training
Sanction
Policy
2. Regular
monitoring
of
organization'
s social
media
presence
1. Social
Media Policy
Medium
Sanction
Policy
Regular
Social
Engineering
Testing
Management
responses to
Social
Engineering
Testing
Results
Social Media Risk Assessment
Column Name
Definition
Threat/Vulnerability Source
Identification
These are primary threats/vulnerabilities that could impact the
organization if controls are inadequate
© Copyright 2010 HIPAA COW, Page 8
DRAFT
Version 3
November 11, 2010
Likelihood of the threat/vulnerability occurring based on nature of the
threat/vulnerability and existence and effectiveness of current
controls. Likelihood Definition:
Likelihood of
Threat/Vulnerability
High = The threat/vulnerability source is sufficiently capable, and
controls to prevent the vulnerability from being exercised are
ineffective.
Medium = The threat/vulnerability source is capable, but controls are
in place that may impede successful exercise of the
threat/vulnerability.
Low = The threat-source lacks capability, or controls are in place to
prevent, or at least significantly impede, the threat/vulnerability from
being exercised.
Impact Magnitude Analysis
Score
If threat/vulnerability occurs, damage that could affect organization's
ability to meet stakeholder's, customer's and employee's interests
Impact Definition:
High = Exercise of the threat/vulnerability (1) may result in the highly
costly loss of major tangible assets or resources; (2) may significantly
violate, harm, or impede organization's mission, reputation, or
interest
Medium = Exercise of the threat/vulnerability (1) may result in the
costly loss of tangible assets or resources; (2) may violate, harm, or
impede an organization's mission, reputation, or interest
Low = Exercise of the threat/vulnerability (1) may result in the loss of
some tangible assets or resources or (2) may noticeably affect
organization's mission, reputation, or interest.
Overall Risk Determination
Level
The Overall Risk Determination Level is arrived at by calculating these
factors:
- Likelihood of threat/vulnerability
- The Impact Magnitude Analysis Score
Risk Determination Level Definition:
High = There is a strong need for corrective measures. An existing
system/process may continue to operate, but a corrective action plan
must be put in place as soon as possible.
Medium = Corrective actions are needed and a plan must be
developed to incorporate these actions within a reasonable period of
time.
Low = Management must determine whether corrective actions are
still required or decide to accept the risk.
Preventive Controls
These are controls that exist that attempt to prevent the
Threat/Vulnerability
Detective Controls
These are the controls that exist that attempt to detect the
© Copyright 2010 HIPAA COW, Page 9
DRAFT
Version 3
November 11, 2010
Threat/Vulnerability if it occurs
Corrective Controls
These are the controls that exist that attempt to correct the
Threat/Vulnerability if it occurs
Appendix B: Links to model policies
Kaiser Permanente: http://xnet.kp.org/newscenter/media/downloads/socialmediapolicy_091609.pdf
Mayo Clinic: http://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees/
Ohio State University Medical Center: http://www.scribd.com/doc/27663931/Ohio-State-UniversityMedical-Center-Social-Media-Participation-Policy
Sutter Health: http://www.sutterhealth.org/employees/social_networking_policy.pdf
M. D. Anderson Cancer Center: http://www2.mdanderson.org/cancerwise/policies-and-guidelines.html
University of Maryland Medical Center: http://www.umm.edu/resources/web_comments_policy.htm
Sentara: http://www.sentara.com/Policies/Pages/SocialMediaPolicy.aspx
Vanderbilt University Medical Center:
http://www.mc.vanderbilt.edu/root/vumc.php?site=socialmediatoolkit&doc=26923
AHIMA document:
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048693.hcsp?dDocName=bok1_04
8693
© Copyright 2010 HIPAA COW, Page 10
DRAFT
Version 3
November 11, 2010
Generic policy 1: http://mashable.com/2009/06/02/social-media-policy-musts/
Generic policy 2: http://www.slideshare.net/luciodiasribeiro/social-media-policy-sample
On Line Database of policies: http://socialmediagovernance.com/policies.php?f=4
List of sample policies: http://socialmediagovernance.com/policies.php
© Copyright 2010 HIPAA COW, Page 11
Related documents
NIST 800-30 Risk Assessment Steps
NIST 800-30 Risk Assessment Steps
The foremost goal of the information security function should be to
The foremost goal of the information security function should be to
Executive Level Security Caliber Security Partners is a different kind
Executive Level Security Caliber Security Partners is a different kind
ex_buisness_expansion
ex_buisness_expansion
Review Questions
Review Questions
Review Questions - Cisco Networking Academy
Review Questions - Cisco Networking Academy
Risk Assessment-Security Plan
Risk Assessment-Security Plan
Chapter 11: Policies and Procedures
Chapter 11: Policies and Procedures
An extended misuse case notation
An extended misuse case notation
Download
advertisement