Dealing With Social Media 'Nightmare'Adventist Health creates detailed policies
"Social media are not secure; they were not meant to be secure," Finney says. "They were designed to share information openly. They don't discern what is confidential. They are a new jump-point for malware."
Nevertheless, the 37-hospital system determined that social media could play an important role in its marketing and education efforts. So Finney worked with a multi-disciplinary team to create policies for using new media, ensuring the organization does not violate the HITECH Act's tougher HIPAA privacy and security rules.
"My job is to make sure private information doesn't reach social media," Finney says.
Adventist identified a set of users "that have a legitimate business reason" to access social media. These included those who work in marketing, public relations, human relations and education. It also reviews requests for others to use social media on a case-by-case basis.
The organization also set penalties for violating its policies. For example, an intentional act of misusing or breaching patient information results in immediate dismissal.
In crafting a social media policy, Adventist borrowed from the policies of such companies as IBM, Hewlett-Packard and Microsoft, as well as universities, Finney says.
Adventist determined which social media uses it would monitor, devising a list of 37 "do's and don'ts." It created automated alerts for six critical factors. "If someone is blogging using foul language, for example, we wanted an alert for that," Finney says.
The organization is using a number of technologies to monitor social media. These include a data loss prevention system, Internet use monitors and a content management system. It plans to use a Web crawler to "dig in and find out what others are saying about us," she adds.
The 37-hospital system also created an incident response plan. "I've educated our management team that we will treat a social media event as a security incident," Finney says.
Finney's made her comments May 11 in Washington, D.C., at the conference: "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by the HHS Office for Civil Rights and National Institute of Standards and Technology.