Dealing With Social Media 'Nightmare'

Adventist Health creates detailed policies
Social media "are a data security person's worst nightmare," says Sharon Finney, corporate data security officer at Adventist Health System. So Finney and her team spent more than six months crafting security policies for limited use of the new media.

"Social media are not secure; they were not meant to be secure," Finney says. "They were designed to share information openly. They don't discern what is confidential. They are a new jump-point for malware."

Nevertheless, the 37-hospital system determined that social media could play an important role in its marketing and education efforts. So Finney worked with a multi-disciplinary team to create policies for using new media, ensuring the organization does not violate the HITECH Act's tougher HIPAA privacy and security rules.

"My job is to make sure private information doesn't reach social media," Finney says.

Limited users

Adventist identified a set of users "that have a legitimate business reason" to access social media. These included those who work in marketing, public relations, human relations and education. It also reviews requests for others to use social media on a case-by-case basis.

The organization also set penalties for violating its policies. For example, an intentional act of misusing or breaching patient information results in immediate dismissal.

In crafting a social media policy, Adventist borrowed from the policies of such companies as IBM, Hewlett-Packard and Microsoft, as well as universities, Finney says.

Automated alerts

Adventist determined which social media uses it would monitor, devising a list of 37 "do's and don'ts." It created automated alerts for six critical factors. "If someone is blogging using foul language, for example, we wanted an alert for that," Finney says.

The organization is using a number of technologies to monitor social media. These include a data loss prevention system, Internet use monitors and a content management system. It plans to use a Web crawler to "dig in and find out what others are saying about us," she adds.

The 37-hospital system also created an incident response plan. "I've educated our management team that we will treat a social media event as a security incident," Finney says.

Finney made her comments May 11 in Washington, D.C., at the conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by the HHS Office for Civil Rights and the National Institute of Standards and Technology.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
