Minimizing Social Media Risks
Offering Secure Alternatives for Communication About Patients
Healthcare organizations should consider alternatives such as encrypted e-mail and texting, as well as secure websites, to help ensure staff members don't use social media to share patient information and potentially violate privacy, Hicks says.
"Those are all solid avenues that could be used in a way to mitigate the risks of social media," says Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire.
"PHI and social media are like oil and water; they should absolutely be segregated," he says in an interview with Information Security Media Group. As a result, social media should only be tapped by healthcare organizations for sales and marketing activities, he stresses.
"It's very important for organizations to define the policies for the acceptable use of social media," he says. Hospitals and other organizations should also consider ways of blocking employees from accessing social media sites in the workplace, he adds.
"The bottom line here is that we don't want PHI getting into the wrong hands ... and getting into the social media networks," he says.
Healthcare organizations should consider monitoring social media sites for disclosures about patients, Hicks adds. Plus, they need to ensure that staff members know who within the organization should receive reports of breaches.
Importance of Sanctions
It's also critical that enforcement of social media policies be backed up by sanctions for violations, Hicks says. "It's a HIPAA requirement to have sanction policies, and ultimately it defines what disciplinary actions [can be taken against] an employee who violates the policies," Hicks says.
In the interview, Hicks also discusses:
- How policies about BYOD, such as limits on the use of smartphone cameras by workers, can be intertwined with social media policies;
- The importance of making sure business associates have social media policies in place;
- Emerging privacy and security risks involving social media.
Hicks has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance. His experience also includes implementing and managing IT internal control programs relative to maintaining Sarbanes-Oxley, HITECH Act, HIPAA security, and PCI regulatory compliance.