NetSPI Information Security Consulting
NetSPI Blog


Mayo Clinic’s Solution for Social Media Challenges

Thursday, September 9th, 2010

The Mayo Clinic recently launched the Mayo Clinic Center for Social Media (http://socialmedia.mayoclinic.org/), intended to help train medical practitioners and patients in the use of social media to improve patient care. While it's easy to see how greater access to healthcare-related information can be very valuable, problems with doctors and nurses posting PHI inappropriately have made news headlines more than a handful of times. Therefore, this new development comes at a great time, just as more and more organizations are beginning to appreciate the value of a comprehensive social media strategy.

With the goal of delivering better quality care to patients, many healthcare systems are sharing EMR applications and medical data repositories and setting up interfaces between different systems. This increases the exposure of medical records to a larger group of healthcare practitioners by allowing better, faster, and easier collaboration between doctors. With increased collaborative efforts, it has become more likely that doctors will choose social media as the catalyst for collaboration and patient information sharing. Therefore, organizations that act as custodians of PHI, such as hospitals, clinics, and research labs, must take active steps to educate their workforce about the dangers of social media, and about how these tools can be used effectively without violating patient confidentiality or current healthcare compliance requirements.

Through the Center for Social Media, Mayo Clinic seems to approach the problem from multiple angles. While the portal is still very young, the articles already posted address the creation of well-designed social media policies and appropriate training materials, and provide analysis of documented cases of PHI misuse. Overall, I view this as a very positive development and will continue to monitor this website for insightful information about the best use of social media in healthcare. After all, this technology is here to stay, and draconian policies of simply blocking access to Facebook from the workplace have proven to be ineffective. The answer to these challenges clearly points to better guidance and training for healthcare practitioners, as well as developing tools for responsible, effective, and secure collaboration.


Social Media and Corporate Guidance

Tuesday, August 11th, 2009

One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risk associated with using social media and networking sites. (These concerns have also received some coverage in trade publications; see, for example, a recent Computerworld article: http://tinyurl.com/mc7yb8)

Using social media applications is not just a personal computing trend; they have also become integrated into our corporate cultures. Many organizations are using these sites for corporate marketing, file sharing, communications, and recruiting. In the past, the corporate policy of most organizations was not to post resumes online, use your corporate email account as your username to access a website, or post pictures from the company holiday party on a website (at least the potentially incriminating ones). Now, corporations are eager to get the word out about how great it is to work there, or connect with employees, or find out what events they will be attending, even posting opinionated blog entries such as this one. While these applications can open great new doors, they need some associated corporate guidance.

I say guidance because a more explicit security policy regarding usage of Twitter, LinkedIn, or Facebook is likely to be unenforceable. Employees may refrain from using corporate accounts for these applications, but if they like them, they will find ways to use them. Here are some basic guidance points that you may consider in your next security-awareness email.

  1. When using social media sites, be sure to use different passwords for different sites, and never use your corporate password. These sites have varying password reset controls; don’t let a breach of one account impact all your accounts.
  2. Remember, in the case of company documents, if it's not meant for the company's public website, it probably isn't meant to be shared on someone else's, even if they told you it is secure. Watch out for sites like Google Docs or yammer.com that create a perception of privacy and security. Let your security team determine which sites are acceptable.
  3. There are a couple of key items that you should never post publicly, such as your birth date, social security number, or employee ID. If the site requires such data, consider making something up or ensuring it's not displayed in a public profile.
  4. There are certain items that companies don't technically classify as confidential, yet keeping them secret and off the social networking sites is a good thing. This could include rumors, planned purchases, technology used, and projects you're working on. Posting your job history may be OK, but for current activities, just keep it generic.