1 Social Networking Policy Date: July 2014 Version number: 0.6 Review Date: June 2016 If you would like this document in an alternative language or format, please contact Corporate Services on 01595 743069. CEPOL017



NHS SHETLAND DOCUMENT DEVELOPMENT COVERSHEET*

Name of document Social Networking Policy

Registration Reference Number: CEPOL017 (New √ / Review)

Author Drew Berry / Ralph Roberts

Executive Lead Ralph Roberts

Examples of reasons for presenting to the group:

Professional input required re: content (PI)

Professional opinion on content (PO)

General comments/suggestions (C/S)

For information only (FIO)

Examples of outcomes following meeting:

Significant changes to content required – refer to Executive Lead for guidance (SC)

To amend content & re-submit to group (AC&R)

For minor revisions (e.g. format/layout) – no need to re-submit to group (MR)

Recommend proceeding to next stage (PRO)

*To be attached to the document under development/review and presented to the group. Please record details of any changes made to the document on the back of this form.

Proposed groups to present document to:

ISG

APF

Staff Governance Committee

Date | Version | Group | Reason | Outcome

16.01.13 | 0.1 | ISG | General comments and suggestions | PRO

31.01.13 | 0.2 | Area Partnership Forum | General comments and suggestions | General comments and suggestions

21.02.13 | 0.3 | Staff Governance Committee | Approved with the addition of guidance to staff on fair and responsible usage, plus a flowchart on how to request a departmental/service presence | Approved with amendments

18.02.14 | 0.4 | SMT | Final review of minor changes before onward communication |

26.02.14 | 0.4 | ISG | For agreement and to ask Clinical Governance Committee as parent committee to approve | PRO

29.04.14 | 0.4 | Clinical Governance Committee | For Final Agreement | Approval (MR)

16.07.14 | 0.5 | SMT | For minor revision as requested at CGC (Roles & Responsibilities) | Approval

16.07.14 | 0.6 | - | Include amendments from final discussion at SMT | Final Version


DATE | CHANGES MADE TO DOCUMENT

05.02.14:

General tidy up including updating of policy names

Additional text re appropriate/fair usage of NHS Shetland networks

Addition of Appendix A – Requesting a social media presence

07.07.14:

Addition of Roles & Responsibilities (feedback from CGC)

Development of procedure for approval of departmental use of Social Media (Appendix A)

16.07.14:

Final revision to Appendix A to clarify responsibilities for use of Social Media

Emphasised need to ensure all potentially affected staff groups are considered when considering use of a Social Media site for NHS services

Table of Contents

1. Introduction 6

2. Purpose of this policy 6

3. Roles & Responsibilities 7

3.1 Executive Responsibility 8

3.2 Director of HR & Support Services 8

3.3 Directors 8

3.4 Line Managers 9

3.5 Staff 9

4. Social Media 10

5. Business use of social media 10

5.1 Benefits and concerns 10

5.2 Benefits of Social Media 11

5.3 Key Concerns of using Social Media 11

6 Personal conduct when using Social Media 12

6.1 Participating online for a work-related purpose: 12

7. Private use of social media 13

8. Review, monitoring & Evaluation 16

Appendix A 17

Requesting an NHS Shetland Social Media Presence 17

Appendix B 19

Harnessing Online Social Networking within NHS Scotland: Benefits and Risks 19

Purpose: 19

Executive Summary: 19

PART A 20

1 Online social networking and Scottish Government Strategy 20

1.1 Transactions that support self-management 20

1.2 Communications with the NHS and access to trusted advice 20

1.3 Access to health records and patient networking and support 21

2. Current position 22

3. Better to harness than simply block 22

4. Social Circumstance: Internal or external OSNs? 23

5. What are the first wave OSN applications for NHS Scotland? 27

5.1 Business continuity communications 28

5.2 News and announcements 29

5.3 Understanding and monitoring public opinion 29


5.4 Public education and health campaigns 31

5.5 Professional network support 31

5.6 Patient support groups 32

5.7 Transactions support 32

PART B 33

6 Security risks and mitigation plans 33

7 Risks to the organisations through own usage of OSN 33

7.1 Site sabotage and hijacking 33

7.2 Legal risks through official OSN interactions 35

7.3 Information leakage as a result of inadequate permissions 36

7.4 Content management issues 36

7.5 Risks relating to staff usage of OSN in the workplace 37

7.6 Importance of malware into health systems 38

7.7 Capacity and time-wasting issues 40

8 Risks relating to OSN usage by NHS employees outside work 41

8.1 Capturing credentials for malicious purpose 41

8.2 Social engineering to obtain information 42

8.3 Putting up offensive or inappropriate content 43

8.4 Personal ID theft and safety risks 45

8.5 Wider privacy issues 46

9 Conclusions 47

Figure 1: Health board strategic positioning of internal and external OSN Tools 22

Figure 2: Summary of first wave applications for OSNs in eHealth 27

1. Introduction

NHS Shetland is committed to embracing new technology to support the principles of NHS Scotland's Quality Strategy and our local Communications Strategy. One of the fundamental principles of the NHS Scotland Quality Strategy is about: 'Putting people at the heart of our NHS … our NHS will listen to people's views, gather information about their perceptions and personal experience of care and use that information to further improve care.' Good quality, timely, effective and equitable communications are at the heart of achieving this. We need to provide the right information in the right format at the right time so that people have the information they need in the format they want, and that they have the means of having their say. New technology includes the use of the internet and social media as a means for developing and promoting services and engaging with the public. This includes the organisation's public website and the use of social media tools which enable the organisation to communicate with patients and members of the public who are not easily reached by other means. NHS Shetland has started evaluating social media such as Facebook with some departments. It is important that staff are aware of these communications channels and can highlight their availability to patients and service users. It is also important that when staff are able to access social networking sites for work-related purposes there are clear guidelines in place regarding this access.

2. Purpose of this policy

The purpose of this policy is to ensure that employees have adequate information and clear guidance to enable them to use social networking sites in their work and private lives appropriately and in a way that ensures that their personal and professional reputation and that of NHS Shetland is never compromised. Our objective in drafting this policy is to advise on how social networking sites can be harnessed to improve communications with service users, and also to establish parameters which eliminate any potential harm to employees and the organisation from inappropriate use of social media sites. NHS Shetland employees are accountable for their actions and activities when using social networking sites and are expected to observe at all times the standards, conduct and behaviour outlined in the following policies, guidance and legislation:

Data Protection Act

Equality Act 2012

NHS Code of Practice on Protecting Patient Confidentiality

Eliminating Bullying and Harassment Policy

Managing Conduct Policy

Code of Conduct

New start IT forms

In addition staff must recognise the risk of breaching the regulatory or professional codes of conduct that apply to their professional bodies. NHS Shetland recognises the importance of ensuring that staff have the information and guidelines they need to enable them to use social networking sites in their private lives without compromising their personal or professional reputation and the reputation of the organisation. When online, all NHS Shetland employees are required to maintain the standards of conduct expected of them and are accountable for their actions and activities when using social networking sites. Application of this policy should be considered in conjunction with all other relevant organisational policies.

3. Roles & Responsibilities

Responsibility for this policy sits with a number of individuals. Ultimately, each member of staff should take responsibility for their own use of Social Media.

3.1 Executive Responsibility

Overall responsibility for the policy lies with the Chief Executive. The CE will ensure the policy is developed and kept up to date. The Corporate Services office will provide final sign-off for any new proposal to introduce the use of Social Media within NHS Shetland.

3.2 Director of HR & Support Services

The Director of HR&SS has responsibility for 2 key aspects of the policy:

i) HR Policies. The Director will ensure that NHS Shetland's HR policies are compatible with and support the implementation and use of this policy where appropriate.

ii) IM&T Support. The Director (through the Head of IM&T) will ensure that NHS Shetland's IT Infrastructure will support the appropriate use of social media and, where necessary, the required monitoring of the use of NHS infrastructure for social media. The Director will ensure appropriate security is in place on NHS systems to protect the organisation's data from the implications of staff accessing and using social media. The Director will also ensure appropriate updated guidance is provided on the developing use and technology associated with social media.

3.3 Directors

Directors are responsible for agreeing with their managers any proposal for the use of social media within their area of service responsibility. The Director should ensure that the reasons, benefits and risks associated with using social media have been appropriately identified and managed.


3.4 Line Managers

Individual managers are responsible for ensuring any issues associated with their staff's use of social media are, where necessary, appropriately managed using the Board's Human Resources (HR) policies. Managers are responsible for the appropriate use of social media by their department or service in relation to their service's needs. This will include agreeing with staff whether and how this might be used, evaluating the impact and benefits and ensuring that any risks are identified and managed. Managers should also ensure that all staff potentially impacted by the use of social media in a particular service are appropriately engaged in the development of social media use and are aware of their responsibilities (this may include staff from other departments/services as appropriate). Managers are responsible for ensuring arrangements are in place for the ongoing evaluation and monitoring of any social media used within their service. (For guidance on the use of social media by the service please see section 5 and Appendix A.)

3.5 Staff

Individual members of staff are responsible for their own use of social media. This should be in line with the guidelines incorporated within this policy. Staff should be aware that inappropriate use of social media will be managed using the relevant HR Policies.

4. Social Media

Social media is a general term used to describe internet and mobile tools and forms of publishing which integrate technology, telecommunications and social interaction or discussion between an author and active readers. Examples of social media include, but are not limited to:

Online forums

Blogs and Micro-Blogs

Social News, Sharing, and Bookmarking

Social Networks

Podcasts

Photos

Videos and Webcasting

Real-time web communications (chat, chat rooms, video chat, instant messaging)

The most commonly used social networking services are Facebook, Twitter, LinkedIn and YouTube. However this policy is not limited to those services.

5. Business use of social media

NHS Shetland recognises the benefits to the organisation of using social media and networking sites to promote and develop services and communicate with patients and members of the public. This may include a department establishing a social networking site to enable them to fulfil this role. Consent for any social media presence that is developed in the name of NHS Shetland must be sought from the Corporate Services Department. A checklist of considerations before making a request is attached at Appendix A. This is not an exhaustive list, and depending on the type of request, there may be other issues which need to be thought through in conjunction with Corporate Services/IM&T before a social media presence is established.

5.1 Benefits and concerns

There are a range of benefits surrounding the use of social media; however, it is not always the most appropriate option. Consideration needs to be given to the overall communication strategy, business need and resource levels.

5.2 Benefits of Social Media

Increases access to audiences and improves accessibility;

Enables citizen engagement and encourages partner and stakeholder relationships;

Greater scope to refocus communications partner and stakeholder relationships;

Improves long-term cost effectiveness of communications;

Improves credibility;

Increased speed of public participation including feedback and input;

Reach of specific audiences on specific issues; and

Reduces the dependence on traditional media channels.

5.3 Key Concerns of using Social Media

Staff need to be empowered to engage;

When this policy has been approved and adopted, existing restrictions on access to Social media sites from the NHS Shetland network will be removed, however this could result in inappropriate use or misuse of social media;

Staff need to be aware of the policies that make clear what staff can and cannot do (specifically this document and the Code of Conduct covering all staff members);

Consideration needs to be given to the governance of sites and content; and

Staff need to be aware of guidelines – and clear about the distinction between engaging as an individual or as representative of the organisation.

In addition read Appendix B, Part A and Part B. This provides a wider perspective on the use of Social Media within an NHS context.

6 Personal conduct when using Social Media

In working hours, staff should only access social media and networking sites through the NHS Shetland network for work purposes. This is important for the reasons outlined below:

Data streaming that is not for work-related purposes (e.g. catching up on the previous evening's TV) is bandwidth intensive and has the potential to detract from core clinical and administrative systems. The only data streaming usage acceptable through the NHS Shetland network is for relevant work and educational purposes.

Posting comments or being visible online during working hours, even if it is in a staff member's designated break period, has the potential to cause reputational damage, as external observers will not recognise break periods from working times.

Personal social media usage on NHS Shetland premises has the potential to display on screen inappropriate materials that can be seen by others.

6.1 Participating online for a work-related purpose:

Be professional. You are a representative of NHS Shetland and in certain networks you might be the sole voice;

Be transparent. Wherever possible, disclose your position as a representative of your organisation. If you are talking about your work, use a disclaimer;

Be clear about your aims. What story you are trying to tell, to whom and why;

Be responsible. Be honest. Abide by your organisational and IT code of conduct, HR and Social Media Policy.

Be helpful. When you gain insight share it with others where you can;

Be credible, be accurate, fair and thorough. Stick to your area of expertise;

Be judicious. Libel, defamation, copyright and data protection laws apply;

Be integrated. Wherever possible, align online with offline communication;

Be inclusive. Make every effort to be accessible and connect with all relevant communities;


Be personable. Participating online is not about delivering staid corporate messages. It is about conversations between individuals and should be treated that way;

Be respectful. Pause and think before posting. When disagreeing with other opinions, keep it appropriate and polite;

Be careful. Never give out personal details like your home address or phone number;

Be responsive. Visit the online spaces where you have a presence regularly and respond positively and promptly to conversations;

Be willing to learn from others;

Be creative. New tools mean new approaches; and

Be accountable. Online participation is a multi-stakeholder process where everyone is accountable for their own actions.

Remember: participating online results in your comments being permanently available and open to being republished in other media. You may attract interest in you as an individual, so proceed with care whether you are participating in a professional or personal capacity. If you have any doubts, take advice from your line manager. Photographs taken in clinical or public areas that are intended for inclusion on social media sites must have a valid business or clinical context and must not compromise patient, visitor or staff privacy under any circumstances.

7. Private use of social media

Social networking sites enable people to maintain contact with others. However, through the open nature of such sites, it is also possible for third parties to collate vast amounts of information about you, your family, colleagues, and personal/professional life. Whilst communication through social networks may be considered to be a personal matter, this is not the same as it being private. In a lot of cases, written conversations inside these networks can be found through search engines such as Google. Even in cases where only your contacts can see what you write, there is a likelihood that one of them will forward what you say and make it visible to a wider audience. As a result, personal conversations within social media networks should be considered public rather than private. Consider the following when using social media for personal use:

You are personally responsible for any content you publish;

Understand your online privacy settings – check your settings and understand who can see the information you publish and your personal details. However, in general, nothing written on social media sites is truly private, regardless of any privacy settings you may have set;

Follow your organisational and IT code of conduct and this Social Media Policy;

If you do talk about work you do for NHS Shetland you should make it clear that you are speaking for yourself and not on behalf of NHS Shetland. Use a disclaimer such as 'the views expressed here are my own and do not necessarily reflect the views of my employer';

Do not let your personal use of social media interfere with your job; and

Think about what your personal digital strategy is, i.e. in what way you are engaging with social media as an individual, and what networks you are appearing on.

All staff should be mindful of the information they disclose on social networking sites, especially when they:

identify their association with their employer;

discuss their work in any way;

can be identified as a staff member by other means (for example, by mentioning “working at an NHS Shetland location”).

NHS Shetland has a reputation to uphold and the public must be able to trust staff's integrity, confidentiality and values. To this end, individuals should consider carefully whether they identify themselves as a member of staff by revealing their place of work and/or occupation. Employees must not:

engage in activities on the internet / social media which might bring NHS Shetland into disrepute;

post information relating to patients and/or patients relatives;

post video or images taken on health premises;

post offensive or obscene information or material;

disclose privacy marked or commercially sensitive information;

disclose their work email address or work telephone numbers on personal social networks;


use the internet / social media in any way to attack or abuse colleagues;

refer to or comment about colleagues, patients or the service in an abusive or harassing manner;

knowingly join networks or conversations with patients/service users or their relatives where a direct patient / employee relationship exists;

post comments, videos or photos that reveal some form of work-related misconduct, for example 'tweeting' about feigning illness or avoiding work;

in the course of undertaking their duties as an employee, use any of the organisation's social media networks to express personal views which NHS Shetland would not wish to be connected with.

NHS Shetland employees must be considerate of their personal and professional boundaries when accepting or requesting to join a social network that may include colleagues, patients or relatives. If staff are in any doubt as to how this would impact on a specific situation they should seek advice from their line manager. NHS Shetland will not proactively monitor an employee's social networking activity and does not intend to be prescriptive about how employees should conduct themselves in their private lives. However, all internet activity by staff on the NHS Shetland network is logged and stored. Where concerns regarding usage, or material which may be considered to be inappropriate, are brought to the attention of the organisation, NHS Shetland will investigate in line with the appropriate policy or legislation, for example Managing Conduct, Eliminating Bullying and Harassment Policy, Data Protection. Internet logs may be used as part of any investigation. The organisation understands that employees may wish to use their own mobile devices while they are at work. Employees must limit their use of social media on their own equipment to their official rest breaks, such as their lunch breaktimes, and must not connect their own equipment to any of NHS Shetland's communication networks, including the physical network and the NHS Shetland staff wifi. Staff may connect their personal devices to the NHS Shetland 'guest' wifi. As outlined at Section 6 above, staff should be mindful of posting comments or being visible online during working hours, even if it is in a staff member's designated break period, as external observers will not recognise break periods from working times.

8. Review, monitoring & Evaluation

This policy will be monitored and reviewed every two years, or sooner in light of any legislative changes or national NHS changes. Individual managers (Directors) are responsible for ensuring the evaluation of any NHS Shetland social media presence within their department/directorate.

Appendix A

Requesting an NHS Shetland Social Media Presence

Any member of staff or department considering the use of Social Media should follow the following steps.

STEP 1: Consider how Social Media would be used

Please give consideration to the following points / Appendix B

Who are you trying to reach, what platform do you intend to use (eg Facebook, Twitter) and is your proposal the most appropriate medium?

How frequently do you intend to publish information?

If people can comment on the information you publish, have you given thought to how / if you can / should moderate this and be explicit about moderation on your social media presence?

How will you set up and thereafter access the social media account? Who will have rights to publish new information, and update existing information?

How will you respond to positive & negative feedback?

How often will it be checked and who will do this in your absence?

How will you evaluate its impact?

How will you communicate to colleagues so they can signpost interested service users?

What engagement should you have with staff, patients, patient groups / carers in developing the Social Media presence (including staff who might be affected from other departments / services)?

Does this have the support of the Departmental manager and relevant Service Director?

If you would like to discuss any of the above please feel free to discuss this with the Corporate Services office and/or IM&T department.

STEP 2: Discuss and Agree proposal with Line Manager / relevant Director

STEP 3: Submit proposal for ratification by Corporate Services Department

Once you have an answer to the points above and have the support of your Line Manager / Director, request a social media presence through Corporate Services: Telephone: 01595 743064 or email [email protected]. Your request will be reviewed in line with the Board's overarching Communications Strategy and, if required, discussed with IM&T. Co-ordinating requests for Social Media sites through Corporate Services gives the organisation a complete picture of the various communication channels in use and allows Corporate Services staff to respond effectively to media enquiries about information on the social media sites.

(Further national advice / issues for consideration are outlined in Appendix B.)

Appendix B

Harnessing Online Social Networking within NHS Scotland: Benefits and Risks

Purpose:

The aim of the two companion papers is to show how NHS Scotland can harness online social networking (OSN) to support the eHealth strategic aims in 2011-2014, to outline the key risks to the organisation and finally how to put a mitigation plan in place.

Executive Summary:

OSNs can be used for internal as well as external facing purposes: within organisations there are already Sharepoint-type tools which have OSN functionality and it needs to be clear at the outset how usage of external OSN fits into an overall corporate knowledge retention strategy. Usage of OSN to engage with the public via transactions, knowledge/information services and patient data access brings eHealth closer to achieving 'patient portals'. Other first wave – and low risk – purposes to which OSN functionality can be put are: business continuity communications, news and announcements, understanding and monitoring public opinion, public education/health campaigns, and professional and patient network support. The main security and legal risks to the organisation and to individual employees can be reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not leave it to lone enthusiasts) and put in place a realistic mixture of governance, guidance/training and technical/security measures.

PART A

1 Online social networking and Scottish Government Strategy

Online citizen participation is a key plank in Scotland's Digital Strategy and specifically in eHealth there is an aim to create an environment that gives patients the ability to equip themselves with the information they need to monitor and manage their own health care as far as possible.[1] An important question is how far online social networking will bolster rather than hinder work in these areas?

1.1 Transactions that support self-management

There is enormous potential to use the web for patient transactions such as health appointment bookings, data checking, e-prescriptions etc. IT investment in these areas is often considerable in order to ensure that the web space can be secure, easily accessible and well managed. OSN can be used at design, release and steady state stages to ensure that these significant investments hit the mark (i.e. are not solutions looking for customers). Online health transactions, like OSNs, rely on very subtle two-way trust-based interactions. Getting these transactions right, as online banks and shops have found, is very difficult and a lot can be learned from OSNs.

1.2 Communications with the NHS and access to trusted advice

At the moment virtually all the NHS Scotland online activity falls within this category. There remains the need for high quality trusted content, like NHS Inform for example, that is controlled by the host and 'pulled' when required by the site visitor. This preserves the integrity of the announcements, sign-posts, news and medical information in a way that non-official channels which allow interaction/editing cannot (e.g. wikis, blogs and company-sponsored medical advice pages are often misleading).

[1] eHealth Strategy 2011-2017 published September 2011 (with a refresh due in 2014); The Digital Future: A Strategy for Scotland (March 2011)

However, NHS sites are increasingly used to communicate in real time and OSNs can be an important part of an overall channel strategy and inform policy (see below). Similarly, hosting or participating in knowledge sharing – which requires interactive tools – is an important part of the medical self-management aim. One of the interesting side effects of the social networking growth is that relatively old tools such as email, SMS and desk-top web conferencing are taking on a new lease of life. The NHS therefore needs to re-appraise how these often over-looked channels can be used for patient interaction. Whereas some clinical Telehealth purposes require considerable investment (hardware, special rooms, robust connections etc) there are probably many more routine 'keeping in touch' type sessions which could be carried out with lower-cost consumer-type applications and equipment.

1.3 Access to health records and patient networking and support

There is a growing demand for self-access to clinical data in addition to the established routes (e.g. Data Protection subject access requests). Evidence from pilots such as My Diabetes My Way that allowed access to clinical information has shown that a) the service is greatly valued; b) clinicians simply do not have the time to go over all data and c) patients do not always understand what is being said during visits to hospitals and like to mull over written evidence. It is likely that having access to one's own data online (provided the right data fields are chosen and it is done securely) can improve the success rate of both eHealth transactions and the information/knowledge services: e.g. being able to check and update medication/allergy details could help with e-pharmacy applications and accessing clinical correspondence may induce patients to look at the right online advice guide on NHS Inform. All these areas – transactions, information services and patient data access – can be integrated together to form virtual patient web-spaces. A landing page hosted by NHS Scotland could be personalised and provide sign-posts to one or more favourite patient web-spaces (e.g. for a long-term condition). Secure authentication could then be used where patient data is being accessed.

Understanding and harnessing OSN (in terms of technical design, content and human behaviours) can bring NHS Scotland closer to realising this vision.

2. Current position

Some health boards are already using OSNs as an additional e-channel for communication (e.g. placing news and announcements onto Facebook or Twitter). But the full potential of OSNs, which is based on interactions and not static content, has yet to be exploited by public health organisations for the following reasons: OSNs are by their very nature a 'home grown' phenomenon and almost ungovernable. Virtually all of the innovation and momentum has come from individuals (and increasingly the 'third sector') rather than state bodies, corporations or universities. In fact public sector and corporate participation – if handled clumsily – can seriously back-fire if it is perceived to be an attempt to undermine the democratic spirit of OSNs. In turn, health officials, accustomed to controlling messages and their own online content, are understandably wary of setting foot into this legal mire. Some of the recent impetus for OSN usage by public bodies has come from politicians; but there have been some spectacular failures (e.g. wiki/blog sabotage) which have left many bruised and unsure about what they should do, if anything, in the online networking space. Any lingering doubts about the dangers of OSN are often confirmed by the weight of security and legal opinion (universal blocking may seem the safest approach).

3. Better to harness than simply block

Some health boards encourage the use of popular social media on their public-facing web site and then block OSN usage within the work-place (and fail to promote internal social networking tools). If employees are not informed of the often good reasons behind this seemingly contradictory approach then it can cause friction between staff and IT departments. Similarly, there are examples of the 'scattergun' approach (where engagement with OSNs is seemingly random and without real purpose). OSN continues to grow at an exponential rate, especially in the mobile application space. There needs to be a more strategic and consistent approach to using OSNs in eHealth. It needs to be clear that carefully targeted involvement with OSNs can bring a variety of solid practical benefits (i.e. it is not just a matter of seeming to look modern). The security risks of OSN are very real (and discussed in Part B) but far more likely to be mitigated when OSN is part of an overall plan and not left to enthusiasts who 'go it alone' against a backdrop of general hostility.

4. Social Circumstance: Internal or external OSNs?

The focus of this paper is on external (or citizen-driven) online social networks (e.g. Facebook, Twitter etc). But it is worth stressing at the outset that there is a considerable amount of social networking potential within NHS organisations. Any OSN strategy needs to ascertain the width of the social circle. Fig 1 illustrates different concentric circles for a fictitious health board and the appropriate tools that might be used to meet the business and security requirements (after a risk assessment).

Figure 1: Health board strategic positioning of internal and external OSN tools

Columns: Chosen OSN tool; Social circumference; Justification

1) Sharepoint
   Social circumference: Core board staff
   Justification: All staff to use this for internal networking; data held on internal network to RESTRICTED level

2) Extranet/external Sharepoint
   Social circumference: Staff in core department and selected staff in other boards
   Justification: Selected staff invited in; governance over documents uploaded. Possible accreditation to PROTECT

3) Communities of Practice or e-library
   Social circumference: Staff in core department wishing to network with NHS staff across Scotland
   Justification: NHS sponsored space which allows content upload to particular communities

4) Huddle/Yammer etc
   Social circumference: Staff doing a wide consultation exercise with suppliers, charities, third sector etc
   Justification: May be a fee for a hosted service (data held in UK); closed spaces for each project. Can be accredited to PROTECT if necessary with the right design.

5) Facebook
   Social circumference: Specific staff in board wishing to communicate with the public or test public opinion.
   Justification: Free, open-to-all site; technically there are closed spaces but data may be hosted abroad; no protective marking and few of the controls that exist in the internal environment.

Without such planning an organisation could end up with a mismatch. There are for example public bodies that use Internet-based OSNs as the de facto internal knowledge sharing tool even when Sharepoint-type tools (which increasingly have powerful OSN functionality) have already been purchased.2 This means that existing investments are not being exploited and staff get confused as to where the 'official' internal place to share ideas is. And in reverse there are organisations contemplating investment in external instances of KM tools or extranets to allow networking across sponsored public bodies when a cheaper off-the-shelf networking service hosted by Yammer or Huddle for example would suffice.

2 Scottish Government does not endorse any particular product/company. Sharepoint is fairly ubiquitous across boards and often part of an enterprise agreement. There are other players such as Alfresco.

The key benefits to internal online social networking tools include:

People finding: being able to find the right people, their skills and whether they are available for assignments etc. This is more than just a corporate directory.

Instant messaging and communications: often messaging is tightly integrated into the networking application so that a person can move seamlessly from reading content to responding via email, voice, communicator etc.

Profiling: tools now log the behaviour of the user and build up a profile (e.g. who are your contacts; what you have in common with other people, what assets you most often ?).

Blogs and wikis: content generated by users, allowing feed-back etc. This can range from the formal (e.g. a chief executive weekly summary instead of emails) to the very informal (staff views).

Virtual community building: creating communities of interest which cut across normal organisational boundaries (e.g. diversity groups, policy areas, career homes etc).

It is note-worthy that a high proportion of NHS staff are using external OSNs for all of the above because there is simply nothing on offer within the organisation with the same level of functionality and because they belong to professional and special-interest communities (that go far beyond the confines of a single NHS board or practice). A clinician may for example use a professional OSN like Doctors.net.uk to find a colleague who does not appear on an official directory that is out of date; he may then open a free web-mail account with the same OSN and contribute to a discussion group. There is a growing recognition that routinely putting non-document based content, news and views onto external rather than internal online networks can undermine an organisation's knowledge retention strategy. But given the current financial climate there is far less scope for investment in corporate networking and knowledge management tools. The organisation is then faced with two options:

a) Doing without internal tools and being resigned to the fact that staff will use external ones in their own time (there may even be an attempt to discourage or block their use in the workplace)

OR

b) Attempt to harness OSNs by giving all or certain staff access to at least some of them (subject to clear codes of conduct) and even endorsing heavier participation in selected sites that are deemed to be in the interests of the organisation.

The main advantages of taking the latter more pragmatic approach are:

The burden of hosting data and running a service is undertaken by a third party

Often the OSN functionality is far richer and more user-friendly than any off-the-shelf product an organisation might procure itself. Much of the cost of products like Sharepoint relates to the configuration (e.g. search engines, look-and-feel, templates, keeping versions up to date etc). Internal tools can soon look rather dated compared to what staff are using at home.

The social reach is far greater than with internal tools; officials wishing to collaborate with others across multiple bodies on different IT networks can do so (e.g. for NHS boards to work together on projects). This cuts down on emails, phone calls and ad-hoc data sharing methods.

The main disadvantages are:

There is a lack of control over the management of content; the data is being hosted by a company at a location over which the public body has little or no control (e.g. it may even be outside the EU).

Security and legal risks (discussed in section 7) that result from the content, the social interactions and malware.

Although resources may be saved by not hosting services internally, consumption of OSN can create service and capacity issues (e.g. staff using bandwidth-hungry applications such as video streaming over infrastructure not designed for it).

Knowledge and information leakage; staff may upload key documents, corporate records and knowledge onto the external OSNs in preference to internal corporate tools. Such behaviour creates compliance risks (e.g. FOI/DPA) and deprives the organisation of content it owns.

Putting together a clear action plan to support knowledge sharing using OSN internally (and between partner bodies) often means that the organisation is then well placed to exploit OSN for interaction with the public at large. Lessons will have been learned in a relatively safe environment and more staff will have become familiar with OSN functionality.

5. What are the first wave OSN applications for NHS Scotland?

The purposes to which OSNs can be put for interaction with the wider public are vast, so there needs to be focus on the first wave of applications which a) are relatively low risk from a security/compliance angle; b) create maximum impact from very little outlay and support and c) can be used as a launch pad for more ambitious usage of OSN in the future. When considering how to deploy OSN the following must be considered at the outset:

Does the OSN offer something which existing channels cannot? (e.g. wider social reach).

Is OSN going to be mixed in with existing channels? (i.e. will it reinforce, or could it potentially conflict with, messages from official web-sites).

Will existing OSNs be utilised rather than building new ones? (i.e. if the latter then there needs to be a unique selling point that only the NHS can offer, such as transactions or access to own data).

What resources are in place to generate or monitor content: (i.e. there is no point in putting up content if no one in NHS is actually monitoring the responses or doing analysis).

Does the OSN purpose require staff outside e-communications to have access to the web-sites? (i.e. if policy makers are blocked from accessing the sites then they will not be able to engage with those they need to).

Has a risk assessment been carried out which will take into account any security or legal concerns?

The implications of using OSN criss-cross organisational boundaries so it is vital that there is adequate participation from Corporate Communications, IT, security and HR teams. Any OSN small project team needs to focus as far as possible on requirements rather than products at this stage.

Figure 2: Summary of first wave applications for OSNs in eHealth

Columns: First wave OSN category; Examples; Benefits over existing channels

Business continuity communications
   Examples: Severe weather events; flu epidemics
   Benefits: IT systems may be down; social reach for anyone with a web-enabled mobile phone

News and announcements
   Examples: New facility opened
   Benefits: Followers on OSN who may never want to visit the official web site

Public education/health campaigns
   Examples: Stop Smoking
   Benefits: Content is embedded among user-tips; tone is more light hearted and less censorious

Understanding and monitoring public opinion
   Examples: Plant story on new eHealth application
   Benefits: Test the water; gather intelligence before making big investments

Professional network support
   Examples: Nurses, GPs
   Benefits: Provides content on regulations that may affect the community

Patient support groups
   Examples: Cancer charity
   Benefits: Provide sign-posts to NHS Inform; GPS location finder for help

Transactions support
   Examples: Bookings
   Benefits: OSN content induces people to use the booking system

Patient data access support
   Examples: Diabetes clinical correspondence
   Benefits: Would otherwise have to send hard-copy or email (which may be less secure)

Public health data collection
   Examples: Elderly perception of care/anxieties
   Benefits: Collect early evidence prior to investing in more traditional research

5.1 Business continuity communications

OSNs can be used to get key messages out quickly to a wide audience during emergencies. The winter of 2010/11 in Scotland was the worst for 40 years, leading to the closure of public buildings and schools. Some NHS boards used Twitter micro-blogs or announcements on Facebook to inform the public about the availability of services.

Traditional channels (such as bulk emails, telephone calls or updating front web pages) are not always an option if there is a disaster and IT systems are down. Micro-blogging could also be used to connect with employees as part of a continuity plan. Using OSNs in this way is also a good way of getting 'followers'. Most citizens may follow NHS tweets for the first time during bad weather but can be encouraged to maintain contact afterwards provided tweets remain relevant (e.g. for significant virus outbreaks rather than an avalanche of routine updates on services). The health organisation can also monitor reaction and feed-back contained in messages/tweets in order to gauge the effectiveness of its emergency response (e.g. customers suggesting that a road that provides access to a hospital is now open, or complaints). Some boards are Twitter 'followers' of public organisations such as the Meteorological Office, which enables them to aggregate and then condense lots of news-feeds relevant to their own audience.

5.2 News and announcements

Boards can upload subtly different news and announcements onto OSNs than mainstream channels such as official web-sites. NHS Lothian have used Twitter to show when the minor injuries clinic might be more appropriate for some cases than Accident and Emergency. This not only informs the public but can potentially help boards to free up resources by funnelling patients to the best place. The more informal nature of OSNs means that boards can put up announcements which would not normally make the front page of an official health board web-site (such as health charity and other community events) but which foster good relations and 'social presence'. The viral nature of OSNs means that word can get around more quickly than through other channels (companies call it 'guerrilla marketing').

5.3 Understanding and monitoring public opinion

The fundamental difference between normal e-communications via official web-sites and OSNs is that the 'funnel is reversed': i.e. more communications are coming in than going out. Each official health-related 'tweet', video-clip or news item on Facebook will generate far more of a response than was the case with traditional web feed-back forms. The key question is how the voluminous, un-moderated and often anonymous conversation threads can be monitored, captured and used for practical purposes.

Correcting factual inaccuracies

It is not the place for officials to enter into public debates. But there are cases where OSN conversation strings highlight straightforward inaccuracies (or even myths). Virtually all of the discussion boards relating to eCare for example repeated falsehoods (e.g. that this was a state database on children by the back-door). Such misunderstandings on influential sites such as Netmums (which has 1m+ members) can seriously impair the ability of health bodies to roll out new tools and services and get public acceptance for them. A news story which aims to correct a myth can be placed into OSN fora as part of an overall communications plan. Alternatively, there could be a 'hot seat' session where for a limited time-slot a senior official (or minister) might host a question and answer session. This is safer than entering into conversation strings already initiated by citizens (i.e. it could be construed as state interference or even political opinion shaping).

Straw-poll canvassing

The un-controlled and anonymous nature of OSNs means that they cannot as yet really replace formal public consultations and statistical analysis. But OSNs can offer a quick and easy way to 'test the water' before making significant investment in new services or creating new policies. The proposed Healthier Twitter for example can allow ministers to give flagship policies an airing. Too many web 1.0 applications in the early 2000s were designed by IT professionals and officials 'in search of customers'. If for example a very large (albeit un-scientific) sample of tweets and conversation threads gave overwhelmingly negative views on the functionality of a proposed e-health patient access application then it might give rise to investing in further public consultation to check this prior to making significant investment in a service which might not take off (e.g. because there is not enough trust in the authentication proposed or concerns about erosion of privacy). Sites such as Patient Opinion and dash-boards on hospital Facebook sites are already collecting patient experiences. The Patients Rights (Scotland) Act 2011 specifies that NHS bodies should 'encourage patients to give feedback or comments, or raise concerns or complaints, on health care'.3

Data Collection

In the US it is increasingly common for third sector organisations to ask for 'data donation': that is, where members of OSNs volunteer their data for not-for-profit research. Many patient advocacy groups and clinicians are working for example to capture data on off-label drug use via anonymous contacts on OSNs. Though the data collected is less scientific than from traditional routes, its value lies in the fact that it comes from segments of the population who are dispersed or hard to reach (e.g. people who would not normally admit to taking a drug for non-approved purposes). NHS organisations could take a keener interest in this type of methodology (without actually attempting to do medical data collection via OSN themselves) or choose to do data collection in a very low risk area (e.g. a request for elderly people in a territorial board to send in anonymously their top three concerns for the coming winter). This could provide a spring-board for more targeted research. Similarly, those working in public health surveillance can use data from OSN (along with geo-spatial coordinates) to build up an early impression of disease outbreaks.

5.4 Public education and health campaigns

OSNs can be incorporated into wider public health campaigns. 'Tweet what you can eat' (healthier eating), 'quitter twitter' (give up smoking), 'helping those, helping others' (Blood Donation) are just some of the blogs/discussion fora set up by boards. The advantage of OSN here is that the official content is mixed in with tips and self-help sent in by the public. The informal and less censorious tone can be more accessible than some poster/web-site campaigns.

3 Section 14 Encouragement of patient feed-back

5.5 Professional network support

As discussed in Section 4, external networks can be used where there are no internal OSN tools (e.g. nurses working in a board may be encouraged to use a particular respected OSN in preference to others to prevent knowledge being dispersed too widely). But health boards also need to be engaged with professional groups. The news stories and communications here can be tailored differently from those to the wider population (e.g. emphasis on a change in regulations that affects the membership). Care does need to be taken here as many professional groups jealously guard their independence and may have views at odds with government policy. NHSonline.net for example states clearly that it has no affiliation to the NHS or Department for Health (England) and is "therefore not subject to censorship by these organisations".

5.6 Patient support groups

There has been an explosion of interest in 'medical support sites'. More than two thirds of all health-related searches start at search engines (e.g. Googling a health condition in order to find a support group). The quality varies enormously from respected charities to commercial companies (basically marketing tools dressed up as OSN) to sites set up by one individual on a kitchen table. NHS Scotland already provides high quality advice (e.g. NHS Inform) and sign-posts to support groups. On the whole it does not make practical sense for the NHS to compete with or duplicate these existing groups. Many have grown up over years and have a strong brand. The question instead is how far the NHS should actively engage with any of these existing OSNs by sponsorship, providing content and two-way interaction. If OSNs are chosen carefully there are many mutual benefits: members of the OSN can be informed about new health services in a given area (e.g. via post-code) and links can be placed to comprehensive advice on the official web-site.

5.7 Transactions support

Where there is a stronger case for the NHS to build its own OSNs is where it is in conjunction with health transactions and patient data access (i.e. something which no other organisation or charity can offer because it does not have the data). The My Diabetes My Way pilot is a good example because the unique selling point has been access to own clinical correspondence (with authentication linked to Citizen Account) alongside more standard OSN functionality. OSNs can be harnessed as a means to encourage use of online health tools. Gaining public confidence in 'official' tools is an important part of any eHealth strategy. In NHS England for example there are OSN pilots aimed at the 18-24 age group which promote Chlamydia testing. The idea is that interactive content will a) encourage the target group to get tested and show how it can be done; b) allow users to give feed-back or air anxieties which can then lead to the NHS re-designing the functionality.

PART B

6 Security risks and mitigation plans

Security is usually cited as the main reason why health boards are reluctant to adopt OSNs (even for the lower risk purposes described above). Much of the generic guidance produced by the OSNs themselves tends to be broad-brush and does not make the distinction between organisational risks and risks to individuals using them in their personal life. Just asking employees to “be responsible” and use “common-sense” is not enough as many of the risks are subtle and affect even the most security-aware individuals. The aim of part B is to:

Examine the subject within the NHS Scotland healthcare context

Take 'security' in the widest possible sense; to include associated legal and reputational issues

Identify the key risks to the health organisation and risks to staff acting as individuals in work and home environments (and where there are overlaps)

This paper is not designed to be a definitive list of 'do's and don'ts' (such a simplistic approach is impossible given all the variables in 22 boards). The aim instead is to highlight the practical steps boards can take to reduce risks to an acceptable level through better governance, staff awareness/training and where possible technical measures.

7 Risks to the organisations through own usage of OSN

The following risks relate to the organisation's own usage of OSN and where staff are using OSN in the work environment:

7.1 Site sabotage and hijacking

Organisations need to think carefully about how they would deal with their OSN pages/profiles being attacked and either taken offline or taken over. As the content is hosted by a third party (with no contractual commitment) there is little that can be done other than attempting to close down the whole space. At the moment OSNs are just one very minor channel for communications, but as usage increases the organisation will need to cope with the following scenarios:

Take-over/spoofing: someone manages to log into the official NHS OSN account and remove content or even write spurious content which purports to be official. If this goes undetected or cannot be taken down quickly then it could seriously undermine services, communications and public trust (e.g. spoof ministerial/executive tweets or false allegations about staff/boards etc).

Loss of service: the OSN could simply fail for any number of technical reasons. This could be problematic in situations where a particular site has become a key plank in a communications process (e.g. weather warning/site closure alerts reliant on Facebook/Twitter rather than phone).

Hacktivism is a relatively new phenomenon: this is where attacks are made primarily to prove a point rather than for monetary gain. The NHS has not so far been top of the list of targets (although the Lulzsec group did hack into NHS web-sites to highlight vulnerabilities) but this could soon change if Scottish health service reforms or new services become controversial (e.g. closure of health centres, back-tracking on policy commitments for services etc).

Counter measures

Governance Decide on a channel strategy (i.e. where OSN fits into communications/services). Assume sabotage will happen at some point, so put in place a plan of action for dealing with it (e.g. how you can inform customers, through a more trusted channel such as the official web-site hosted internally, that there is a problem, and correct the spoof content). Find out from the OSN the process for dealing with the problem (e.g. will it be minutes or days before a sabotage is corrected?) and whether there is any OSN moderation.

People/Guidance Training for the OSN engagement team on how to write content which is less likely to generate attacks (e.g. avoid overtly political or lecturing tones).

Technical It should be assumed that OSN is not robust for essential communications and alternative trusted channels will need to have greater resilience at a time of emergency (e.g. is the board's email exchange server, web-server etc able to cope when everyone is working at home due to snow?)

7.2 Legal risks through official OSN interactions

The whole point of OSNs is to be 'interactive' but this does not necessarily mean interaction with each individual that places content onto the NHS site. When individuals place a question, make a factually inaccurate remark or appear to be in distress there is a natural instinct on the part of officials running the OSN profile/site to answer. But there are some significant problems here for the organisation:

Once you start answering personal queries/remarks/threads then there will be an expectation that this is a full-blown enquiry and answer service. Boards may not have the capacity to do this and it could conflict with existing channels.

OSNs operate at a much faster pace than traditional routes. This can bring many advantages (e.g. dealing with quick enquiries online, giving sign-posts where to find help and therefore cutting down on the volumes of phone calls/letters to boards) but it can also pose legal and safety problems when it starts to touch the clinical arena. For example, a user on a Blood Transfusion/Board Safety OSN page might ask for what seems simple advice. But the organisation exposes itself to legal problems if its reply, given by a non-specialist to an anonymous person in a hurry, is later perceived to be wrong by the recipient.

Counter measures

Governance Be clear at design phase how the organisation will interact and deal with queries etc (e.g. policy not to deal with any individuals but a block answer?), who will do the interactions (e.g. only specially trained staff?) and subject areas which are out of bounds (e.g. not to touch on clinical areas unless a special clinical hot seat is created?).

People/Guidance Training for OSN engagement team on how to answer questions; knowing how to put up 'sign-posts' in preference to giving advice on the hoof.

Technical Find out how moderation works; how long content is being kept for by the OSN, how anonymous is sign-on/registration, how can organised groups create false accounts to create traffic that disrupts the service.

7.3 Information leakage as a result of inadequate permissions

Where an NHS organisation uses a public OSN it is generally assumed that all the information placed there is unclassified and does not therefore require site permissions (i.e. if you are going to put up content you expect everyone to see it). But as OSN use in public bodies takes off there may be a perceived need to segment the data according to user group to create semi-private spaces (e.g. a drug addiction support OSN user group logging into one separate area). This approach is already used in the professional group OSNs (e.g. organisations create their own Yammer/Huddle space or bubble). But the organisation needs to consider the impact if the permissions simply fail:

Faults in the biggest OSNs have led to permissions or privacy settings not working; this has allowed personal data, which the user expected to be open only to specified users, to be made available to everyone (which can mean millions of subscribers). An NHS online site in England that stores CVs recently failed, leading to personal data being available to the whole NHS community until it was fixed.

Counter measures

Governance When using public OSNs ensure that all information is unclassified; use segmentation of information (e.g. creating lots of user groups/profile pages) for administrative ease rather than as security permissions. (i.e. assume everyone can see it). In the case of OSNs for corporate use seek advice from security if it is to be used up to PROTECT (e.g. accreditation to this level is possible with certain sites).

People/Guidance Inform all staff that although information is unclassified this does not necessarily mean that it is disclosable for the purposes of FOI.

Technical Monitor permissions failures in OSNs; so as to report back to the business.

7.4 Content management issues

When using OSNs there is very little control which can be exerted over the lay-out and ownership of content.

Advertisers for medical products and services will try any means to give the impression of 'official' endorsement, including placing content adjacent to NHS material.

In many cases the ownership of all content becomes the property of the OSN. The public body does not have an automatic ability to take content down (even if it is offensive or in direct conflict with NHS advice). In fact taking content down can prove to be counter-productive in some cases.

Where an OSN is used for professional purposes (e.g. staff knowledge sharing tool) care needs to be taken that sensitive internal documents are not uploaded and that version control is not lost (e.g. un-redacted board minutes going up on an OSN with redacted version on the official NHS website).

Counter measures

Governance Needs to be clear who is able to upload documents and a process to ensure that the documents are final and approved for public dissemination. Write copyright statements (e.g. ownership of documents is still with NHS).

People/Guidance Training of OSN engagement team; making clear that the type of content is different from standard official web-sites. Focus on shorter informal bursts rather than monologues.

Technical Agree a retention policy for corporate OSNs (i.e. if it is assumed that records are held in the organisation then the OSN copy of the content can be deleted quickly when no longer used). Check in advance the OSN's advertising policy and controls over layout.

7.5 Risks relating to staff usage of OSN in the workplace

When an organisation has adopted OSNs there is the obvious need for a group of staff to be able to see and interact with those sites. In a tightly controlled environment this might just be a handful of external communications experts or a team of policy staff monitoring content. But the larger the group with access (e.g. the whole organisation) the more there is the risk of staff crossing the professional lines:

In theory when an NHS OSN profile/page is launched there are in effect two groups of organisational users: a) those in the OSN engagement team who can officially update and reply to content posted by those outside the organisation and b) those within the wider organisation who may be able to look at content but should not interact. But such a neat distinction is not always easy to maintain; many in the latter group may choose to put up content which might conflict with the official line. There could then be an unseemly online debate between two sets of officials relating to health services or policy.

Access to the whole OSN (e.g. Facebook) then gives staff the technical ability (though not necessarily the permission) to use that site for personal purposes at work. This brings with it all the risks to the employee outlined below.

Where the employee acts using NHS computing resources (rather than at home) there is a greater legal liability to the organisation. This risk is not new (i.e. staff have long been able to send inappropriate email from web-based accounts while at work if the sites are not blocked). But the spontaneous nature of OSNs, and their reach to millions of people, means the impact is far greater. For example if libellous, offensive or criminal content is posted while at work the organisation is likely to be dragged into any litigation. Even if NHS login/email address is not used to sign into the OSN, the IP address can still be traced back to the board.

The offensiveness of material is generally higher in a work context. For example, several clinicians in Glasgow have been disciplined for posting such material online. The images, taken in a different context – such as at home – may have seemed innocuous, but because the staff were on duty it affected the reputation of the profession and the organisation.

7.6 Importation of malware into health systems

Usage of OSNs significantly increases the likelihood of malware (such as viruses, trojans and worms) being imported into NHS networks even where robust anti-virus (AV) measures are in place. This type of importation is indiscriminate (i.e. the NHS is not usually the subject of a targeted attack but has picked up malware in general circulation). Malware can go undetected for months (as AV software tends to scan for known objects rather than unknowns) and can shut down whole networks. The reasons for this are:

Many OSNs use third party messaging/chat applications (which run on servers over which the OSN has no control). Such applications are a weak spot from which attacks can be made on the user's PC/network. Many distributed 'botnets' (where multiple PCs are in effect 'taken over' to perform malicious attacks) rely on PCs having access to such applications. This contrasts with the current position where staff who use messaging/chat applications (e.g. Microsoft Communicator) are always on the internal network.

OSNs generally require an email address and these can be harvested and used for attacks or spamming. The more NHS email account names are entered, the greater the likelihood of spear-phishing (i.e. where malware, bundled in a convincing attachment, is sent to recipients from what looks to be an NHS colleague).

OSNs have features which are more likely to 'bait' staff into clicking on links which download malware. Some are obvious (e.g. sensational news stories, prizes etc) whereas others are more subtle (e.g. click here 'if you do not wish to receive marketing').

Counter measures

Governance Decide on whether some of the riskier applications are really required for the organisation's online presence. If the answer is yes, decide on which individuals should be using them (i.e. there is usually no need for the whole organisation to have access to these tools).

People/Guidance Issue simple desktop guidance on the top five things to do to prevent malware being introduced into the organisation, for those PCs which are not locked down (e.g. never click on attachments from unknown sources; only the designated OSN administrators should enter a generic NHS email address).

Technical Apart from ensuring AV software and security patches are up to date, there needs to be timely reporting by the user community of anomalies (e.g. signs that a PC has become part of a botnet); business continuity plans and quarantine plans need to be in place in case of a serious outbreak.

7.7 Capacity and time-wasting issues

One of the main reasons why boards have not adopted OSNs more readily is lack of bandwidth. The download of bandwidth-hungry video clips in particular can mean that other business-critical web-based activities are affected.

As with other online activity there are operational risks associated with 'time wasting' by staff. OSNs can be highly 'addictive' and many employees will have grown accustomed to updating content throughout the working day.

Blanket banning of web-sites from the office network can just mean that staff switch to using personal web-enabled mobile devices while in the work-place.

Counter measures

Governance Be clear who can have access to OSNs in order to do their job. In an NHS territorial board context it is highly unlikely that the whole organisation would need access to OSNs. But for special boards it may be that the channel strategy expects staff to gain visibility of what customers are talking about online.

People/Guidance Guidance for all staff which goes beyond use of organisational computing resources; staff are now bringing in their own equipment and connecting online via short-range wireless (e.g. Wi-Fi) or cellular networks. So there needs to be a fair usage approach.

Technical To advise the OSN engagement team on how access can be managed (e.g. sometimes access can be just to the official organisation page on Facebook/Twitter rather than the whole site). To consider whether a separate internet-pipe is needed for communications staff (i.e. rather than using N3). Do some modelling on how x users on a particular site would impact capacity.


8 Risks relating to OSN usage by NHS employees outside work

Even if the NHS were to do nothing in the OSN space and block access at work it would still be exposed to security and reputational risks relating to employee usage of them in their home life.

8.1 Capturing credentials for malicious purpose

Many users of OSNs make clear in their profiles/pages that they are NHS employees. If such users also use NHS credentials as part of their login (e.g. an NHS email address, and the same passwords as used at work) then this can compromise the security of the work environment.

If a user habitually uses the same password(s), or one of the most common passwords, in their home life (e.g. for OSNs), then if that password is captured with context (i.e. a would-be attacker knows exactly where the user works) it could be used to gain access to online NHS applications or internal systems.

Currently 'single sign-on' is being rolled out across some boards; this means that obtaining one password will grant access to multiple applications. Many would-be attackers are insiders with access to the building and PCs; if they are able to log in using captured credentials then the audit trail would show only the name of the official user.

At least one key NHS application allows changes of passwords based on personal detail prompts (e.g. mother's maiden name, place of birth, pets etc). Much of this is easily picked up on OSNs (e.g. by aggregating bits from several sites to get a complete picture of an individual).

Counter measures

Governance Update existing policies to make clear that the use of official NHS mail addresses or credentials in a non-work (e.g. online social networking) context is prohibited. Sanctions for transgressions.

People/Guidance Awareness campaign with the top five things to protect staff work identity (e.g. never use work passwords; never give out work email or phone number on personal OSNs etc). But bear in mind that many employees (especially senior managers) will already have their work details online as part of government transparency/FOI etc. The ICO has made clear that public servants do not have an absolute right to anonymity.

Technical When developing identity and access models in the NHS, consider how staff are operating in the home environment. Develop subtly different ways of authentication (e.g. stronger passwords and prompts, two-factor authentication, biometrics etc) so that if a person's identity is compromised at home it minimises the impact on the organisation.

8.2 Social engineering to obtain information

As well as capturing credentials there are other types of NHS information which can be obtained using deceitful – but not necessarily illegal – techniques that play on people's natural instincts and 'hook' them in. There is a large market for the type of data held in the NHS.

So-called information brokers or aggregators are paid to source addresses/employers and other key data; they are increasingly aware of the types of information systems within the NHS and the people who have access to them.

The so-called 'phone-hacking' scandal in the UK has shown how private detectives can use illegal methods to obtain data (e.g. gaining access to voice-mail and using insiders at telcos). But some individuals leave the door wide open in their personal online profiles to debt collection and tracing agencies, activists, researchers, companies in healthcare or organised criminals (e.g. for fraud or intimidation purposes).

Some healthcare staff have access to controlled drugs and materials which can be used by terrorists for biological, chemical or even radioactive attacks. OSNs are both a place to hide (for anonymous conversations) and a place to air extreme views and hook in staff.

Although NHS Scotland does not offer the same scope as banks etc to steal hard cash it does have a budget of c. £10 billion, considerable movable assets (e.g. IT hardware, drugs), a catalogue of services which can be fraudulently obtained (e.g. repeat prescriptions) and a pool of people – patients and staff – who have often dropped their guard in stressful situations. OSNs offer data in abundance from which to plan an attack from a remote location (whereas in the past physical surveillance of sites and people would have been necessary).

Counter measures

Governance To put in place an alert procedure whereby an employee can contact HR/security if he/she feels that NHS data as well as personal data has been unwittingly passed on during online chats/blogs at home. Early notification can mean that the organisation can take steps to warn other staff and lessen impact.

People/Guidance Staff awareness campaign; e.g. staff not to enter into OSN conversations with patients; to look out for unwanted attention that arises from their employment in the NHS. Many professional groups such as the British Medical Association and the Nursing and Midwifery Council have recently drawn up guidance for their own members.

Technical Make regular security assessments of the people and assets which are vulnerable; to ensure that information about them is tightly restricted so that there is far less scope for them to be talked about in OSNs or anywhere else (e.g. the location or procedures governing hazardous materials). Step up protective security in sensitive areas wherever possible (e.g. swipe card readers). Assume that information in some areas of NHS is bound to get discussed online whatever steps you take (e.g. admittance of high profile patients, sacking of staff). To put in place more robust audit mechanisms around access to NHS systems and be able to monitor staff use of OSNs (where there is a formal investigation).

8.3 Putting up offensive or inappropriate content

Individuals using OSNs – who can be identified as NHS employees – can cause serious reputational damage to organisations as a result of the content they upload. The use of web enabled mobile devices in particular can lead to impulsive behaviour which users often later regret.


Once content has gone online (e.g. a picture on a profile) it is virtually impossible to remove completely, as followers with access may have copies and have distributed them world-wide within minutes. Some content is obviously inappropriate (e.g. explicit pictures that identify staff) or illegal (patient identifiable data) but in other cases the employee may feel they are acting within their rights:

There are difficult ethical questions surrounding how far staff should be able to give personal views on the NHS (e.g. the leadership, colleagues, facilities, procedures etc).

Writing detailed descriptions of what is going on in the work-place (without mentioning staff or patients by name or being critical) can still be damaging. Change management resulting from organisational re-structuring and reform of patient services becomes much more difficult if staff are giving a running commentary on OSNs.

Counter measures

Governance Update existing policy documentation and weave in employee online behaviour. Much existing documentation only covers activity while at work or using work computing resources. This needs to be wider and cover behaviour using own mobile devices/equipment at home that can be damaging to the organisation. A blanket ban on discussing work may not always be useful as staff belong to professional networks (e.g. GPs, nurses) and may wish to share common concerns (without mentioning patients etc).

People/Guidance As a general rule employees should 'put away their badge' and act as individuals if giving general views about their organisation or political decisions, and should steer clear of attacks on individuals. Use the guidance material produced by professional bodies.

Technical There may be a need to monitor the activity of an employee on an OSN (e.g. if HR are investigating a complaint); if the updates to the OSN are taking place at home then there needs to be an agreed method of monitoring and recording that is proportionate (i.e. does not undermine a person's privacy without good grounds). This can be difficult if the online presence is relatively anonymous and audit trails are under the control of the OSN. Understand how liaison with the police would work before an incident actually happens (e.g. some constabularies have online crime experts).

8.4 Personal ID theft and safety risks

The police make a distinction between age-old crime 'facilitated by ICT' (e.g. extortion, theft) and new crime 'created by ICT' (e.g. denial of IT service). Both types of crime can be found in OSN space:

Harassment and bullying: some disputes start online and then escalate into real world conflict (i.e. several disputes on OSNs have led directly to murders) while in other cases it is the other way round (with a dispute starting in the work-place for example and then continuing in cyber-space). NHS staff are perhaps more vulnerable than most because of the very public nature of their work and the high emotion generated in health contexts. A patient with a grudge for example could seek out staff through OSNs. Cyber-stalking can in extreme cases lead to actual harassment or physical harm.

The risks of targeting are higher for staff working in sensitive areas with vulnerable groups and children.

ID theft ranges from indiscriminate harvesting of personal/work email addresses to focussing on an individual over a period to gain employer details, bank, National Insurance, date of birth etc. Login details and cookies are relatively easy to steal from people logging onto OSNs (which generally do not have secure login such as SSL) while in Wi-Fi hotspots.

The physical security of hospitals and surgeries is rarely high because of the volumes of people coming and going. An intruder – with or without a white coat – has a greater chance of blagging his way into wards or administrative buildings if he knows the names, exact job titles, departments, buildings and other contextual data relating to staff.

Patients too are at greater risk if information about their stay in hospital is broadcast on OSNs. Loose talk has always been a problem (e.g. when high profile persons are in hospital) but OSN functionality such as micro-blogs from Twitter and photo imaging from mobile devices in hospitals mean that the speed and reach is now far greater.

Location based risks: Many mobile applications attached to OSNs give precise geographical coordinates. Burglars for example are known to monitor them to seek out empty properties, and an employee's presence in a hospital/surgery can be pinpointed to within 10 metres if he/she has a device switched on and has subscribed to the service.

Counter measures

Governance As for 8.3; HR Policy on harassment/professional conduct may need to be updated to include activity in cyber space.

People/Guidance Simple guide on the types of business information which should never be revealed online as well as general rules about discussing work. Some of this is board-specific: in an ambulance service for example this might include daily fleeting for ambulances or control procedures for transporting medicines/human organs (things which could come out informally when writing a daily personal blog but get picked up by those with malicious intent). Be aware that logging on to OSNs while in wireless hotspots exposes the user to possible credential theft.

Technical To have a reporting procedure in place for theft or spoofing of personal ID as it is likely to affect the work ID (e.g. NHS mail address being used to send out malware/spam or a pseudo NHS address which uses a real name but does not have an official suffix). To be able to take an email account out of service quickly, change passwords, security passes etc.
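As an added example (not part of this policy, and not an NHS tool), the Python check below flags the 'pseudo NHS address' pattern described above: a real staff name, as local part or display name, on an unofficial or lookalike domain. The staff directory, the sample From: headers and the OFFICIAL_SUFFIX domain are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Placeholder for the board's real mail domain (not a real NHS domain).
OFFICIAL_SUFFIX = "nhs.example"

# Constructed staff directory: display name -> official address.
STAFF_DIRECTORY = {
    "Jane Smith": "jane.smith@nhs.example",
    "Tom Reid": "tom.reid@nhs.example",
}

# Constructed From: headers; lines 2 and 3 are the pseudo-NHS cases.
SAMPLE_HEADERS = [
    "From: Jane Smith <jane.smith@nhs.example>",
    "From: Jane Smith <jane.smith@webmail.example>",
    'From: "Tom Reid" <t.reid@nhs-example-mail.com>',
    "From: newsletter@shop.example",
]


def _norm(text: str) -> str:
    # Keep letters only, so "Jane Smith", "jane.smith" and "JaneSmith" compare equal.
    return re.sub(r"[^a-z]", "", text.lower())


def check_sender(display_name: str, address: str) -> list:
    """Reasons a sender looks like a pseudo-NHS address (empty list if none).
    Mail from OFFICIAL_SUFFIX itself is assumed to be authenticated upstream
    (SPF/DKIM) and is not judged here."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if domain == OFFICIAL_SUFFIX:
        return []
    reasons = []
    # A real staff name, as local part or display name, on a non-official domain.
    for staff_name, official in STAFF_DIRECTORY.items():
        if _norm(local) == _norm(official.split("@")[0]) or _norm(display_name) == _norm(staff_name):
            reasons.append("real staff name on non-official domain")
            break
    # A domain label that mimics the official suffix, e.g. nhs-example-mail.com.
    first = OFFICIAL_SUFFIX.split(".")[0]
    if any(lbl == first or lbl.startswith(first + "-") for lbl in domain.split(".")):
        reasons.append("lookalike domain")
    return reasons


def scan_from_headers(lines) -> list:
    """Apply check_sender to each 'From:' line; returns (line_no, address, reasons)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if not line.lower().startswith("from:"):
            continue
        name, addr = parseaddr(line[len("from:"):].strip())
        if "@" in addr:
            reasons = check_sender(name, addr)
            if reasons:
                findings.append((no, addr, reasons))
    return findings
```

Running scan_from_headers(SAMPLE_HEADERS) reports lines 2 and 3 only; a real deployment would feed it the board's directory export and mail gateway logs.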

8.5 Wider privacy issues

OSNs have so far rubbed against the grain of privacy legislation in Europe (such as the Data Protection Act) and the Privacy and Electronic Communications Regulations.

Much of the data placed by staff onto OSNs is sold on to third parties. Small print on joining is taken as consent to this activity.

When an individual decides to take a profile down there is often no commitment from OSNs that all the data will be permanently deleted.

New features are added to sites which could affect privacy (such as facial recognition software to provide names to photographs) without the user necessarily being aware of them.

Cookies have become more sophisticated and intrusive. Users can decide how far they wish to connect their web browsing activity to OSNs (e.g. Facebook 'likes'), but there have been allegations, for example, that connectivity between NHS Choices in England and an OSN could in effect generate a log of the medical health advice pages visited.

Counter measures

Governance If an OSN is being used for corporate purposes get assurances beforehand on what the company is doing with the data, where it is hosted etc.

People/Guidance Simple guidance on how to reduce risk at home (e.g. removing certain types of cookies, changing privacy settings, understanding 'fair processing' notices, how to complain to the Information Commissioner etc).

Technical To gather case-study evidence on good and bad practice relating to cookies and fair processing notices so it can be used when designing official NHS interactive services (e.g. patient portal) that rely on patient trust.

9 Conclusions

Targeted use of OSNs – internally and externally – for the first wave applications can bring considerable benefits and fits squarely with the eHealth strategic aims. It is important that security and legal anxieties surrounding OSNs do not lead to health boards simply ignoring or blocking them wholesale. OSNs are here to stay and many of the risks relate more to how individuals, in a personal capacity, behave while online rather than to the controlled and officially sanctioned content (or the analysis of other people's content) that boards produce. At the moment health boards have very little official OSN presence and most of the threats are indirect: boards, as organisations, are not being actively targeted online by criminals, terrorists or foreign agencies (but are at risk from the malware such groups have circulated). Most of the current threats are to individuals, who just happen to be employees of the NHS. And it is individuals, through personal use at home or in the work-place, who are exposing the organisation to reputational, legal and security risks. So even if boards had no presence in OSNs, these risks would not go away without concerted steps to change staff behaviour. The threat level is likely to increase in the coming months as:

Boards begin to use OSNs to a much greater extent in conjunction with online services (e.g. patient portals).

An even higher proportion of the 165,000 staff in NHS Scotland use OSNs for personal and professional networking.

As the security of e-commerce gets progressively tighter (e.g. better authentication, audit and monitoring), such groups will turn even more to OSNs as a weak spot from which to obtain personal data.

Criminals move into new areas of health-related fraud; malware attacks will become much more targeted than in the past (e.g. email with embedded malware sent to a specific person).

The risks to the organisation can be reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not leave it to lone enthusiasts) and put in place a realistic mixture of the governance, guidance and technical/security measures outlined above.