Online social networking: harnessing benefits and reducing risks

Daniel BeaumontSeptember 2011

NOT PROTECTIVELY MARKED

Polite disclaimer

• Some vendors/products are mentioned as examples. But should not be taken as a Scottish Government endorsement or preference of one social media site or product over another.

• The aim is to give an honest assessment to health informatics professionals attending the conference rather than a statement of government policy.

• I will outline the broad categories of risk and suggested counter-measures rather than a prescriptive set of ‘do’s and dont’s’. Each NHS board has its own specific requirements and policies.

Agenda

1) How Online social networking (OSN) fits into wider strategy for NHS citizen engagement

2) The first wave of relatively low risk purposes

3) Main risks of OSN to the organisation and to individual employees

4) Final thoughts

Who we are

The eHealth Programme aims to improve patient care through advances in technology, resulting in better access to health information, quicker test results for clinicians and joined-up GP and hospital services.

eHealth strategyPublished by Cabinet Secretary September 2011

Strong themes: patient self-management (especially long-term conditions)

- access to own clinical data (e.g. medications, allergies)- doing actual transactions online (e.g. bookings)- high quality interactive content

**patient spaces or portals

• Where does online social networking fit into all this?

• Will OSN be a help or a hindrance to these plans?

What is the current position?

Understandable apprehension

• ‘home-grown’ nature of OSNs (state participation is not always welcome and can seriously back-fire)

• Spectacular failures (e.g. Sites created by elected representatives sabotaged)

• E-communications professionals accustomed to controlling content on own servers

• IT security often prefer to simply block..if business has not articulated why it needs OSN access

Better to harness than simply block.....

Lack of channel strategy leads to:

• ‘lone enthusiasts’ who ..fight it out with IT

• Organisation has a Facebook site etc but staff blocked from accessing it in workplace (often the good reasons for blocking not well articulated to staff)

• ‘Scattergun approach’: really not clear why the public body is using OSN (is it just ‘to look up to date’?)....lots of content coming in but no one bothering to read it?

Lets not forgot internal OSNOSN functionality under-utilised by organisations with existing investments in

enterprise mgt tools : why jump to external sites?• .. people finding/profiles; instant messaging/comms, blogs/wikis, virtual

community building

• Sharepoint 2010

• Alfresco

• NHS Scotland• has 165,000 staff

What if you do not have internal OSN functionality..or the money to buy tools?

• Two main options:

• A) live without such tools, resigned to fact that staff use them own time (maybe block use in workplace)

• B) harness external OSN by giving staff access to at least some ‘officially sanctioned’ ones

Advantages of ‘piggy-backing’ on externally hosted sites...

• 1) burden hosting data and running service by another party

• 2) social reach far greater: i.e. Can invite partners outside organisation’s IT network into the space to collaborate on projects

• 3) OSN functionality is often far richer than anything internal (corporate internal tools tend to get dated easily)

Disadvantages of ‘piggy-backing’ on externally hosted sites...

• 1) lack of control over content (data hosted anywhere...US?)

• 2) security and legal risks

• 3) capacity/consumption issues (staff using web apps while at work)

• 4) knowledge and information leakage (staff uploading corporate assets onto external sites rather than capturing it internally)...when was the last time you saved to your official EDRM??

Where are you going to position your OSN tools? What is your social circumference?

5) Facebook

4) Huddle

3) Knowledge Network

2) Board extranet

1) Sharepoint

OSN: citizen-facing

• What are you going to use it for?• Where do I start?

Think requirements, not tools...• 1) does OSN offer something existing channels do not (e.g. wider

social reach, two-way interaction)

• 2) how is it going to complement rather than disrupt existing channels?

• 3) what resources will need to be in place to monitor content that public upload?

• 4) Why try to compete with excellent existing online support groups/established brands? Where is the demand from customers?

Which are the first wave NHS uses for OSN?

• Relatively low risk from security/compliance angle

• Create maximum impact from very little outlay and ongoing staff support

• Can be used as a launch pad for more ambitious usage in the future

First wave purposesCategory1) Business continuity communications2) News and announcements3) Public education and health campaigns4) Understanding and monitoring public opinion5) Professional network support6) Patient support groups7) Transactions support8) Patient data access support9) Public health data collection

Business continuity communications

Business continuity communications

• Micro-blogs like Twitter (closure buildings)

• Traditional channels fell down (e.g. Phone, email)

• Gain ‘followers’ during a winter emergency; then maintain interest with relevant tweets (e.g. Significant virus outbreaks rather than bombarding with routine updates on services).

• Health organisation monitors reaction and feed-back (to enable better planning)

• Health organisation to consume content from other public bodies and provide a relevant digest (police, Met office etc)

News and announcements

• Subtly different from content mainstream official web sites (things that might not make it onto your front-page)

• Social presence: community and charity events

• Much more informal in tone

• Re-directing public to resources (e.g. That minor injuries clinic is open and more appropriate than A and E for x condition...)

News and announcements

Understanding and monitoring public opinion

• Main difference OSN compared to normal e-comms is that the ‘funnel is reversed’: far more content coming back than going out

• How is the voluminous, un-moderated and often anonymous conversation threads going to be monitored and used for practical purposes?

Understanding public opinion: correcting falsehoods

• Correcting factual inaccuracies and myths: placing content to correct (e.g. eCare; eHealth programme = ehealth slimming company...) .

• ‘hot seat’ for senior executive or clinician

• **this is safer than entering into conversation strings with individuals or anything that could be seen and political opinion shaping.

Understanding public opinion: correcting falsehoods

Understanding public opinion: straw-poll canvassing

Understanding public opinion: straw-poll canvassing

• OSN cannot replace formal consultations and statistical analysis.

• Quick and easy way to test the water for new services/policies

• Large – albeit unscientific- sample of opinion can spur on formal public consultation prior to making significant investment (e.g. Applications which no one wants or has privacy/ethical concerns with).

Understanding public opinion: ‘data collection’

• Collecting data from hard to reach groups- e.g. US research on ‘off-label’ drug use via ‘data

donation’- for elderly: ‘what are your top three concerns’

approaching this winter

• Public health surveillance: twitter feeds into a geographical map showing seasonal flu

• **if not actually collecting data; NHS could be analysing data already out there

Understanding public opinion: services

Public health education/campaigns

• Incorporated into wider public health campaigns:- ‘tweet what your eat’ (healthier eating)

- ‘quitter twitter’ (give up smoking)- ‘helping those, helping others’ (Blood donation)

- Advantage here is that official content is mixed in with tips and self-help sent in by public

- **informal and less censorious tone more accessible than poster/web site campaigns.

Public health campaigns

Professional network support

• Some boards have no internal OSN tools; but encourage use of a respected one (e.g. doctors.net.uk)

• News stories are different from wider population: e.g. changes in regulations that affect professional groups

• **care needs to be taken as many professional groups jealously guard independence (e.g. NHSOnline clearly states it is not a mouthpiece of Dept for Health

Patient support groups

• Explosion of sites here; ranging from ‘kitchen-table’, to respected charities to medical company marketing (dressed up as support)

• Do we build OSN functionality onto own ‘official’ websites (e.g. NHSInform) or piggy-back onto existing OSNs and provide content or even funds?

• OSN can inform members about new services in area, provide sign-posts to advice

Transactions support

• Stronger case for NHS to build its own OSN where it in conjunction with health transactions or patient data access

• What are the risks to the health board of OSN interaction

• How can the risks be mitigated?

Putting together an organisational risk mitigation plan

• Need to go beyond generic guidance which just says. “use common sense”; “be responsible” etc

• Many risks subtle and affect even most security-aware individuals

• I cannot give a definitive list of ‘do’s and dont’s’ given all variables in 22 health boards

• Highlight practical steps: better governance, staff awareness and where possible technical measures

Main risk categories

1) Site sabotage and hijacking2) Legal risks through official OSN interactions3) Information leakage as a result of inadequate permissions4) Content management issues5) Risks relating to staff usage of OSN in the workplace6) Importation of malware into health systems7 Capacity and time-wasting issues8) Capturing credentials for malicious purposes9) Social engineering to obtain information10) Putting up offensive or inappropriate content11) ID theft and personal safety12) Wider privacy issues

Site sabotage and hijacking

• Take-over/spoofing: manages to log in, put up spurious content

• ‘Hacktivism’: relatively new threat for NHS

• How are you going to recover, minutes or days?

Site sabotage

Site sabotage and hijacking: counter measures

Example Counter measuresGovernance Assume sabotage will happen (you

are not hosting the data); how can you use more trusted channels to correct; how quickly can you get spoof content down?

People training/guidance Write content less likely to generate attacks (e.g. overtly political or lecturing tones)

Technical Other channels need be even more robust (e.g. Email and web-servers) when everyone working at home due to snow

Legal risks through official OSN interactions

• Whole point of OSN is to be interactive; but does not necessarily mean interaction with each individual

• Once you start answering: public then expect full blown enquiry and answer service (may not have staff capacity)

• Speed and anonymity: what if a non-specialist in a hurry gives advice on the hoof?

Legal risks through official OSN interactions

Legal risks through official OSN interactions: counter measures

Example Counter measuresGovernance Be clear at design stage how

you will interact (e.g. block answer?; areas out of bounds (e.g. Clinical?);

Guidance/people training OSN engagement team (not just anyone in office); how to put up sign-posts

Technical Find out how moderation works; how long content kept for; how easy to create an account

Content Management issues

• Little or no control over lay-out and ownership of content

• Advertisers for medical products (try anything to get ads adjacent to NHS content)

• Content property of OSN; not able to take it down

• Where OSN used also for documents; version control lost (e.g. Un-redacted, un-finalised minutes)

Content management issues

Content Management issues: counter measures

Example counter measuresGovernance Be clear who can upload official docs,

copyright statementsPeople training/guidance Training on type content: informal

bursts; no monologuestechnical Check OSN advertising policy,

corporate policy on versions/copies; controls layout, archiving

Privacy breach as a result of inadequate permissions

• As NHS use of OSN takes off there may be perceived need to segment data with walls (e.g. Invitation only space for drug addiction support group etc)

• Many professional sites already have ‘bubbles’ or spaces for members

• But regular faults in OSNs sites mean such permissions and ‘paper thin walls’ fail meaning every member can see data

Privacy breach as a result of inadequate permissions

Risks relating to staff usage of OSN in workplace

• In theory only small group selected staff update content; but other staff may comment (e.g. unseemly debate between different officials)

• Where using corporate computing resources; dragged into litigation (libel, criminal) IP address traced

• Offensiveness generally higher when content is in a work context

Risks relating to staff usage of OSN in workplace

Risks relating to staff usage of OSN in workplace: counter measures

Example counter measuresGovernance Update policies (more to ‘online

presence at work/out of work); and HR procedures

People training/guidance Point to professional codesTechnical Monitoring at work; can use in

conjunction with privacy breach detection systems

Importation malware into health systems

• Usage OSN significantly increases likelihood malware being imported (targeted or indiscriminate)

• Can go undetected for months and can shut down networks

• Third party apps on the OSNs are weak spot from which attacks can be made (e.g. Botnets)

• OSN harvesting of NHS emails; then used for spear-phishing attacks (people more likely open an NHS.net email with executable file attached)

• OSN have features which ‘bait staff’ into clicking onto links (e.g. Click here not to receive marketing, click here for news story, click here to update Adobe etc)

‘Click here’ scams becoming more sophisticated

Importation malware into health systems: counter measures

Example counter measuresGovernance Decide whether some riskier

applications are really required for organisation’s OSN presence; should whole org have access to them?

People training/guidance e.g. Top five things to avoid (emails unknown sources, executable files etc

technical Anti-AV up to date; timely reporting; steps finding which PC is on botnet etc

Capacity and time-wasting issues

• Highly addictive nature; staff accustomed checking throughout working day

• Blanket banning can just move onto personal mobile devices

• Some health orgs have very limited band-width; and this can affect speed more important web-apps

Capacity and time-wasting issues: counter measures

Example counter measuresGovernance Be clear who can access OSN to do

their job; all staff?, policy makers?, e- comms?

People training/guidance Guidance on fair usage approach; staff bringing in own equipment

Technical Create public wireless hotspot; can block sites (parts of sites), grant access specified persons.

What are main risks relating to OSN usage by NHS employees outside work?

Capturing credentials for malicious purposes

• Habitual use same passwords in home and work environments (especially vulnerable now with single-sign on to multiple applications in NHS)

• Password re-set at work based on common prompts (mother’s maiden name, pet etc); can easily find this on Facebook in minutes

• Many attacks are inside jobs (gain your credentials, then gain access to work network)

Capturing credentials for malicious purposes

Capturing credentials for malicious purposes: countermeasures

Example counter measuresGovernance Make clear use of NHS mail

addresses etc for personal use prohibited;

People training/guidance Use different credentials in workplace; awareness campaign passwords, be aware how much data on officials already out there (i.e. Via FOI)

technical Design away some risks when putting in work authentication (e.g. Password prompts); ways minimise impact if credentials misused.

Social engineering to obtain information

• Information brokers paid to source addresses/employers for key data

• Individuals leave door wide open personal profiles to activists, debt collectors as well as criminals etc

• Some health staff have access controlled drugs, chemicals, biological, radioactive and vast amounts of sensitive personal data on most population.

• NHS Scotland does not have same scope as banks for theft: but does have budget £10billion (drugs, computer assets etc). As e- commerce tightens health sector could be seen as soft target to gain data.

Social engineering to obtain information

Example counter measuresGovernance Alert procedures from employee to

organisation (data unwittingly passed on);

People training/guidance Staff awareness campaign; professional groups such as BMA, Nursing/Midwifery Council/ACAS have good guidance

Technical Regular security assessment of people and assets; protective security (swipe card access certain areas);

ID theft and personal safety risks

• Age old crime facilitated by IT (extortion, theft etc); and new crime created by IT (denial of service)

• Harassment and bullying (start in real world and continue in cyber-space or vice versa)

• Risks for staff working in sensitive areas, vulnerable adults/children

• ID theft (e.g. very easy capture OSN logins from wireless hot spots)

• Physical security not high in NHS because it is open to public 24/7

• Location-based risks (burglars target empty properties; knowing if you are in hospital building etc)

ID theft and personal safety risks

ID theft and personal safety risks: counter measures

Example counter measuresGovernance Update HR policy on harassment to

include cyber spacePeople training/guidance Guide on business information which

should never be revealed (e.g. Some things may seem innocuous when in a blog)

technical Reporting procedure theft/spoofing NHS IDs, able to take an email account out of service, change passwords, security passes etc

Wider privacy issues

• OSNs have rubbed against grain privacy legislation (e.g. e- communications, DPA)

• Much data sold onto third parties, small print on joining provides consent to all this

• No commitment from OSN that content will be permanently deleted when user takes a profile down

• New features that could affect privacy with no proper consultation (e.g. Facial recognition on your family snaps)

• Cookies have become much more intrusive and sophisticated (e.g. Cross over of navigation between OSN and other NHS sites).

Wider privacy issues

Last thoughts

• Do harness OSNs but be clear on what it is to be used for (and how it fits in with internal knowledge management and citizen engagement strategies)

• Start with the low risk areas I described rather than take plunge

• Get decision makers, IT security and HR together to go over the risk matrix and agree sensible counter-measures

• Remember: even if you do not go for any OSN for the organisation you cannot simply avoid the risks as a growing proportion of 165,000 staff are using them!

• ANNEX for workshop

• [Optional training materials]

SCENARIO ONE

During a management meeting your Chief Executive suggested that the board should do far more to engage with patients (especially on their experience while staying in hospital); he said “could we not do something on Facebook in the next week or two?”

• How will you advise your CEO at the next meeting?• How will you flesh out the requirements? • What tools might be good to meet them?• What are the main risks?• How would you reduce the risks?• How are you going to make the this happen (e.g. who in the board has to

be consulted).

SCENARIO TWO

• During a management meeting your Chief Executive said he was disappointed by the lack of knowledge management and online social networking for employees. He said “currently staff just file documents onto shared drives and then share all their views and knowledge when they logon to sites like Doctors.net….how can be capture all this stuff? Do we need to buy a new IT application?”

• How will you advise your CEO?

• How will you flesh out the requirements? • What tools might be good to meet them?• What are the main risks?• How would you reduce the risks?• How are you going to make the this happen (e.g. who in the board has to

be consulted).

SCENARIO THREE

• The Director of Operations has summoned you to her office. She says that the official NHS board news page on Facebook have been updated with nasty content that mentions among other things sensitive staff re-structuring that has not been announced and is now all over the press. She asks “how did this happen? Can you take the content down and can you assure me that it will not happen again?”

• What do you think has happened?• How can you get the content down and deal with the incident?• Is there anything you can do to stop this happening?

SCENARIO FOUR

• A colleague has asked you for advice. She is a member of several online social networks and is very open about where she works and what she does during daily conversations (though never mentions patients). Recently she has been chatting to a man on a dating site who said he also worked in the NHS as a nurse in a children’s hospital and seemed to be really understanding of her work issues. She tried to stop contact when he started to harp on about money problems. Now he is constantly emailing her NHS account, ringing the ward and threatening to post photos online that might affect her professional reputation.

• What advice would you give?• Does the board need to get involved?• What are the risks to the board?• What are the risks to the employee?