Harnessing Online Social Networking within NHSScotland: benefits … Social... · 2011-10-19
v.3 Consultation
Harnessing Online Social Networking within NHSScotland: Benefits and Risks
Purpose:
The aim of the two companion papers is to show how NHSScotland can harness
online social networking (OSN) to support the eHealth strategic aims in 2011-2014,
to outline the key risks to the organisation and finally how to put a mitigation plan in
place.
Executive Summary
OSNs can be used for internal as well as external facing purposes: within
organisations there are already Sharepoint-type tools which have OSN functionality
and it needs to be clear at the outset how usage of external OSN fits into an overall
corporate knowledge retention strategy. Usage of OSN to engage with the public via
transactions, knowledge/information services and patient data access brings eHealth
closer to achieving ‘patient portals’. Other first wave, low risk purposes to which
OSN functionality can be put are: business continuity communications,
news and announcements, understanding and monitoring public opinion, public
education/health campaigns, professional and patient network support. The main
security and legal risks to the organisation and to individual employees can be
reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not
leave it to lone enthusiasts) and put in place a realistic mixture of governance,
guidance/training and technical/security measures.
Contents
1. Online social networking and Scottish Government Strategy .... 3
1.1 Transactions that support self-management .... 3
1.2 Communications with the NHS and access to trusted advice .... 3
1.3 Access to health records and patient networking and support .... 4
2. Current position .... 5
3. Better to harness than simply block .... 5
4. Social Circumference: internal or external OSNs? .... 6
5. What are the first wave OSN applications for NHS Scotland? .... 10
5.1 Business continuity communications .... 12
5.2 News and announcements .... 13
5.3 Understanding and monitoring public opinion .... 13
5.4 Public education and health campaigns .... 15
5.5 Professional network support .... 16
5.6 Patient support groups .... 16
5.7 Transactions support .... 16
6. Security risks and mitigation plans .... 17
7. Risks to the organisation through own usage of OSN .... 18
7.1 Site sabotage and hijacking .... 18
7.2 Legal risks through official OSN interactions .... 19
7.3 Information leakage as a result of inadequate permissions .... 20
7.4 Content management issues .... 21
7.5 Risks relating to staff usage of OSN in the workplace .... 22
7.6 Importation of malware into health systems .... 23
7.7 Capacity and time-wasting issues .... 25
8. Risks relating to OSN usage by NHS employees outside work .... 26
8.1 Capturing credentials for malicious purposes .... 26
8.2 Social engineering to obtain information .... 27
8.3 Putting up offensive or inappropriate content .... 29
8.4 Personal ID theft and safety risks .... 30
8.5 Wider privacy issues .... 32
9. Conclusions .... 33
PART A
Realising the benefits
1. Online social networking and Scottish Government Strategy
Online citizen participation is a key plank in Scotland’s Digital Strategy and
specifically in eHealth there is an aim to create an environment that gives patients
the ability to equip themselves with the information they need to monitor and manage
their own health care as far as possible.1 An important question is how far online
social networking will bolster rather than hinder work in these areas.
1.1 Transactions that support self-management
There is enormous potential to use the web for patient transactions such as health
appointment bookings, data checking, e-prescriptions etc. IT investment in these
areas is often considerable in order to ensure that the web spaces can be secure,
easily accessible and well managed.
OSN can be used at design, release and steady state stages to ensure that these
significant investments hit the mark (i.e. are not solutions looking for customers).
Online health transactions, like OSNs, rely on very subtle two-way trust-based
interactions. Getting these transactions right, as online banks and shops have found,
is very difficult and a lot can be learned from OSNs.
1.2 Communications with the NHS and access to trusted advice
At the moment virtually all the NHSScotland online activity falls within this category.
There remains the need for high quality trusted content, like NHS Inform for
example, that is controlled by the host and ‘pulled’ when required by the site visitor.
This preserves the integrity of the announcements, sign-posts, news and medical
information in a way that non-official channels which allow interaction/editing cannot
(e.g. wikis, blogs and company-sponsored medical advice pages are often
misleading).

1 eHealth Strategy 2011-2017 published September 2011 (with a refresh due in 2014); The Digital Future: A Strategy for Scotland (March 2011).
However, NHS sites are increasingly used to communicate in real time and OSNs
can be an important part of an overall channel strategy and can inform policy (see
below). Similarly, hosting or participating in knowledge sharing – which requires
interactive tools – is an important part of the medical self-management aim.
One of the interesting side effects of the social networking growth is that relatively
old tools such as email, SMS and desk-top web conferencing are taking on a new
lease of life. The NHS therefore needs to re-appraise how these often over-looked
channels can be used for patient interaction. Whereas some clinical telehealth
purposes require considerable investment (hardware, special rooms, robust
connections etc) there are probably many more routine ‘keeping in touch’ type
sessions which could be carried out with lower cost consumer-type applications and
equipment.
1.3 Access to health records and patient networking and support
There is a growing demand for self access to clinical data in addition to the
established routes (e.g. Data Protection subject access requests). Evidence from
pilots such as My Diabetes My Way that allowed access to clinical information has
shown that a) the service is greatly valued; b) clinicians simply do not have the time
to go over all data and c) patients do not always understand what is being said
during visits to hospitals and like to mull over written evidence.
It is likely that having access to own data online (provided the right data fields are
chosen and it is done securely) can improve the success rate of both eHealth
transactions and the information/knowledge services: e.g. being able to check and
update medication/allergy details could help with e-pharmacy applications and
accessing clinical correspondence may induce patients to look at the right online
advice guide on NHS Inform.
All these areas – transactions, information services and patient data access – can be
integrated together to form virtual patient web-spaces. A landing page hosted by
NHSScotland could be personalised and provide sign-posts to one or more favourite
patient web-spaces (e.g. for a long-term condition). Secure authentication could then
be used where patient data is being accessed.
Understanding and harnessing OSN (in terms of technical design, content and
human behaviour) can bring NHSScotland closer to realising this vision.
2. Current position
Some health boards are already using OSNs as an additional e-channel for
communication (e.g. placing news and announcements onto Facebook or Twitter).
But the full potential of OSNs, which is based on interactions and not static content,
has yet to be exploited by public health organisations for the following reasons:
OSNs are by their very nature a ‘home grown’ phenomenon and almost
ungovernable. Virtually all of the innovation and momentum has come from
individuals (and increasingly the ‘third sector’) rather than state bodies, corporations
or universities. In fact public sector and corporate participation – if handled clumsily –
can seriously back-fire if it is perceived to be an attempt to undermine the democratic
spirit of OSNs. In turn, health officials, accustomed to controlling messages and their
own online content are understandably wary of setting foot into this legal mire. Some
of the recent impetus for OSN usage by public bodies has come from politicians; but
there have been some spectacular failures (e.g. wiki/blog sabotage) which have left
many bruised and unsure about what they should do, if anything, in the online
networking space. Any lingering doubts about the dangers of OSN are often
confirmed by the weight of security and legal opinion (universal blocking may seem
the safest approach).
3. Better to harness than simply block
Some health boards encourage the use of popular social media on their public-facing
web site and then block OSN usage within the work-place (and fail to promote
internal social networking tools). If employees are not informed of the often good
reasons behind this seemingly contradictory approach then it can cause friction
between staff and IT departments.
Similarly, there are examples of a ‘scattergun’ approach (where engagement with
OSNs is seemingly random and without real purpose). OSN continues to grow at an
exponential rate especially in the mobile application space. There needs to be a
more strategic and consistent approach to using OSNs in eHealth. It needs to be
clear that carefully targeted involvement with OSNs can bring a variety of solid
practical benefits (i.e. is not just a matter of seeming to look modern). The security
risks of OSN are very real (and discussed in part B) but are far more likely to be
mitigated when OSN is part of an overall plan and not left to enthusiasts who ‘go it
alone’ against a backdrop of general hostility.
4. Social Circumference: internal or external OSNs?
The focus of this paper is on external - or citizen driven - online social networks (e.g.
Facebook, Twitter etc). But it is worth stressing at the outset that there is a
considerable amount of social networking potential within NHS organisations. Any
OSN strategy needs to ascertain the width of the social circle. Fig 1 illustrates
different concentric circles for a fictitious health board and the appropriate tools that
might be used to meet the business and security requirements (after a risk
assessment).
Fig 1: Health board strategic positioning of internal and external OSN tools

[Figure: concentric circles, innermost to outermost: 1) Sharepoint; 2) Board extranet; 3) Knowledge; 4) Huddle; 5) Facebook]

Chosen OSN tools | Social circumference | Justification
1) Sharepoint | Core board staff | All staff to use this for internal networking; data held on internal network to RESTRICTED level
2) Extranet/external Sharepoint | Staff in core department and selected staff in other boards | Selected staff invited in; governance over documents uploaded. Possible accreditation to PROTECT
3) Communities of Practice or e-library | Staff in core department wishing to network with NHS staff across Scotland | NHS sponsored space which allows content upload to particular communities
4) Huddle/Yammer etc | Staff doing a wide consultation exercise with suppliers, charities, third sector etc | May be a fee for a hosted service (data held in UK); closed spaces for each project. Can be accredited to PROTECT if necessary with right design.
5) Facebook | Specific staff in board wishing to communicate with public or test public opinion | Free open to all site; technically there are closed spaces but data may be hosted abroad; data should not have any protective marking and few of the controls that exist in internal environment.
Without such planning an organisation could end up with a mismatch. There are for
example public bodies that use Internet-based OSNs as the de facto internal
knowledge sharing tool even when Sharepoint-type tools (which increasingly have
powerful OSN functionality) have already been purchased.2 This means that existing
investments are not being exploited and staff get confused as to where is the ‘official’
internal place to share ideas. And in reverse there are organisations contemplating
investment in external instances of KM tools or extranets to allow networking across
sponsored public bodies when a cheaper off-the-shelf networking service hosted by
Yammer or Huddle for example would suffice.
The key benefits to internal online social networking tools include:
- People finding: able to find the right people, their skills and whether they are available for assignments etc. This is more than just a corporate directory.
- Instant messaging and communications: often messaging is tightly integrated into the networking application so that a person can move seamlessly from reading content to responding via email, voice, communicator etc.
- Profiling: tools now log the behaviour of the user and build up a profile (e.g. who are your contacts; what you have in common with other people; what assets you most often access?).
- Blogs and wikis: content generated by users, allowing feed-back etc. This can range from formal (e.g. chief executive weekly summary instead of emails) to very informal (staff views).
- Virtual community building: creating communities of interest which cut across normal organisational boundaries (e.g. diversity groups, policy areas, career homes etc).
It is note-worthy that a high proportion of NHS staff are using external OSNs for
all of the above because there is simply nothing on offer within the organisation
with the same level of functionality and because they belong to professional and
special-interest communities (that go far and beyond the confines of a single
NHS board or practice). A clinician may for example use a professional OSN like
Doctors.net.uk to find a colleague who does not appear on an official directory
that is out of date; he may then open a free web-mail account with the same OSN
and contribute to a discussion group.

2 Scottish Government does not endorse any particular product/company. Sharepoint is fairly ubiquitous across boards and often part of an enterprise agreement. There are other players such as Alfresco.
There is a growing recognition that routinely putting non-document based content,
news and views onto external rather than internal online networks can undermine an
organisation’s knowledge retention strategy. But given the current financial climate
there is far less scope for investment in corporate networking and knowledge
management tools. The organisation is then faced with two options:
a) Doing without internal tools and being resigned to the fact that staff will use
external ones in their own time (there may even be an attempt to discourage or
block their use in the workplace)
OR
b) Attempt to harness OSNs by giving all or certain staff access to at least some
of them (subject to clear codes of conduct) and even endorsing heavier
participation in selected sites that are deemed to be in the interests of the
organisation.
The main advantages of taking the latter more pragmatic approach are:
- The burden of hosting data and running a service is undertaken by a third party.
- Often the OSN functionality is far richer and more user-friendly than any off-the-shelf product an organisation might procure itself. Much of the cost of products like Sharepoint relates to the configuration (e.g. search engines, look-and-feel, templates, keeping versions up to date etc). Internal tools can soon look rather dated compared to what staff are using at home.
- The social reach is far greater than with internal tools; officials can collaborate with others across multiple bodies on different IT networks (e.g. for NHS boards to work together on projects). This cuts down on emails, phone calls and ad-hoc data sharing methods.
The main disadvantages are:
- There is a lack of control over the management of content; the data is being hosted by a company at a location over which the public body has little or no control (e.g. may even be outside the EU).
- Security and legal risks (discussed in section 7) that result from the content, the social interactions and malware.
- Although resources may be saved by not hosting services internally, consumption of OSN can create service and capacity issues (e.g. staff using bandwidth-hungry applications such as video streaming over infrastructure not designed for it).
- Knowledge and information leakage: staff may upload key documents, corporate records and knowledge onto the external OSNs in preference to internal corporate tools. Such behaviour creates compliance risks (e.g. FOI/DPA) and deprives the organisation of content it owns.
Putting together a clear action plan to support knowledge sharing using OSN
internally (and between partner bodies) often means that the organisation is then
well placed to exploit OSN for interaction with the public at large. Lessons will have
been learned in a relatively safe environment and more staff will have become
familiar with OSN functionality.
5. What are the first wave OSN applications for NHS Scotland?
The purposes to which OSNs can be used for interaction with the wider public are
vast so there needs to be focus on the first wave of applications which a) are
relatively low risk from security/compliance angle; b) create maximum impact from
very little outlay and support and c) can be used as a launch pad for more ambitious
usage of OSN in the future.
When considering how to deploy OSN the following must be considered at the
outset:
- Does the OSN offer something which existing channels cannot? (e.g. wider social reach).
- Is OSN going to be mixed in with existing channels? (i.e. will it reinforce or could it potentially conflict with messages from official web-sites).
- Will existing OSNs be utilised rather than building new ones? (i.e. if the latter then there needs to be a unique selling point that only the NHS can offer, such as transactions or access to own data).
- What resources are in place to generate or monitor content? (i.e. there is no point in putting up content if no one in the NHS is actually monitoring the responses or doing analysis).
- Does the OSN purpose require staff outside e-communications to have access to the web-sites? (i.e. if policy makers are blocked from accessing the sites then they will not be able to engage with those they need to).
- Has a risk assessment been carried out which will take into account any security or legal concerns?
The implications of using OSN criss-cross organisational boundaries so it is vital that
there is adequate participation from Corporate Communications, IT, security and HR
teams. Any OSN small project team needs to focus as far as possible on
requirements rather than products at this stage.
Fig 2: Summary of first wave applications for OSNs in eHealth

First wave OSN category | Examples | Benefits over existing channels
Business continuity communications | Severe weather events; Flu epidemics | IT systems may be down; social reach for anyone with web-enabled mobile phone
News and announcements | New facility opened | Followers on OSN who may never want to visit official web site
Public education/health campaigns | Stop Smoking | Content is embedded among user-tips; tone is more light hearted and less censorious
Understanding and monitoring public opinion | Plant story on new eHealth application | Test the water; gather intelligence before making big investments
Professional network support | Nurses, GPs | Provide content on regulations that may affect community
Patient support groups | Cancer charity | Provide sign-posts to NHS Inform; GPS location finder for help
Transactions support | Bookings | OSN content induces people to use the booking system
Patient data access support | Diabetes clinical correspondence | Would otherwise have to send hard-copy or email (which may be less secure)
Public health data collection | Elderly perception of care/anxieties | Collect early evidence prior to investing in more traditional research
5.1 Business continuity communications
OSNs can be used to get key messages out quickly to a wide audience during
emergencies. The winter of 2010/11 in Scotland was the worst for 40 years leading
to the closure of public buildings and schools. Some NHS boards used Twitter
micro-blogs or announcements on Facebook to inform the public about the availability of
services. Traditional channels (such as bulk emails, telephone calls or updating front
web pages) are not always an option if there is a disaster and IT systems are down.
Micro-blogging could also be used to connect with employees as part of a continuity
plan.
Using OSNs in this way is also a good way of getting ‘followers’. Most citizens may
follow NHS tweets for the first time during bad weather but can be encouraged to
maintain contact afterwards provided tweets remain relevant (e.g. for significant virus
outbreaks rather than an avalanche of routine updates on services).
The health organisation can also monitor reaction and feed-back contained in
messages/tweets in order to gauge the effectiveness of its emergency response
(e.g. customers suggesting that a road that provides access to a hospital is now
open or complaints). Some boards are Twitter ‘followers’ of public organisations such
as the Meteorological Office which enables them to aggregate and then condense
lots of news-feeds relevant to their own audience.
5.2 News and announcements
Boards can upload subtly different news and announcements onto OSNs than
mainstream channels such as official web-sites. NHS Lothian have used Twitter to
show when the minor injuries clinic might be more appropriate for some cases than
Accident and Emergency. This not only informs the public but can potentially help
boards to free up resources by funnelling patients to the best place.
The more informal nature of OSNs means that boards can put announcements
which would not normally make the front page of an official health board web-site
(such as health charity and other community events) but which foster good relations
and ‘social presence’. The viral nature of OSNs means that word can get around
more quickly than other channels (companies call it ‘guerrilla marketing’).
5.3 Understanding and monitoring public opinion
The fundamental difference between normal e-communications via official web-sites
and OSNs is that the ‘funnel is reversed’: i.e. more communications are coming in
than going out. Each official health-related ‘tweet’, video-clip or news item on
Facebook will generate far more of a response than was the case with traditional web
feed-back forms. The key question is how can the voluminous, un-moderated and
often anonymous conversation threads be monitored, captured and used for
practical purposes?
Correcting factual inaccuracies
It is not the place for officials to enter into public debates. But there are cases where
OSN conversation strings highlight straightforward inaccuracies (or even myths).
Virtually all of the discussion boards relating to eCare for example repeated
falsehoods (e.g. that this was a state data-base on children by the back-door). Such
misunderstanding on influential sites such as Netmums (which has 1m+ members)
can seriously impair the ability of health bodies to roll out and get public acceptance
of new tools and services. A news story which aims to correct a myth can be placed
into OSN fora as part of an overall communications plan. Alternatively, there could
be a ‘hot seat’ session where for a limited time-slot a senior official (or minister)
might host a question and answer session. This is safer than entering into
conversation strings already initiated by citizens (i.e. could be construed as state
interference or even political opinion shaping).
Straw-poll canvassing
The un-controlled and anonymous nature of OSNs means that they cannot as yet
really replace formal public consultations and statistical analysis. But OSNs can offer
a quick and easy way to ‘test the water’ before making significant investment in new
services or creating new policies. The proposed Healthier Twitter for example can
allow ministers to give flagship policies an airing. Too many web 1.0 applications in
the early 2000s have been designed by IT professionals and officials ‘in search of
customers’. If for example a very large (albeit un-scientific) sample of tweets and
conversation threads gave overwhelmingly negative views on the functionality of a
proposed e-health patient access application then it might give rise to investing in
further public consultation to check this prior to making significant investment in a
service which might not take off (e.g. because there is not enough trust in the
authentication proposed or concerns about erosion of privacy).
Sites such as Patient Opinion and dash-boards on hospital Facebook sites are
already collecting patient experiences. The Patients Rights (Scotland) Act 2011
specifies that NHS bodies should “encourage patients to give feedback or
comments, or raise concerns or complaints, on health care”.3
Data Collection
In the US it is increasingly common for third sector organisations to ask for ‘data
donation’: that is where members of OSNs volunteer their data for not-for-profit
research. Many patient advocacy groups and clinicians are working for example to
capture data on off-label drug use via anonymous contacts on OSNs. Though the
data collected is less scientific than from traditional routes, its value lies in the fact
that it comes from segments of the population who are dispersed or hard to reach
(e.g. people who would not normally admit to taking a drug for non-approved
purposes). NHS organisations could take a keener interest in this type of
methodology (without actually attempting to do medical data collection via OSN
themselves) or choose to do data collection in a very low risk area (e.g. a request for
elderly people in a territorial board to send in anonymously their top three concerns
for the coming winter). This could provide a spring-board for more targeted research.
Similarly, those working in public health surveillance can use data from OSN - along
with geo-spatial coordinates - to build up an early impression of disease outbreaks.
5.4 Public education and health campaigns
OSNs can be incorporated into wider public health campaigns. ‘Tweet what you eat’
(healthier eating), ‘quitter twitter’ (give up smoking), ‘helping those, helping others’
(Blood Donation) are just some of the blogs/discussion fora set up by boards. The
advantage of OSN here is that the official content is mixed in with tips and self-help
sent in by the public. The informal and less censorious tone can be more accessible
than some poster/web-site campaigns.
3 Section 14 Encouragement of patient feed-back
5.5 Professional network support
As discussed in section 4, external online networks can be used where there are no
internal OSN tools (e.g. nurses working in a board may be encouraged to use a
particular respected OSN in preference to others to prevent knowledge being
dispersed too widely). But health boards also need to be engaged with professional
groups. The news stories and communications here can be tailored differently from
those to the wider population (e.g. emphasis on a change in regulations that affects
the membership). Care does need to be taken here as many professional groups
jealously guard their independence and may have views at odds with government
policy. NHSonline.net for example states clearly that it has no affiliation to NHS or
Department for Health (England) and “therefore not subject to censorship by these
organisations”.
5.6 Patient support groups
There has been an explosion of interest in ‘medical support sites’. More than two
thirds of all health-related searches start at search engines (e.g. Google a health
condition in order to find a support group). The quality varies enormously from
respected charities to commercial companies (basically marketing tools dressed up
as OSN) to sites set up by one individual on a kitchen table. NHS Scotland already
provides high quality advice (e.g. NHS Inform) and sign-posts to support groups. On
the whole it does not make practical sense for the NHS to compete with or duplicate
these existing groups. Many have grown up over many years and have a strong
brand. The question instead is how far the NHS should actively engage with any of
these existing OSNs by sponsorship, providing content and two-way interaction. If
OSNs are chosen carefully there are many mutual benefits: members of the OSN
can be informed about new health services in a given area (e.g. via post-code) and
links can be placed to comprehensive advice on official web-site.
5.7 Transactions support
There is a stronger case for the NHS to build its own OSNs where they are used in
conjunction with health transactions and patient data access (i.e. something which
no other organisation or charity can offer because it does not have the data). The My
Diabetes My Way pilot is a good example because the unique selling point has been
access to own clinical correspondence (with authentication linked to Citizen Account)
alongside more standard OSN functionality.
OSNs can be harnessed as a means to encourage use of online health tools.
Gaining public confidence in ‘official’ tools is an important part of any eHealth
strategy. In NHS England for example there are OSN pilots aimed at the 18-24 age
group which promote Chlamydia testing. The idea is that interactive content will a)
encourage the target group to get tested and show how it can be done; b) allow
users to give feed-back or air anxieties which can then lead to the NHS re-designing
the functionality.
PART B
6. Security risks and mitigation plans
Security is usually cited as the main reason why health boards are reluctant to adopt
OSNs (even for the lower risk purposes described above). Much of the generic
guidance produced by the OSNs themselves tends to be broad-brush and does not
make the distinction between organisational risks and risks to individuals using them
in their personal life. Just asking employees to “be responsible” and use “common
sense” is not enough as many of the risks are subtle and affect even the most
security-aware individuals. The aim of part B is to:
- Examine the subject within the NHSScotland healthcare context
- Take ‘security’ in the widest possible sense; to include associated legal and reputational issues
- Identify the key risks to the health organisation and risks to staff acting as individuals in work and home environments (and where there are overlaps)
This paper is not designed to be a definitive list of ‘do’s and don’ts’ (such a
simplistic approach is impossible given all the variables in 22 boards). The
aim instead is to highlight the practical steps boards can take to reduce risks
to an acceptable level through better governance, staff awareness/training
and where possible technical measures.
7. Risks to the organisation through own usage of OSN
The following risks relate to the organisation’s own usage of OSN and where staff
are using OSN in the work environment:
7.1 Site sabotage and hijacking
Organisations need to think carefully about how they would deal with their OSN
pages/profiles being attacked and either taken offline or taken over. As the content is
hosted by a third party (with no contractual commitment) there is little that can be
done other than attempting to close down the whole space. At the moment OSNs are
just one very minor channel for communications, but as usage increases the
organisation will need to cope with the following scenarios:
Take-over/spoofing: someone manages to log into the official NHS OSN
account and remove content or even write spurious content which purports to
be official. If this goes undetected or cannot be taken down quickly then it
could seriously undermine services, communications and public trust (e.g.
spoof ministerial/executive tweets or false allegations about staff/boards etc).
Loss of service: the OSN could simply fail for any number of technical
reasons. This could be problematic in situations where a particular site has
become a key plank in a communications process (e.g. weather warning/site
closure alerts reliant on Facebook/Twitter rather than phone).
Hacktivism is a relatively new phenomenon; this is where attacks are made
primarily to prove a point rather than for monetary gain. The NHS has not so
far been at the top of the lists of targets (although the LulzSec group did hack into
NHS web-sites to highlight vulnerabilities) but this could soon change if Scottish
health service reform or new services become controversial (e.g. closure of
health centres, back-tracking on policy commitments for services etc).
Counter measures
Governance: Decide on a channel strategy (i.e. where OSN fits into
communications/services). Assume sabotage will happen at some point, so put in
place a plan of action for dealing with it (e.g. how you can inform customers
through a more trusted channel, such as the official web-site hosted internally,
that there is a problem and correct the spoof content). Find out from the OSN the
process for dealing with the problem (e.g. will it be minutes or days before
sabotage is corrected?) and whether there is any OSN moderation.
People/Guidance: Training for the OSN engagement team on how to write content
which is less likely to generate attacks (e.g. avoid overtly political or
lecturing tones).
Technical: It should be assumed that the OSN is not robust enough for essential
communications, and alternative trusted channels will need to have greater
resilience at a time of emergency (e.g. is the board's email exchange server,
web-server etc able to cope when everyone is working at home due to snow?).
7.2 Legal risks through official OSN interactions
The whole point of OSNs is to be ‘interactive’ but this does not necessarily mean
interaction with each individual that places content onto the NHS site. When
individuals place a question, make a factually inaccurate remark or appear to be in
distress there is a natural instinct on the part of officials running the OSN profile/site
to answer. But there are some significant problems here for the organisation:
Once you start answering personal queries/remarks/threads then there will be
an expectation that this is a full-blown enquiry and answer service. Boards
may not have the capacity to do this and it could conflict with existing
channels.
OSNs operate at a much faster pace than traditional routes. This can bring
many advantages (e.g. dealing with quick enquiries online, giving sign-posts to
where to find help and therefore cutting down on the volumes of phone
calls/letters to boards) but it can also pose legal and safety problems when it
starts to touch the clinical arena. For example, a user on a Blood
Transfusion/Blood Safety OSN page might ask for what seems simple advice.
But the organisation exposes itself to legal problems if its reply - given by a
non-specialist to an anonymous person in a hurry - is later perceived to be
wrong by the recipient.
Counter measures
Governance: Be clear at the design phase how the organisation will interact
and deal with queries etc (e.g. a policy not to deal with individuals but to
give a block answer?), who will do the interactions (e.g. only specially trained
staff?) and which subject areas are out of bounds (e.g. not to touch on clinical
areas unless a special clinical hot seat is created?).
People/Guidance: Training for the OSN engagement team on how to answer
questions; knowing how to put up ‘sign-posts’ in preference to giving advice on
the hoof.
Technical: Find out how moderation works; how long content is kept by the OSN,
how anonymous sign-on/registration is, and how easily organised groups could
create multiple false accounts to generate traffic that disrupts the service.
7.3 Information leakage as a result of inadequate permissions
Where an NHS organisation uses a public OSN it is generally assumed that all the
information placed there is unclassified and does not therefore require site
permissions (i.e. if you are going to put up content you expect everyone to see it).
But as OSN use in public bodies takes off there may be a perceived need to
segment the data according to user group to create semi-private spaces (e.g. drug
addiction support OSN user group to log into one separate area). This approach is
already used in the professional group OSNs (e.g. organisations create their own
Yammer/Huddle space or bubble). But the organisation needs to consider the
impact if the permissions simply fail:
Faults in the biggest OSNs have led to permissions or privacy settings not
working; this has allowed personal data – which the user expected to be open
only to specified users - to be made available to everyone (which can mean
millions of subscribers). An NHS online site in England that stores CVs
recently failed, leading to personal data being available to the whole NHS
community until it was fixed.
Counter measures
Governance: When using public OSNs ensure that all information is
unclassified; use segmentation of information (e.g. creating lots of user
groups/profile pages) for administrative ease rather than as security
permissions (i.e. assume everyone can see it). In the case of OSNs for
corporate use, seek advice from security if it is to be used up to PROTECT
(e.g. accreditation to this level is possible with certain sites).
People/Guidance: Inform all staff that although information is unclassified this
does not necessarily mean that it is disclosable for the purposes of FOI.
Technical: Monitor permissions failures in OSNs so as to report back to the
business.
7.4 Content management issues
When using OSNs there is very little control which can be exerted over the lay-out
and ownership of content.
Advertisers for medical products and services will try any means to give the
impression of ‘official’ endorsement, including placing content adjacent to
NHS material.
In many cases the ownership of all content becomes the property of the OSN.
The public body does not have an automatic ability to take content down
(even if it is offensive or in direct conflict with NHS advice). In fact taking
content down can prove to be counter-productive in some cases.
Where an OSN is used for professional purposes (e.g. staff knowledge
sharing tool) care needs to be taken that sensitive internal documents are not
uploaded and that version control is not lost (e.g. un-redacted board minutes
going up on an OSN with redacted version on the official NHS website).
Counter measures
Governance: It needs to be clear who is able to upload documents, with a
process to ensure that the documents are final and approved for public
dissemination. Write copyright statements (e.g. ownership of documents remains
with the NHS).
People/Guidance: Training for the OSN engagement team; making clear that the
type of content is different from standard official web-sites. Focus on shorter
informal bursts rather than monologues.
Technical: Agree a retention policy for corporate OSNs (i.e. if it is assumed
that records are held in the organisation then the OSN copy of content can be
deleted quickly when no longer used). Check in advance the OSN's advertising
policy and controls over layout.
7.5 Risks relating to staff usage of OSN in the workplace
When an organisation has adopted OSNs there is the obvious need for a group of
staff to be able to see and interact with those sites. In a tightly controlled
environment this might just be a handful of external communications experts or a
team of policy staff monitoring content. But the larger the group with access (e.g. the
whole organisation) the more there is the risk of staff crossing the professional lines:
In theory when an NHS OSN profile/page is launched there are in effect two
groups of organisational users: a) those in the OSN engagement team who
can officially update and reply to content posted by those outside the
organisation and b) those within the wider organisation who may be able to
look at content but should not interact. But such a neat distinction is not
always easy to maintain; many in the latter group may choose to put up
content which might conflict with the official line. There could then be an
unseemly online debate between two sets of officials relating to health
services or policy.
Access to the whole OSN (e.g. Facebook) then gives staff the technical ability
(though not necessarily the permission) to use that site for personal
purposes at work. This brings with it all the risks to the employee outlined
below.
Where the employee acts using official NHS computing resources (rather than
at home) there is a greater legal liability to the organisation. This risk is not
new (i.e. staff have long been able to send inappropriate email from web-
based accounts while at work if the sites are not blocked). But the
spontaneous nature of OSNs, and their reach to millions of people, means
the impact is far greater. For example if libellous, offensive or criminal
content is posted while at work the organisation is likely to be dragged into
any litigation. Even if NHS login/email address is not used to sign into the
OSN, the IP address can still be traced back to the board.
The offensiveness of material is generally higher in a work context. For
example several clinicians have recently been disciplined in Glasgow for
taking ‘funny’ pictures of themselves underneath trolleys in a hospital and
posting them online. The images taken in a different context – such as at
home - may have seemed innocuous but because the staff were on duty it
affected the reputation of the profession and the organisation.
7.6 Importation of malware into health systems
Usage of OSNs significantly increases the likelihood of malware (such as viruses,
trojans and worms) being imported into NHS networks even where robust anti-virus
(AV) measures are in place. This type of importation is indiscriminate (i.e. NHS is not
usually the subject of a targeted attack but has picked up malware in general
circulation). Malware can go un-detected for months (as AV software tends to scan
known objects rather than unknowns) and can shut down whole networks.
The reasons for this are:
Many OSNs use third party messaging/chat applications (which run on
servers which the OSN has no control over). Such applications are a weak
spot from which attacks can be made on the user’s PC/network. Many
distributed ‘Botnets’ (where multiple PCs are in effect ‘taken over’ to perform
malicious attacks) rely on PCs having access to such applications. This
contrasts with the current position where staff who use messaging/chat
applications (e.g. Microsoft Communicator) are always on the internal
network.
OSNs generally require an email address and these can be harvested and
used for attacks or spamming. The more NHS email account names entered
the greater likelihood there is of spear-phishing (i.e. where malware, bundled
in a convincing attachment, is sent to recipients from what looks to be an NHS
colleague).
OSNs have features which are more likely to ‘bait’ staff into clicking on links
which download malware. Some are obvious (e.g. sensational news stories,
prizes etc) whereas others are more subtle (e.g. click here ‘if you do not wish to
receive marketing’).
Counter measures
Governance: Decide whether some of the riskier applications are really
required for the organisation's online presence. If the answer is yes, decide
which individuals should be using them (i.e. there is usually no need for the
whole organisation to have access to these tools).
People/Guidance: Issue simple desk-top guidance on the top five things to do in
order to prevent malware being introduced into the organisation, for those PCs
which are not locked down (e.g. never click on attachments from unknown
sources; only the designated OSN administrators should enter a generic NHS
email address).
Technical: Apart from ensuring AV security patches are up to date, there needs
to be timely reporting by the user community of anomalies (e.g. that might show
a PC has become part of a botnet); business continuity plans and quarantine
plans need to be in place if there is a serious outbreak.
7.7 Capacity and time-wasting issues
One of the main reasons why boards have not adopted OSNs more readily is the
lack of bandwidth. The download of bit-hungry video-clips in particular can
mean that other business-critical web-based activities are affected.
As with other online activity there are operational risks associated with ‘time
wasting’ by staff. OSNs can be highly ‘addictive’ and many employees will
have grown accustomed to updating content throughout the working day.
Blanket banning of web-sites from the office network can just mean that staff
switch to using personal web-enabled mobile devices while in the work-place.
Counter measures
Governance: Be clear who can have access to OSNs in order to do their job. In
an NHS territorial board context it is highly unlikely that the whole
organisation would need access to OSNs. But for special boards it may be that
the channel strategy expects staff to gain visibility of what customers are
talking about online.
People/Guidance: Guidance for all staff which goes beyond use of organisational
computing resources; staff are now bringing in their own equipment and
connecting online via short-range wireless (e.g. Wi-Fi) or cellular networks.
So there needs to be a fair usage approach.
Technical: Advise the OSN engagement team on how access can be managed (e.g.
sometimes access can be limited to the official organisation page on
Facebook/Twitter rather than the whole site). Consider whether a separate
internet-pipe is needed for communications staff (i.e. rather than using N3).
Do some modelling on how x users on a particular site would impact capacity.
8. Risks relating to OSN usage by NHS employees outside work
Even if the NHS were to do nothing in the OSN space and block access at work it
would still be exposed to security and reputational risks relating to employee usage
of them in their home life.
8.1 Capturing credentials for malicious purposes
Many users of OSNs make clear in their profiles/pages that they are NHS
employees. If such users also use NHS credentials as part of login (e.g. NHS email
address, and same password used at work) then it can compromise the security of
the work environment.
If a user habitually uses the same password(s), or one of the most common
passwords, in their home life (e.g. for OSNs), and it is captured with context
(i.e. a would-be attacker knows exactly where you work), then it could be used
to gain access to online NHS applications or internal systems.
Currently ‘single-sign on’ is being rolled out across some boards; this means
that obtaining one password will grant access to multiple applications. Many
would-be attackers are insiders with access to the building and PCs; if they
are able to login using captured credentials then the audit trail would show
only the name of the official user.
At least one key NHS application allows changes of passwords based on
personal detail prompts (e.g. mother's maiden name, place of birth, pets etc).
Much of this is easily picked up on OSNs (e.g. by aggregating bits from several
sites to get a complete picture of an individual).
Counter measures
Governance: Update existing policies to make clear that the use of official
NHS email addresses or credentials in a non-work (e.g. online social
networking) context is prohibited, with sanctions for transgressions.
People/Guidance: Awareness campaign with the top five things to protect staff
work identity (e.g. never use work passwords; never give out work email or
phone number on personal OSNs etc). But bear in mind that many employees
(especially senior managers) will already have their work details online as
part of government transparency/FOI etc. The ICO has made clear that public
servants do not have an absolute right to anonymity.
Technical: When developing identity and access models in the NHS, consider how
staff are operating in the home environment. Develop subtly different ways of
authentication (e.g. stronger passwords and prompts, two-factor authentication,
biometrics etc) so that if a person's identity is compromised at home it
minimises the impact on the organisation.
8.2 Social engineering to obtain information
As well as capturing credentials there are other types of NHS information which can
be obtained using deceitful – but not necessarily illegal - techniques that play on
people’s natural instincts and ‘hook’ them in. There is a large market for the type of
data held in NHS:
So-called information brokers or aggregators are paid to source
addresses/employers and other key data; they are increasingly aware of the
types of information systems within the NHS and the people who have access
to them.
The so-called ‘phone hacking’ scandal in the UK has shown how private
detectives can use illegal methods to obtain data (e.g. gaining access to
voice-mail and using insiders at telcos). But some individuals leave the door
wide open in their personal online profiles to debt collection and tracing
agencies, activists, researchers, companies in healthcare or organised
criminals (e.g. fraud or intimidation purposes).
Some healthcare staff have access to controlled drugs and materials which
can be used by terrorists for biological, chemical or even radioactive attacks.
OSNs are both a place to hide (for anonymous conversations) and a place to
air extreme views and hook in staff.
Although NHSScotland does not offer the same scope as banks etc to steal
hard cash it does have a budget of c. £10 billion, considerable movable
assets (e.g. IT hardware, drugs), a catalogue of services which can be
fraudulently obtained (e.g. repeat prescriptions) and a pool of people –
patients and staff - who have often dropped their guard in stressful situations.
OSNs offer data in abundance from which to plan an attack from a remote
location (whereas in the past physical surveillance of sites and people would
have been necessary).
Counter measures
Governance: Put in place an alert procedure whereby an employee can contact
HR/security if he/she feels that NHS data, as well as personal data, has been
unwittingly passed on during online chats/blogs at home. Early notification can
mean that the organisation can take steps to warn other staff and lessen the
impact.
People/Guidance: Staff awareness campaign; e.g. staff not to enter into OSN
conversations with patients; to look out for unwanted attention that arises
from their employment in the NHS. Many professional groups such as the British
Medical Association and the Nursing and Midwifery Council have recently drawn
up guidance for their own members.
Technical: Make regular security assessments of the people and assets which are
vulnerable, to ensure that information about them is tightly restricted so that
there is far less scope for them to be talked about in OSNs or anywhere else
(e.g. the location or procedures governing hazardous materials). Step up
protective security in sensitive areas wherever possible (e.g. swipe card
readers). Assume that information in some areas of the NHS is bound to get
discussed online whatever steps you take (e.g. admittance of high profile
patients, sacking of staff). Put in place more robust audit mechanisms around
access to NHS systems and be able to monitor staff use of OSNs (where there is
a formal investigation).
8.3 Putting up offensive or inappropriate content
Individuals using OSNs - who can be identified as NHS employees - can cause
serious reputational damage to organisations as a result of the content they upload.
The use of web enabled mobile devices in particular can lead to impulsive behaviour
which users often later regret. Once content has gone online (e.g. a picture on a
profile) it is virtually impossible to remove completely as followers with access may
have copied and distributed world-wide within minutes. Some content is obviously
inappropriate (e.g. explicit pictures that identify staff) or illegal (patient identifiable
data) but in other cases the employee may feel they are acting within their rights:
There are difficult ethical questions surrounding how far staff should be able
to give personal views on the NHS (e.g. the leadership, colleagues, facilities,
procedures etc).
Writing detailed descriptions of what is going on in the work-place (without
mentioning staff or patients by name or being critical) can still be damaging.
Change management resulting from organisational re-structuring and reform
of patient services becomes much more difficult if staff are giving a running
commentary on OSNs.
Counter measures
Governance: Update existing policy documentation and weave in employee online
behaviour. Much existing documentation only covers activity while at work or
using work computing resources. This needs to be wider and cover behaviour
using own mobile devices/equipment at home that can be damaging to the
organisation. Blanket bans on discussing work may not always be useful as staff
belong to professional networks (e.g. GPs, nurses) and may wish to share common
concerns (without mentioning patients etc).
People/Guidance: As a general rule employees should ‘put away their badge’ and
act as individuals if giving general views about their organisation or
political decisions, and should steer clear of attacks on individuals. Use the
guidance material produced by professional bodies.
Technical: There may be a need to monitor the activity of an employee on an OSN
(e.g. if HR are investigating a complaint); if the updates to the OSN are
taking place at home then there needs to be an agreed method of monitoring and
recording that is proportionate (i.e. not to undermine a person's privacy
without good grounds). This can be difficult if the online presence is
relatively anonymous and audit trails are under the control of the OSN.
Understand how liaison with the police would work before an incident actually
happens (e.g. some constabularies have online crime experts).
8.4 Personal ID theft and safety risks
The police make a distinction between age-old crime ‘facilitated by ICT’ (e.g.
extortion, theft) and new crime ‘created by ICT’ (e.g. denial of IT service). Both types
of crime can be found in OSN space:
Harassment and bullying: some disputes start online and then escalate into
real world conflict (i.e. several disputes on OSNs have led directly to murders)
while in other cases it is the other way round (with a dispute starting in the
work-place for example and then continuing in cyber-space). NHS staff are
perhaps more vulnerable than most because of the very public nature of their
work and the high emotion generated in health contexts. A patient with a
grudge for example could seek out staff through OSNs. Cyber-stalking can in
extreme cases lead to actual harassment or physical harm.
The risks of targeting are higher for staff working in sensitive areas with
vulnerable groups and children.
ID theft ranges from indiscriminate harvesting of personal/work email
addresses to focussing on an individual over a period to gain employer
details, bank, National Insurance, date of birth etc. Login details and cookies
are relatively easy to steal from people logging onto OSNs (which generally
do not have secure login such as SSL) while in Wifi hotspots.
The physical security of hospitals and surgeries is rarely high because of the
volumes of people coming and going. An intruder – with or without a white
coat - has a greater chance of blagging his way into wards or administrative
buildings if he knows the names, exact job titles, departments, buildings and
other contextual data relating to staff.
Patients too are at greater risk if information about their stay in hospital is
broadcast on OSNs. Loose talk has always been a problem (e.g. when high
profile persons are in hospital) but OSN functionality such as micro-blogs from
Twitter and photo imaging from mobile devices in hospitals mean that the
speed and reach is now far greater.
Location based risks: many mobile applications attached to OSNs give precise
geographical coordinates. Burglars for example are known to monitor them to
seek out empty properties, and an employee's presence in a hospital/surgery can
be pinpointed to within 10 metres if he/she has a device switched on and has
subscribed to the service.
Counter measures
Governance: As for 8.3; HR policy on harassment/professional conduct may need
to be updated to include activity in cyber space.
People/Guidance: Simple guide on the types of business information which should
never be revealed online, as well as general rules about discussing work. Some
of this is board-specific: in an ambulance service for example this might
include daily fleeting for ambulances or control procedures for transporting
medicines/human organs (things which could come out informally when writing a
daily personal blog but get picked up by those with malicious intent). Be aware
that logging on to OSNs while in wireless hotspots exposes the user to possible
credential theft.
Technical: Have a reporting procedure in place for theft or spoofing of
personal ID, as it is likely to affect the work ID (e.g. an NHS mail address
being used to send out malware/spam, or a pseudo NHS address which uses a real
name but does not have an official suffix). Be able to take an email account out
of service quickly, change passwords, security passes etc.
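As an added illustration (not code from the paper or from NHSScotland), the "pseudo NHS address" pattern in the Technical row above and the spear-phishing risk in 7.6 can be triaged from mail-gateway logs: flag senders whose display name or local part matches the staff directory but whose domain is not an official suffix, and official addresses handed in by a relay outside the board's own network. The official domain, relay range, staff directory and log lines are all constructed placeholders.

```python
"""Triage mail-gateway log lines for staff-identity impersonation.

Added example, not from the paper. Two patterns are flagged:
  * a sender whose display name or local part matches the staff directory
    but whose domain is not an official suffix (the "pseudo NHS address");
  * an official address handed in by a relay outside the board's own network
    (a spoofed or compromised real address).
All domains, address ranges, directory entries and log lines are constructed.
"""
import ipaddress
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Assumed official mail suffix(es) and the board's own relay range (placeholders).
OFFICIAL_DOMAINS = {"board.nhs.example"}
INTERNAL_RELAYS = ipaddress.ip_network("10.0.0.0/8")

# Constructed staff directory: normalised display name -> official address.
STAFF_DIRECTORY = {
    "jane smith": "jane.smith@board.nhs.example",
    "ahmed khan": "ahmed.khan@board.nhs.example",
}
OFFICIAL_LOCAL_PARTS = {addr.split("@")[0] for addr in STAFF_DIRECTORY.values()}

# Constructed gateway log: timestamp, relay that delivered the message, From header.
SAMPLE_LOG = """\
2011-10-19T09:12:01 src=10.4.2.7 from="Jane Smith <jane.smith@board.nhs.example>"
2011-10-19T09:14:33 src=203.0.113.9 from="Jane Smith <jane.smith@nhs-board-mail.example>"
2011-10-19T09:15:10 src=203.0.113.9 from="Ahmed Khan <ahmed.khan@board.nhs.example>"
2011-10-19T09:20:45 src=198.51.100.4 from="Newsletter <news@vendor.example>"
2011-10-19T09:22:02 src=198.51.100.4 from="J. Smith <jane.smith@webmail.example>"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) from="(?P<from>.*)"$')

Finding = Tuple[int, str, str]  # (log line number, sender address, reason)


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse spaces so 'J.  Smith' -> 'j smith'."""
    return " ".join(re.sub(r"[^a-z ]+", " ", name.lower()).split())


def classify(src_ip: str, from_header: str) -> Optional[str]:
    """Return a reason string if the sender looks like staff impersonation, else None."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable sender address"
    local, domain = addr.lower().rsplit("@", 1)
    external = ipaddress.ip_address(src_ip) not in INTERNAL_RELAYS

    if domain in OFFICIAL_DOMAINS:
        # A real address is only expected from the board's own relays.
        return "official address presented by an external relay" if external else None

    # Unofficial suffix: does the name or local part claim a real staff identity?
    if normalise_name(name) in STAFF_DIRECTORY or local in OFFICIAL_LOCAL_PARTS:
        return f"staff identity {local!r} on unofficial domain {domain!r}"
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every parseable log line; returns findings for review."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        reason = classify(m["src"], m["from"])
        if reason:
            _, addr = parseaddr(m["from"])
            findings.append((line_no, addr, reason))
    return findings


if __name__ == "__main__":
    # Constructed log above yields three findings: lines 2, 3 and 5.
    for line_no, addr, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {addr}: {reason}")
```

Name matches are a triage signal, not a block decision: a genuine namesake at another organisation would also be flagged, so the findings go to the reporting procedure described above for a person to review.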
8.5 Wider privacy issues
OSNs have so far rubbed against the grain of privacy legislation in Europe (such as
the Data Protection Act and the Privacy and Electronic Communications Regulations):
Much of the data placed by staff onto OSNs is sold onto third parties. Small
print on joining is taken as consent to this activity.
When an individual decides to take a profile down there is often no
commitment from OSNs that all the data will be permanently deleted.
New features are added to sites which could affect privacy (such as facial
recognition software to provide names to photographs) without the user
necessarily being aware of them.
Cookies have become more sophisticated and intrusive. Users can decide
how far they wish to connect their web browsing activity to OSNs (e.g.
Facebook ‘likes’) but there have been allegations for example that
connectivity between NHS Choices in England and an OSN could in effect
generate a log of the medical health advice pages visited.
Counter measures
Governance: If an OSN is being used for corporate purposes, get assurances
beforehand on what the company is doing with the data, where it is hosted etc.
People/Guidance: Simple guidance on how to reduce risk at home (e.g. removing
certain types of cookies, changing privacy settings, understanding ‘fair
processing’ notices, how to complain to the Information Commissioner etc).
Technical: Gather case-study evidence on good and bad practice relating to
cookies and fair processing notices so it can be used when designing official
NHS interactive services (e.g. patient portal) that rely on patient trust.
9. Conclusions
Targeted use of OSNs – internally and externally - for the first wave applications can
bring considerable benefits and fit in squarely with the eHealth strategic aims. It is
important that security and legal anxieties surrounding OSNs do not lead to health
boards simply ignoring or blocking them wholesale. OSNs are here to stay and many
of the risks relate more to how individuals, in a personal capacity, behave while
online rather than the controlled and officially sanctioned content (or the analysis of
other people's content) that boards produce.
At the moment health boards have very little official OSN presence and most of the
threats are indirect: boards, as organisations, are not being actively targeted online
by criminals, terrorists or foreign agencies (but are at risk from the malware such
groups have circulated). Most of the current threats are to individuals, who just
happen to be employees of the NHS. And it is individuals, through personal use at
home or in the work-place, who are exposing the organisation to reputational, legal
and security risks. So even if boards had no presence in OSNs, these risks would
not go away without concerted steps to change staff behaviour.
The threat level is likely to increase in the coming months as:
Boards begin to use OSNs to a much greater extent in conjunction with online
services (e.g. patient portals).
An even higher proportion of the 165,000 staff in NHSScotland use OSNs for
personal and professional networking.
As the security of e-commerce gets progressively tighter (e.g. better
authentication, audit, monitoring and user education for online
banking/shopping) criminals and other groups will turn even more to OSNs as
a weak spot from which to obtain personal data.
Criminals move into new areas of health-related fraud. Malware attacks will
become much more targeted than in the past (e.g. email with embedded
malware sent to a specific person).
The risks to the organisation can be reduced to an acceptable level if boards tackle
OSNs in a strategic manner (i.e. not leave it to lone enthusiasts) and put in place a
realistic mixture of governance, guidance and technical/security measures outlined
above.