Harnessing Online Social Networking within NHSScotland: Benefits and Risks (2011-10-19)


v.3 Consultation

Harnessing Online Social Networking within NHSScotland: Benefits and Risks

Purpose:

The aim of the two companion papers is to show how NHSScotland can harness online social networking (OSN) to support the eHealth strategic aims in 2011-2014, to outline the key risks to the organisation and finally how to put a mitigation plan in place.

Executive Summary

OSNs can be used for internal as well as external facing purposes: within organisations there are already Sharepoint-type tools which have OSN functionality, and it needs to be clear at the outset how usage of external OSN fits into an overall corporate knowledge retention strategy. Usage of OSN to engage with the public via transactions, knowledge/information services and patient data access brings eHealth closer to achieving ‘patient portals’. Other first wave (and low risk) purposes to which OSN functionality can be put are: business continuity communications, news and announcements, understanding and monitoring public opinion, public education/health campaigns, professional and patient network support. The main security and legal risks to the organisation and to individual employees can be reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not leave it to lone enthusiasts) and put in place a realistic mixture of governance, guidance/training and technical/security measures.

Contents

1. Online social networking and Scottish Government Strategy ... 3
1.1 Transactions that support self-management ... 3
1.2 Communications with the NHS and access to trusted advice ... 3
1.3 Access to health records and patient networking and support ... 4
2. Current position ... 5
3. Better to harness than simply block ... 5
4. Social Circumference: internal or external OSNs? ... 6
5. What are the first wave OSN applications for NHS Scotland? ... 10
5.1 Business continuity communications ... 12
5.2 News and announcements ... 13
5.3 Understanding and monitoring public opinion ... 13
5.4 Public education and health campaigns ... 15
5.5 Professional network support ... 16
5.6 Patient support groups ... 16
5.7 Transactions support ... 16
6. Security risks and mitigation plans ... 17
7. Risks to the organisation through own usage of OSN ... 18
7.1 Site sabotage and hijacking ... 18
7.2 Legal risks through official OSN interactions ... 19
7.3 Information leakage as a result of inadequate permissions ... 20
7.4 Content management issues ... 21
7.5 Risks relating to staff usage of OSN in the workplace ... 22
7.6 Importation of malware into health systems ... 23
7.7 Capacity and time-wasting issues ... 25
8. Risks relating to OSN usage by NHS employees outside work ... 26
8.1 Capturing credentials for malicious purposes ... 26
8.2 Social engineering to obtain information ... 27
8.3 Putting up offensive or inappropriate content ... 29
8.4 Personal ID theft and safety risks ... 30
8.5 Wider privacy issues ... 32
9. Conclusions ... 33

PART A

Realising the benefits

1. Online social networking and Scottish Government Strategy

Online citizen participation is a key plank in Scotland’s Digital Strategy and specifically in eHealth there is an aim to create an environment that gives patients the ability to equip themselves with the information they need to monitor and manage their own health care as far as possible.[1] An important question is how far online social networking will bolster rather than hinder work in these areas.

1.1 Transactions that support self-management

There is enormous potential to use the web for patient transactions such as health appointment bookings, data checking, e-prescriptions etc. IT investment in these areas is often considerable in order to ensure that the web spaces can be secure, easily accessible and well managed.

OSN can be used at design, release and steady state stages to ensure that these significant investments hit the mark (i.e. are not solutions looking for customers). Online health transactions, like OSNs, rely on very subtle two-way trust-based interactions. Getting these transactions right, as online banks and shops have found, is very difficult and a lot can be learned from OSNs.

1.2 Communications with the NHS and access to trusted advice

At the moment virtually all the NHSScotland online activity falls within this category. There remains the need for high quality trusted content, like NHS Inform for example, that is controlled by the host and ‘pulled’ when required by the site visitor. This preserves the integrity of the announcements, sign-posts, news and medical information in a way that non-official channels which allow interaction/editing cannot (e.g. wikis, blogs and company-sponsored medical advice pages are often misleading).

[1] eHealth Strategy 2011-2017 published September 2011 (with a refresh due in 2014); The Digital Future: A Strategy for Scotland (March 2011).

However, NHS sites are increasingly used to communicate in real time and OSNs can be an important part of an overall channel strategy and inform policy (see below). Similarly, hosting or participating in knowledge sharing – which requires interactive tools – is an important part of the medical self-management aim.

One of the interesting side effects of the social networking growth is that relatively old tools such as email, SMS and desk-top web conferencing are taking on a new lease of life. The NHS therefore needs to re-appraise how these often over-looked channels can be used for patient interaction. Whereas some clinical telehealth purposes require considerable investment (hardware, special rooms, robust connections etc.) there are probably many more routine ‘keeping in touch’ type sessions which could be carried out with lower cost consumer-type applications and equipment.

1.3 Access to health records and patient networking and support

There is a growing demand for self-access to clinical data in addition to the established routes (e.g. Data Protection subject access requests). Evidence from pilots such as My Diabetes My Way that allowed access to clinical information has shown that a) the service is greatly valued; b) clinicians simply do not have the time to go over all data and c) patients do not always understand what is being said during visits to hospitals and like to mull over written evidence.

It is likely that having access to their own data online (provided the right data fields are chosen and it is done securely) can improve the success rate of both eHealth transactions and the information/knowledge services: e.g. being able to check and update medication/allergy details could help with e-pharmacy applications and accessing clinical correspondence may induce patients to look at the right online advice guide on NHS Inform.

All these areas – transactions, information services and patient data access – can be integrated together to form virtual patient web-spaces. A landing page hosted by NHSScotland could be personalised and provide sign-posts to one or more favourite patient web-spaces (e.g. for a long-term condition). Secure authentication could then be used where patient data is being accessed.

Understanding and harnessing OSN (in terms of technical design, content and human behaviour) can bring NHSScotland closer to realising this vision.

2. Current position

Some health boards are already using OSNs as an additional e-channel for communication (e.g. placing news and announcements onto Facebook or Twitter). But the full potential of OSNs, which is based on interactions and not static content, has yet to be exploited by public health organisations for the following reasons:

OSNs are by their very nature a ‘home grown’ phenomenon and almost ungovernable. Virtually all of the innovation and momentum has come from individuals (and increasingly the ‘third sector’) rather than state bodies, corporations or universities. In fact public sector and corporate participation – if handled clumsily – can seriously back-fire if it is perceived to be an attempt to undermine the democratic spirit of OSNs. In turn, health officials, accustomed to controlling messages and their own online content, are understandably wary of setting foot into this legal mire. Some of the recent impetus for OSN usage by public bodies has come from politicians; but there have been some spectacular failures (e.g. wiki/blog sabotage) which have left many bruised and unsure about what they should do, if anything, in the online networking space. Any lingering doubts about the dangers of OSN are often confirmed by the weight of security and legal opinion (universal blocking may seem the safest approach).

3. Better to harness than simply block

Some health boards encourage the use of popular social media on their public-facing web site and then block OSN usage within the work-place (and fail to promote internal social networking tools). If employees are not informed of the often good reasons behind this seemingly contradictory approach then it can cause friction between staff and IT departments.

Similarly, there are examples of a ‘scattergun’ approach (where engagement with OSNs is seemingly random and without real purpose). OSN continues to grow at an exponential rate especially in the mobile application space. There needs to be a more strategic and consistent approach to using OSNs in eHealth. It needs to be clear that carefully targeted involvement with OSNs can bring a variety of solid practical benefits (i.e. is not just a matter of seeming to look modern). The security risks of OSN are very real (and discussed in part B) but are far more likely to be mitigated when OSN is part of an overall plan and not left to enthusiasts who ‘go it alone’ against a backdrop of general hostility.

4. Social Circumference: internal or external OSNs?

The focus of this paper is on external - or citizen driven - online social networks (e.g. Facebook, Twitter etc). But it is worth stressing at the outset that there is a considerable amount of social networking potential within NHS organisations. Any OSN strategy needs to ascertain the width of the social circle. Fig 1 illustrates different concentric circles for a fictitious health board and the appropriate tools that might be used to meet the business and security requirements (after a risk assessment).

Fig 1: Health board strategic positioning of internal and external OSN tools

[Figure: five concentric circles, from the innermost outwards: 1) Sharepoint; 2) Board extranet; 3) Knowledge; 4) Huddle; 5) Facebook]

Chosen OSN tools, with social circumference and justification:

1) Sharepoint
Social circumference: Core board staff
Justification: All staff to use this for internal networking; data held on internal network to RESTRICTED level

2) Extranet/external Sharepoint
Social circumference: Staff in core department and selected staff in other boards
Justification: Selected staff invited in; governance over documents uploaded. Possible accreditation to PROTECT

3) Communities of Practice or e-library
Social circumference: Staff in core department wishing to network with NHS staff across Scotland
Justification: NHS sponsored space which allows content upload to particular communities

4) Huddle/Yammer etc
Social circumference: Staff doing a wide consultation exercise with suppliers, charities, third sector etc
Justification: May be a fee for a hosted service (data held in UK); closed spaces for each project. Can be accredited to PROTECT if necessary with right design.

5) Facebook
Social circumference: Specific staff in board wishing to communicate with public or test public opinion
Justification: Free open-to-all site; technically there are closed spaces but data may be hosted abroad; data should not have any protective marking and few of the controls that exist in internal environment.

Without such planning an organisation could end up with a mismatch. There are for example public bodies that use Internet-based OSNs as the de facto internal knowledge sharing tool even when Sharepoint-type tools (which increasingly have powerful OSN functionality) have already been purchased.[2] This means that existing investments are not being exploited and staff get confused as to where is the ‘official’ internal place to share ideas. And in reverse there are organisations contemplating investment in external instances of KM tools or extranets to allow networking across sponsored public bodies when a cheaper off-the-shelf networking service hosted by Yammer or Huddle for example would suffice.

The key benefits to internal online social networking tools include:

- People finding: able to find the right people, their skills and whether they are available for assignments etc. This is more than just a corporate directory.
- Instant messaging and communications: often messaging is tightly integrated into the networking application so that a person can move seamlessly from reading content to responding via email, voice, communicator etc.
- Profiling: tools now log the behaviour of the user and build up a profile (e.g. who are your contacts; what you have in common with other people, what assets you most often access?).
- Blogs and wikis: content generated by users; and allowing feed-back etc. This can range from formal (e.g. chief executive weekly summary instead of emails) to very informal (staff views).
- Virtual community building: creating communities of interest which cut across normal organisational boundaries (e.g. diversity groups, policy areas, career homes etc).

It is note-worthy that a high proportion of NHS staff are using external OSNs for all of the above because there is simply nothing on offer within the organisation with the same level of functionality and because they belong to professional and special-interest communities (that go far and beyond the confines of a single NHS board or practice). A clinician may for example use a professional OSN like Doctors.net.uk to find a colleague who does not appear on an official directory that is out of date; he may then open a free web-mail account with the same OSN and contribute to a discussion group.

[2] Scottish Government does not endorse any particular product/company. Sharepoint is fairly ubiquitous across boards and often part of an enterprise agreement. There are other players such as Alfresco.

There is a growing recognition that routinely putting non-document based content, news and views onto external rather than internal online networks can undermine an organisation’s knowledge retention strategy. But given the current financial climate there is far less scope for investment in corporate networking and knowledge management tools. The organisation is then faced with two options:

a) Doing without internal tools and being resigned to the fact that staff will use external ones in their own time (there may even be an attempt to discourage or block their use in the workplace)

OR

b) Attempt to harness OSNs by giving all or certain staff access to at least some of them (subject to clear codes of conduct) and even endorsing heavier participation in selected sites that are deemed to be in the interests of the organisation.

The main advantages of taking the latter more pragmatic approach are:

- The burden of hosting data and running a service is undertaken by a third party.
- Often the OSN functionality is far richer and user-friendly than any off-the-shelf product an organisation might procure itself. Much of the cost of products like Sharepoint relates to the configuration (e.g. search engines, look-and-feel, templates, keeping versions up to date etc). Internal tools can soon look rather dated compared to what staff are using at home.
- The social reach is far greater than with internal tools; officials wishing to collaborate with others across multiple bodies on different IT networks (e.g. for NHS boards to work together on projects). This cuts down on emails, phone calls and ad-hoc data sharing methods.

The main disadvantages are:

- There is a lack of control over the management of content; the data is being hosted by a company at a location over which the public body has little or no control (e.g. may even be outside EU).
- Security and legal risks (discussed in section 7) that result from the content, the social interactions and malware.
- Although resources may be saved by not hosting services internally, consumption of OSN can create service and capacity issues (e.g. staff using bandwidth hungry applications such as video streaming over infrastructure not designed for it).
- Knowledge and information leakage; staff may upload key documents, corporate records and knowledge onto the external OSNs in preference to internal corporate tools. Such behaviour creates compliance risks (e.g. FOI/DPA) and deprives the organisation of content it owns.

Putting together a clear action plan to support knowledge sharing using OSN internally (and between partner bodies) often means that the organisation is then well placed to exploit OSN for interaction with the public at large. Lessons will have been learned in a relatively safe environment and more staff will have become familiar with OSN functionality.

5. What are the first wave OSN applications for NHS Scotland?

The purposes to which OSNs can be put for interaction with the wider public are vast, so there needs to be focus on the first wave of applications which a) are relatively low risk from a security/compliance angle; b) create maximum impact from very little outlay and support and c) can be used as a launch pad for more ambitious usage of OSN in the future.

When considering how to deploy OSN the following must be considered at the outset:

- Does the OSN offer something which existing channels cannot? (e.g. wider social reach).
- Is OSN going to be mixed in with existing channels? (i.e. will it reinforce or could it potentially conflict with messages from official web-sites).
- Will existing OSNs be utilised rather than building new ones? (i.e. if the latter then there needs to be a unique selling point that only the NHS can offer, such as transactions or access to own data).
- What resources are in place to generate or monitor content? (i.e. there is no point in putting up content if no one in NHS is actually monitoring the responses or doing analysis).
- Does the OSN purpose require staff outside e-communications to have access to the web-sites? (i.e. if policy makers are blocked from accessing the sites then they will not be able to engage with those they need to).
- Has a risk assessment been carried out which will take into account any security or legal concerns?

The implications of using OSN criss-cross organisational boundaries so it is vital that there is adequate participation from Corporate Communications, IT, security and HR teams. Any OSN small project team needs to focus as far as possible on requirements rather than products at this stage.

Fig 2: Summary of first wave applications for OSNs in eHealth

Each entry gives the first wave OSN category, examples, and benefits over existing channels:

Business continuity communications
Examples: Severe weather events; Flu epidemics
Benefits over existing channels: IT systems may be down; social reach for anyone with web-enabled mobile phone

News and announcements
Examples: New facility opened
Benefits over existing channels: Followers on OSN who may never want to visit official web site

Public education/health campaigns
Examples: Stop Smoking
Benefits over existing channels: Content is embedded among user-tips; tone is more light hearted and less censorious

Understanding and monitoring public opinion
Examples: Plant story on new eHealth application
Benefits over existing channels: Test the water; gather intelligence before making big investments

Professional network support
Examples: Nurses, GPs
Benefits over existing channels: Provide content on regulations that may affect community

Patient support groups
Examples: Cancer charity
Benefits over existing channels: Provide sign-posts to NHS Inform; GPS location finder for help

Transactions support
Examples: bookings
Benefits over existing channels: OSN content induces people to use the booking system

Patient data access support
Examples: Diabetes clinical correspondence
Benefits over existing channels: Would otherwise have to send hard-copy or email (which may be less secure)

Public health data collection
Examples: Elderly perception of care/anxieties
Benefits over existing channels: Collect early evidence prior to investing in more traditional research

5.1 Business continuity communications

OSNs can be used to get key messages out quickly to a wide audience during emergencies. The winter of 2010/11 in Scotland was the worst for 40 years leading to the closure of public buildings and schools. Some NHS boards used Twitter micro-blogs or announcements on Facebook to inform the public about the availability of services. Traditional channels (such as bulk emails, telephone calls or updating front web pages) are not always an option if there is a disaster and IT systems are down. Micro-blogging could also be used to connect with employees as part of a continuity plan.

Using OSNs in this way is also a good way of getting ‘followers’. Most citizens may follow NHS tweets for the first time during bad weather but can be encouraged to maintain contact afterwards provided tweets remain relevant (e.g. for significant virus outbreaks rather than an avalanche of routine updates on services).

The health organisation can also monitor reaction and feed-back contained in messages/tweets in order to gauge the effectiveness of its emergency response (e.g. customers suggesting that a road that provides access to a hospital is now open, or complaints). Some boards are Twitter ‘followers’ of public organisations such as the Meteorological Office which enables them to aggregate and then condense lots of news-feeds relevant to their own audience.

5.2 News and announcements

Boards can upload subtly different news and announcements onto OSNs than mainstream channels such as official web-sites. NHS Lothian have used Twitter to show when the minor injuries clinic might be more appropriate for some cases than Accident and Emergency. This not only informs the public but can potentially help boards to free up resources by funnelling patients to the best place.

The more informal nature of OSNs means that boards can put announcements which would not normally make the front page of an official health board web-site (such as health charity and other community events) but which foster good relations and ‘social presence’. The viral nature of OSNs means that word can get around more quickly than other channels (companies call it ‘guerrilla marketing’).

5.3 Understanding and monitoring public opinion

The fundamental difference between normal e-communications via official web-sites and OSNs is that the ‘funnel is reversed’: i.e. more communications are coming in than going out. Each official health-related ‘tweet’, video-clip or news item on Facebook will generate far more of a response than was the case with traditional web feed-back forms. The key question is how can the voluminous, un-moderated and often anonymous conversation threads be monitored, captured and used for practical purposes?

Correcting factual inaccuracies

It is not the place for officials to enter into public debates. But there are cases where OSN conversation strings highlight straightforward inaccuracies (or even myths). Virtually all of the discussion boards relating to eCare for example repeated falsehoods (e.g. that this was a state data-base on children by the back-door). Such misunderstanding on influential sites such as Netmums (which has 1m+ members) can seriously impair the ability of health bodies to roll out and get public acceptance of new tools and services. A news story which aims to correct a myth can be placed into OSN fora as part of an overall communications plan. Alternatively, there could be a ‘hot seat’ session where for a limited time-slot a senior official (or minister) might host a question and answer session. This is safer than entering into conversation strings already initiated by citizens (i.e. could be construed as state interference or even political opinion shaping).

Straw-poll canvassing

The un-controlled and anonymous nature of OSNs means that they cannot as yet really replace formal public consultations and statistical analysis. But OSNs can offer a quick and easy way to ‘test the water’ before making significant investment in new services or creating new policies. The proposed Healthier Twitter for example can allow ministers to give flag ship policies an airing. Too many web 1.0 applications in the early 2000s have been designed by IT professionals and officials ‘in search of customers’. If for example a very large (albeit un-scientific) sample of tweets and conversation threads gave overwhelmingly negative views on the functionality of a proposed e-health patient access application then it might give rise to investing in further public consultation to check this prior to making significant investment in a service which might not take off (e.g. because there is not enough trust in the authentication proposed or concerns about erosion of privacy).

Page 15: Harnessing Online Social Networking within NHSScotland: benefits … Social... · 2011-10-19 · Harnessing Online Social Networking within NHSScotland: Benefits and Risks . Purpose:

15

Sites such as Patient Opinion and dash-boards on hospital Facebook sites are

already collecting patient experiences. The Patients Rights (Scotland) Act 2011

specifies that NHS bodies should “encourage patients to give feedback or

comments, or raise concerns or complaints, on health care”.3

Data Collection

In the US it is increasingly common for third sector organisations to ask for ‘data donation’: that is where members of OSNs volunteer their data for not-for-profit research. Many patient advocacy groups and clinicians are working for example to capture data on off-label drug use via anonymous contacts on OSNs. Though the data collected is less scientific than from traditional routes, its value lies in the fact that it comes from segments of the population who are dispersed or hard to reach (e.g. people who would not normally admit to taking a drug for non-approved purposes). NHS organisations could take a keener interest in this type of methodology (without actually attempting to do medical data collection via OSN themselves) or choose to do data collection in a very low risk area (e.g. a request for elderly people in a territorial board to send in anonymously their top three concerns for the coming winter). This could provide a spring-board for more targeted research.

Similarly, those working in public health surveillance can use data from OSN - along with geo-spatial coordinates - to build up an early impression of disease outbreaks.

5.4 Public education and health campaigns

OSNs can be incorporated into wider public health campaigns. ‘Tweet what you eat’ (healthier eating), ‘quitter twitter’ (give up smoking), ‘helping those, helping others’ (Blood Donation) are just some of the blogs/discussion fora set up by boards. The advantage of OSN here is that the official content is mixed in with tips and self-help sent in by the public. The informal and less censorious tone can be more accessible than some poster/web-site campaigns.

[3] Section 14 Encouragement of patient feed-back

5.5 Professional network support

As discussed in section 4, external online networks can be used where there are no internal OSN tools (e.g. nurses working in a board may be encouraged to use a particular respected OSN in preference to others to prevent knowledge being dispersed too widely). But health boards also need to be engaged with professional groups. The news stories and communications here can be tailored differently from those to the wider population (e.g. emphasis on a change in regulations that affects the membership). Care does need to be taken here as many professional groups jealously guard their independence and may have views at odds with government policy. NHSonline.net for example states clearly that it has no affiliation to the NHS or Department of Health (England) and is “therefore not subject to censorship by these organisations”.

5.6 Patient support groups

There has been an explosion of interest in ‘medical support sites’. More than two thirds of all health-related searches start at search engines (e.g. Google a health condition in order to find a support group). The quality varies enormously from respected charities to commercial companies (basically marketing tools dressed up as OSN) to sites set up by one individual on a kitchen table. NHS Scotland already provides high quality advice (e.g. NHS Inform) and sign-posts to support groups. On the whole it does not make practical sense for the NHS to compete with or duplicate these existing groups. Many have grown up over many years and have a strong brand. The question instead is how far the NHS should actively engage with any of these existing OSNs by sponsorship, providing content and two-way interaction. If OSNs are chosen carefully there are many mutual benefits: members of the OSN can be informed about new health services in a given area (e.g. via post-code) and links can be placed to comprehensive advice on the official web-site.

5.7 Transactions support

Where there is a stronger case for the NHS to build its own OSNs is where it is in conjunction with health transactions and patient data access (i.e. something which no other organisation or charity can offer because it does not have the data). The My Diabetes My Way pilot is a good example because the unique selling point has been access to one's own clinical correspondence (with authentication linked to Citizen Account) alongside more standard OSN functionality.

OSNs can be harnessed as a means to encourage use of online health tools. Gaining public confidence in ‘official’ tools is an important part of any eHealth strategy. In NHS England for example there are OSN pilots aimed at the 18-24 age group which promote Chlamydia testing. The idea is that interactive content will a) encourage the target group to get tested and show how it can be done; b) allow users to give feed-back or air anxieties which can then lead to the NHS re-designing the functionality.

PART B

6. Security risks and mitigation plans

Security is usually cited as the main reason why health boards are reluctant to adopt OSNs (even for the lower risk purposes described above). Much of the generic guidance produced by the OSNs themselves tends to be broad-brush and does not make the distinction between organisational risks and risks to individuals using them in their personal life. Just asking employees to “be responsible” and use “common-sense” is not enough as many of the risks are subtle and affect even the most security-aware individuals. The aim of part B is to:

- Examine the subject within the NHSScotland healthcare context
- Take ‘security’ in the widest possible sense; to include associated legal and reputational issues
- Identify the key risks to the health organisation and risks to staff acting as individuals in work and home environments (and where there are overlaps)

This paper is not designed to be a definitive list of ‘do’s and don’ts’ (such a simplistic approach is impossible given all the variables in 22 boards). The aim instead is to highlight the practical steps boards can take to reduce risks to an acceptable level through better governance, staff awareness/training and where possible technical measures.

7. Risks to the organisation through own usage of OSN

The following risks relate to the organisation’s own usage of OSN and where staff are using OSN in the work environment:

7.1 Site sabotage and hijacking

Organisations need to think carefully about how they would deal with their OSN pages/profiles being attacked and either taken offline or taken over. As the content is hosted by a third party (with no contractual commitment) there is little that can be done other than attempting to close down the whole space. At the moment OSNs are just one very minor channel for communications, but as usage increases the organisation will need to cope with the following scenarios:

- Take-over/spoofing: someone manages to log into the official NHS OSN account and remove content or even write spurious content which purports to be official. If this goes undetected or cannot be taken down quickly then it could seriously undermine services, communications and public trust (e.g. spoof ministerial/executive tweets or false allegations about staff/boards etc).
- Loss of service: the OSN could simply fail for any number of technical reasons. This could be problematic in situations where a particular site has become a key plank in a communications process (e.g. weather warning/site closure alerts reliant on Facebook/Twitter rather than phone).
- Hacktivism is a relatively new phenomenon; this is where attacks are made primarily to prove a point rather than for monetary gain. The NHS has not so far been top of the lists of targets (although the LulzSec group did hack into NHS web-sites to highlight vulnerabilities) but this could soon change if Scottish health service reform or new services become controversial (e.g. closure of health centres, back-tracking on policy commitments for services etc).

Counter measures

Governance: Decide on a channel strategy (i.e. where OSN fits into communications/services). Assume sabotage will happen at some point so put in place a plan of action for dealing with it (e.g. how you can inform customers through a more trusted channel such as the official web-site hosted internally that there is a problem and correct the spoof content). Find out from the OSN the process for dealing with the problem (e.g. will it be minutes or days before a sabotage is corrected?) and whether there is any OSN moderation.

People/Guidance: Training for the OSN engagement team on how to write content which is less likely to generate attacks (e.g. avoid overtly political or lecturing tones).

Technical: It should be assumed that OSN is not robust for essential communications and alternative trusted channels will need to have greater resilience at a time of emergency (e.g. is the board’s email exchange server, web-server etc able to cope when everyone is working at home due to snow?).

7.2 Legal risks through official OSN interactions

The whole point of OSNs is to be ‘interactive’ but this does not necessarily mean interaction with each individual that places content onto the NHS site. When individuals place a question, make a factually inaccurate remark or appear to be in distress there is a natural instinct on the part of officials running the OSN profile/site to answer. But there are some significant problems here for the organisation:

- Once you start answering personal queries/remarks/threads then there will be an expectation that this is a full-blown enquiry and answer service. Boards may not have the capacity to do this and it could conflict with existing channels.
- OSNs operate at a much faster pace than traditional routes. This can bring many advantages (e.g. dealing with quick enquiries online, giving sign-posts where to find help and therefore cutting down on the volumes of phone calls/letters to boards) but it can also pose legal and safety problems when it starts to touch the clinical arena. For example, a user on a Blood Transfusion/Blood Safety OSN page might ask for what seems simple advice. But the organisation exposes itself to legal problems if its reply - given by a non-specialist to an anonymous person in a hurry - is later perceived to be wrong by the recipient.

Counter measures

Governance: Be clear at design phase how the organisation will interact and deal with queries etc (e.g. policy not to deal with any individuals but by a block answer?), who will do the interactions (e.g. only specially trained staff?) and subject areas which are out of bounds (e.g. not to touch on clinical areas unless a special clinical hot seat is created?).

People/Guidance: Training for the OSN engagement team on how to answer questions; knowing how to put up ‘sign-posts’ in preference to giving advice on the hoof.

Technical: Find out how moderation works; how long content is kept by the OSN, how anonymous sign-on/registration is, and how organised groups could create multiple false accounts to create traffic that disrupts the service.

7.3 Information leakage as a result of inadequate permissions

Where an NHS organisation uses a public OSN it is generally assumed that all the information placed there is unclassified and does not therefore require site permissions (i.e. if you are going to put up content you expect everyone to see it). But as OSN use in public bodies takes off there may be a perceived need to segment the data according to user group to create semi-private spaces (e.g. a drug addiction support OSN user group logging into one separate area). This approach is already used in the professional group OSNs (e.g. organisations create their own Yammer/Huddle space or bubble). But the organisation needs to consider the impact if the permissions simply fail:

- Faults in the biggest OSNs have led to permissions or privacy settings not working; this has allowed personal data – which the user expected to be open only to specified users - to be made available to everyone (which can mean millions of subscribers). An NHS online site in England that stores CVs recently failed leading to personal data being available to the whole NHS community until it was fixed.

Counter measures

Governance: When using public OSNs ensure that all information is unclassified; use segmentation of information (e.g. creating lots of user groups/profile pages) for administrative ease rather than as security permissions (i.e. assume everyone can see it). In the case of OSNs for corporate use seek advice from security if it is to be used up to PROTECT (e.g. accreditation to this level is possible with certain sites).

People/Guidance: Inform all staff that although information is unclassified this does not necessarily mean that it is disclosable for the purposes of FOI.

Technical: Monitor permissions failures in OSNs so as to report back to the business.

7.4 Content management issues

When using OSNs there is very little control which can be exerted over the lay-out and ownership of content.

- Advertisers for medical products and services will try any means to give the impression of ‘official’ endorsement, including placing content adjacent to NHS material.
- In many cases the ownership of all content becomes the property of the OSN. The public body does not have an automatic ability to take content down (even if it is offensive or in direct conflict with NHS advice). In fact taking content down can prove to be counter-productive in some cases.
- Where an OSN is used for professional purposes (e.g. staff knowledge sharing tool) care needs to be taken that sensitive internal documents are not uploaded and that version control is not lost (e.g. un-redacted board minutes going up on an OSN with redacted version on the official NHS website).

Counter measures

Governance: Needs to be clear who is able to upload documents and a process to ensure that the documents are final and approved for public dissemination. Write copyright statements (e.g. ownership of documents is still with NHS).

People/Guidance: Training for OSN engagement team; making clear that the type of content is different from standard official web-sites. Focus on shorter informal bursts rather than monologues.

Technical: Agree a retention policy for corporate OSNs (i.e. if it is assumed that records are held in the organisation then the OSN copy content can be deleted quickly when no longer used). Check in advance the OSN's advertising policy and controls over layout.

7.5 Risks relating to staff usage of OSN in the workplace

When an organisation has adopted OSNs there is the obvious need for a group of staff to be able to see and interact with those sites. In a tightly controlled environment this might just be a handful of external communications experts or a team of policy staff monitoring content. But the larger the group with access (e.g. the whole organisation) the more there is the risk of staff crossing the professional lines:

- In theory when an NHS OSN profile/page is launched there are in effect two groups of organisational users: a) those in the OSN engagement team who can officially update and reply to content posted by those outside the organisation and b) those within the wider organisation who may be able to look at content but should not interact. But such a neat distinction is not always easy to maintain; many in the latter group may choose to put up content which might conflict with the official line. There could then be an unseemly online debate between two sets of officials relating to health services or policy.
- Access to the whole OSN (e.g. Facebook) then gives staff the technical ability (though not necessarily the permission) to use that site for personal purposes at work. This brings with it all the risks to the employee outlined below.
- Where the employee acts using official NHS computing resources (rather than at home) there is a greater legal liability to the organisation. This risk is not new (i.e. staff have long been able to send inappropriate email from web-based accounts while at work if the sites are not blocked). But the spontaneous nature of OSNs, and their reach to millions of people, means the impact is far greater. For example if libellous, offensive or criminal content is posted while at work the organisation is likely to be dragged into any litigation. Even if an NHS login/email address is not used to sign into the OSN, the IP address can still be traced back to the board.
- The offensiveness of material is generally higher in a work context. For example several clinicians have recently been disciplined in Glasgow for taking ‘funny’ pictures of themselves underneath trolleys in a hospital and posting them online. The images taken in a different context – such as at home - may have seemed innocuous but because the staff were on duty it affected the reputation of the profession and the organisation.

7.6 Importation of malware into health systems

Usage of OSNs significantly increases the likelihood of malware (such as viruses, trojans and worms) being imported into NHS networks even where robust anti-virus (AV) measures are in place. This type of importation is indiscriminate (i.e. NHS is not usually the subject of a targeted attack but has picked up malware in general circulation). Malware can go un-detected for months (as AV software tends to scan known objects rather than unknowns) and can shut down whole networks.

The reasons for this are:

- Many OSNs use third party messaging/chat applications (which run on servers which the OSN has no control over). Such applications are a weak spot from which attacks can be made on the user’s PC/network. Many distributed ‘Botnets’ (where multiple PCs are in effect ‘taken over’ to perform malicious attacks) rely on PCs having access to such applications. This contrasts with the current position where staff who use messaging/chat applications (e.g. Microsoft Communicator) are always on the internal network.
- OSNs generally require an email address and these can be harvested and used for attacks or spamming. The more NHS email account names entered the greater likelihood there is of spear-phishing (i.e. where malware, bundled in a convincing attachment, is sent to recipients from what looks to be an NHS colleague).
- OSNs have features which are more likely to ‘bait’ staff into clicking onto links which download malware. Some are obvious (e.g. sensational news stories, prizes etc) whereas others are more subtle (e.g. click here ‘if you do not wish to receive marketing’).

Counter measures

Governance: Decide on whether some of the riskier applications are really required for the organisation’s online presence. If the answer is yes decide on which individuals should be using them (i.e. usually no need for whole organisation to have access to these tools).

People/Guidance: Issue simple desk-top guidance on the top five things to do in order to prevent malware being introduced into the organisation for those PCs which are not locked down (e.g. never to click on attachments from unknown sources, only for the designated OSN administrators to enter in a generic NHS email address).

Technical: Apart from ensuring AV security patches are up to date there needs to be timely reporting by the user community of anomalies (e.g. that might show a PC has become part of a botnet); business continuity plans and quarantine plans to be in place if there is a serious outbreak.
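
The spear-phishing risk in section 7.6 is mail that carries malware in a convincing attachment and appears to come from an NHS colleague. The following Python is an added example, not code from this paper or from NHSScotland, of the kind of triage check a board's mail gateway could run on inbound messages before they reach a desk-top: it flags a sender display name that matches a staff directory entry but arrives from an outside domain, a display name that embeds an organisation address, a Reply-To that steers replies to a different domain from the apparent sender, and attachment types commonly used to carry executable content. The organisation domain, the staff directory and both sample messages are constructed for the illustration.

```python
"""Flag inbound mail that impersonates a known colleague (spear-phishing triage).

Added illustration, not NHSScotland tooling. The organisation domain, the staff
directory and both sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the board's own mail domain and a tiny staff directory keyed by
# normalised display name. A real check would query the organisation directory.
ORG_DOMAIN = "example-board.nhs.example"
STAFF_DIRECTORY = {
    "jane macdonald": "jane.macdonald@example-board.nhs.example",
    "ali khan": "ali.khan@example-board.nhs.example",
}

# Attachment types that commonly carry executable content or macros.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm", ".hta")


def normalise_name(name):
    """Lower-case, drop punctuation, sort the words: 'MacDonald, Jane' and
    'Jane MacDonald' both become 'jane macdonald'."""
    words = re.sub(r"[^\w\s]", " ", name).lower().split()
    return " ".join(sorted(words))


def domain_of(address):
    return address.rpartition("@")[2].lower()


def assess_message(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name matches a colleague but the address is outside the organisation.
    if normalise_name(display) in STAFF_DIRECTORY and sender_domain != ORG_DOMAIN:
        findings.append("display name %r matches staff directory but sender domain is %s"
                        % (display, sender_domain))

    # 2. Display name itself contains an organisation address so it looks internal.
    if ORG_DOMAIN in display.lower() and sender_domain != ORG_DOMAIN:
        findings.append("display name embeds an %s address; real sender is %s"
                        % (ORG_DOMAIN, sender_domain))

    # 3. Replies are steered to a different domain from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("Reply-To domain %s differs from sender domain %s"
                        % (domain_of(reply_to), sender_domain))

    # 4. Attachment types that commonly carry malware.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky attachment type: %s" % filename)

    return findings


# Constructed sample: a lookalike of a colleague, sent from a free webmail
# domain, steering replies elsewhere and carrying a zip attachment.
SUSPECT_MESSAGE = """\
From: Jane MacDonald <jane.macdonald@freemail.example>
To: ali.khan@example-board.nhs.example
Reply-To: rota-admin@another.example
Subject: Updated ward rota
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Ali, the new rota is attached, please check your shifts.
--b1
Content-Type: application/zip; name="rota.zip"
Content-Disposition: attachment; filename="rota.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: ordinary internal mail, which should produce no findings.
BENIGN_MESSAGE = """\
From: Ali Khan <ali.khan@example-board.nhs.example>
To: jane.macdonald@example-board.nhs.example
Subject: Lunch

See you at one.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, assess_message(raw) or ["no findings"])
```

A message with findings would be quarantined or tagged for the recipient rather than silently dropped, and the findings fed to the anomaly-reporting route the Technical counter measure above calls for.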

7.7 Capacity and time-wasting issues

- One of the main reasons why boards have not adopted OSNs more readily is because of the lack of band-width. The download of bit-hungry video-clips in particular can mean that other business critical web-based activities are affected.
- As with other online activity there are operational risks associated with ‘time wasting’ by staff. OSNs can be highly ‘addictive’ and many employees will have grown accustomed to updating content throughout the working day. Blanket banning of web-sites from the office network can just mean that staff switch to using personal web-enabled mobile devices while in the work-place.

Counter measures

Governance: Be clear who can have access to OSNs in order to do their job. In an NHS territorial board context it is highly unlikely that the whole organisation would need access to OSNs. But for special boards it may be that the channel strategy expects staff to gain visibility of what customers are talking about online.

People/Guidance: Guidance for all staff which goes beyond use of organisational computing resources; staff are now bringing in their own equipment and connecting online via short-range wireless (e.g. Wifi) or cellular. So there needs to be a fair usage approach.

Technical: To advise the OSN engagement team on how access can be managed (e.g. sometimes access can be just to the official organisation page on Facebook/Twitter rather than the whole site). To consider whether a separate internet-pipe is needed for communications staff (i.e. rather than using N3). Do some modelling on how x users on a particular site would impact capacity.

8. Risks relating to OSN usage by NHS employees outside work

Even if the NHS were to do nothing in the OSN space and block access at work it would still be exposed to security and reputational risks relating to employee usage of them in their home life.

8.1 Capturing credentials for malicious purposes

Many users of OSNs make clear in their profiles/pages that they are NHS employees. If such users also use NHS credentials as part of login (e.g. NHS email address, and same password used at work) then it can compromise the security of the work environment.

- If a user habitually uses the same password(s) or one of the most common passwords in their home life (e.g. for OSNs) then if captured with context (i.e. a would-be attacker knows exactly where you work) it could be used to gain access to online NHS applications or internal systems.
- Currently ‘single-sign on’ is being rolled out across some boards; this means that obtaining one password will grant access to multiple applications. Many would-be attackers are insiders with access to the building and PCs; if they are able to login using captured credentials then the audit trail would show only the name of the official user.
- At least one key NHS application allows changes of passwords based on personal detail prompts (e.g. mother's maiden name, place of birth, pets etc). Much of this is easily picked up on OSNs (e.g. aggregating bits from several sites to get a complete picture of an individual).

Counter measures

Governance: Update existing policies to make clear that the use of official NHS email addresses or credentials in a non-work (e.g. online social networking) context is prohibited. Sanctions for transgressions.

People/Guidance: Awareness campaign with top five things to protect staff work identity (e.g. never use work passwords; never give out work email, phone number on personal OSNs etc). But bear in mind that many employees (especially senior managers) will already have their work details online as part of government transparency/FOI etc. The ICO has made clear that public servants do not have an absolute right to anonymity.

Technical: When developing identity and access models in NHS to consider how staff are operating in the home environment. To develop subtly different ways of authentication (e.g. stronger passwords and prompts, two-factor authentication, biometrics etc) so that if a person’s identity is compromised at home it minimises the impact on the organisation.
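
The Technical counter measure above lists two-factor authentication among the ways to limit the damage when a password captured at home is reused at work. The following Python is an added example, not NHSScotland code, of the time-based one-time password scheme from RFC 6238 that most hardware tokens and phone authenticator apps implement: the server and the user's token share a secret, each derives a six-digit code from the current 30-second time step, and a login needs the current code as well as the password, so a password on its own (however it was obtained) is not enough. The shared secret below is the RFC 6238 test-vector value, used only so that the codes can be checked against the RFC's published vectors; a real deployment generates a random secret per user and stores it encrypted.

```python
"""RFC 6238 time-based one-time password (TOTP) as a second login factor.

Added illustration, not NHSScotland code. DEMO_SECRET is the RFC 6238 reference
secret so the codes produced here match the RFC's published test vectors.
"""
import hashlib
import hmac
import struct
import time

# Constructed for the illustration: the RFC 6238 reference secret (ASCII
# "12345678901234567890"). A real deployment generates a random secret per
# user, stores it encrypted server-side and provisions it once to the token.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # time-step length used by RFC 6238 and most authenticator apps
DIGITS = 6          # code length shown to the user


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, window=1):
    """Check a user-submitted code against the current step and `window`
    steps either side, to tolerate clock drift between token and server.
    Every candidate is compared in constant time and the loop always runs to
    the end, so timing does not reveal which step (if any) matched."""
    if not (isinstance(submitted, str) and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // STEP_SECONDS
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082 at 8 digits, i.e. 287082 at 6 digits.
    print(totp(DEMO_SECRET, 59, digits=8), totp(DEMO_SECRET, 59))
    print("current code:", totp(DEMO_SECRET, time.time()))
```

A production server would additionally record the last time step at which each user's code was accepted and refuse a second login with the same code, so that a code observed over the shoulder or on an unencrypted Wifi hotspot cannot be replayed within its window.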

8.2 Social engineering to obtain information

As well as capturing credentials there are other types of NHS information which can be obtained using deceitful – but not necessarily illegal - techniques that play on people’s natural instincts and ‘hook’ them in. There is a large market for the type of data held in NHS:

- So-called information brokers or aggregators are paid to source addresses/employers and other key data; they are increasingly aware of the types of information systems within the NHS and the people who have access to them.
- The so-called ‘phone hacking’ scandal in the UK has shown how private detectives can use illegal methods to obtain data (e.g. gaining access to voice-mail and using insiders at telcos). But some individuals leave the door wide open in their personal online profiles to debt collection and tracing agencies, activists, researchers, companies in healthcare or organised criminals (e.g. for fraud or intimidation purposes).
- Some healthcare staff have access to controlled drugs and materials which can be used by terrorists for biological, chemical or even radioactive attacks. OSNs are both a place to hide (for anonymous conversations) and a place to air extreme views and hook in staff.
- Although NHSScotland does not offer the same scope as banks etc to steal hard cash it does have a budget of c. £10 billion, considerable movable assets (e.g. IT hardware, drugs), a catalogue of services which can be fraudulently obtained (e.g. repeat prescriptions) and a pool of people – patients and staff - who have often dropped their guard in stressful situations. OSNs offer data in abundance from which to plan an attack from a remote location (whereas in the past physical surveillance of sites and people would have been necessary).

Counter measures

Governance: To put in place an alert procedure whereby an employee can contact HR/security if he/she feels that NHS data as well as personal data has been unwittingly passed on during online chats/blogs at home. Early notification can mean that the organisation can take steps to warn other staff and lessen impact.

People/Guidance: Staff awareness campaign; e.g. staff to not enter into OSN conversations with patients; to look out for un-wanted attention that arises from their employment in NHS. Many professional groups such as the British Medical Association and the Nursing and Midwifery Council have recently drawn up guidance for their own members.

Technical: Make regular security assessments of the people and assets which are vulnerable; to ensure that information about them is tightly restricted so that there is far less scope for them to be talked about in OSNs or anywhere else (e.g. the location or procedures governing hazardous materials). Step up protective security in sensitive areas wherever possible (e.g. swipe card readers). Assume that information in some areas of NHS is bound to get discussed online whatever steps you take (e.g. admittance of high profile patients, sacking of staff). To put in place more robust audit mechanisms around access to NHS systems and be able to monitor staff use of OSNs (where there is a formal investigation).

8.3 Putting up offensive or inappropriate content

Individuals using OSNs - who can be identified as NHS employees - can cause serious reputational damage to organisations as a result of the content they upload. The use of web enabled mobile devices in particular can lead to impulsive behaviour which users often later regret. Once content has gone online (e.g. a picture on a profile) it is virtually impossible to remove completely as followers with access may have copied and distributed world-wide within minutes. Some content is obviously inappropriate (e.g. explicit pictures that identify staff) or illegal (patient identifiable data) but in other cases the employee may feel they are acting within their rights:

- There are difficult ethical questions surrounding how far staff should be able to give personal views on the NHS (e.g. the leadership, colleagues, facilities, procedures etc).
- Writing detailed descriptions of what is going on in the work-place (without mentioning staff or patients by name or being critical) can still be damaging.
- Change management resulting from organisational re-structuring and reform of patient services becomes much more difficult if staff are giving a running commentary on OSNs.

Counter measures

Governance: Update existing policy documentation and weave in employee online behaviour. Much existing documentation only covers activity while at work or using work computing resources. This needs to be wider and cover behaviour using own mobile devices/equipment at home that can be damaging to the organisation. Blanket bans on discussing work may not always be useful as staff belong to professional networks (e.g. GPs, nurses) and may wish to share common concerns (without mentioning patients etc).

People/Guidance: As a general rule employees should ‘put away their badge’ and act as individuals if giving general views about their organisation or political decisions and should steer clear of attacks on individuals. Use the guidance material produced by professional bodies.

Technical: There may be a need to monitor the activity of an employee on an OSN (e.g. if HR are investigating a complaint); if the updates to OSN are taking place at home then there needs to be an agreed method of monitoring and recording that is proportionate (i.e. not to undermine a person’s privacy without good grounds). This can be difficult if online presence is relatively anonymous and audit trails are under the control of the OSN. Understand how liaison with the police would work before an incident actually happens (e.g. some constabularies have online crime experts).

8.4 Personal ID theft and safety risks

The police make a distinction between age-old crime ‘facilitated by ICT’ (e.g.

extortion, theft) and new crime ‘created by ICT’ (e.g. denial of IT service). Both types

of crime can be found in OSN space:

- Harassment and bullying: some disputes start online and then escalate into real-world conflict (several disputes on OSNs have led directly to murders) while in other cases it is the other way round (with a dispute starting in the workplace, for example, and then continuing in cyberspace). NHS staff are perhaps more vulnerable than most because of the very public nature of their work and the high emotion generated in health contexts. A patient with a grudge, for example, could seek out staff through OSNs. Cyber-stalking can in extreme cases lead to actual harassment or physical harm. The risks of targeting are higher for staff working in sensitive areas with vulnerable groups and children.

- ID theft ranges from indiscriminate harvesting of personal/work email addresses to focussing on an individual over a period to gain employer details, bank details, National Insurance number, date of birth etc. Login details and cookies are relatively easy to steal from people logging onto OSNs (which generally do not have secure login such as SSL) while in Wi-Fi hotspots.

- The physical security of hospitals and surgeries is rarely high because of the volumes of people coming and going. An intruder – with or without a white coat – has a greater chance of blagging his way into wards or administrative buildings if he knows the names, exact job titles, departments, buildings and other contextual data relating to staff.

- Patients too are at greater risk if information about their stay in hospital is broadcast on OSNs. Loose talk has always been a problem (e.g. when high-profile persons are in hospital) but OSN functionality such as micro-blogs from Twitter and photo imaging from mobile devices in hospitals means that the speed and reach are now far greater.

- Location-based risks: many mobile applications attached to OSNs give precise geographical coordinates. Burglars, for example, are known to monitor them to seek out empty properties, and an employee’s presence in a hospital/surgery can be pinpointed to within 10 metres if he/she has a device switched on and has subscribed to the service.

Counter measures

Governance: As for 8.3; HR policy on harassment/professional conduct may need to be updated to include activity in cyberspace.

People/Guidance: A simple guide on the types of business information which should never be revealed online, as well as general rules about discussing work. Some of this is board-specific: in an ambulance service, for example, this might include daily fleeting for ambulances or control procedures for transporting medicines/human organs (things which could come out informally when writing a daily personal blog but get picked up by those with malicious intent). Be aware that logging on to OSNs while in wireless hotspots exposes the user to possible credential theft.

Technical: Have a reporting procedure in place for theft or spoofing of personal ID, as it is likely to affect the work ID (e.g. an NHS mail address being used to send out malware/spam, or a pseudo NHS address which uses a real name but does not have an official suffix). Be able to take an email account out of service quickly, change passwords, security passes etc.

8.5 Wider privacy issues

OSNs have so far rubbed against the grain of privacy legislation in Europe (such as the Data Protection Act and the Privacy and Electronic Communications Regulations):

- Much of the data placed by staff onto OSNs is sold on to third parties. Small print on joining is taken as consent to this activity.

- When an individual decides to take a profile down there is often no commitment from OSNs that all the data will be permanently deleted.

- New features are added to sites which could affect privacy (such as facial recognition software to provide names to photographs) without the user necessarily being aware of them.

- Cookies have become more sophisticated and intrusive. Users can decide how far they wish to connect their web browsing activity to OSNs (e.g. Facebook ‘likes’) but there have been allegations, for example, that connectivity between NHS Choices in England and an OSN could in effect generate a log of the medical health advice pages visited.

Counter measures

Governance: If an OSN is being used for corporate purposes, get assurances beforehand on what the company is doing with the data, where it is hosted etc.

People/Guidance: Simple guidance on how to reduce risk at home (e.g. removing certain types of cookies, changing privacy settings, understanding ‘fair processing’ notices, how to complain to the Information Commissioner etc.).

Technical: Gather case-study evidence on good and bad practice relating to cookies and fair processing notices so it can be used when designing official NHS interactive services (e.g. patient portal) that rely on patient trust.
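As an added illustration, not part of this paper, of the credential and cookie exposure described in 8.4 and of the cookie practice that the Technical counter measure in 8.5 asks boards to evidence for a patient portal, the following Python audit takes a login page URL and the Set-Cookie headers returned while that page loads and reports the weaknesses a reviewer would want flagged; every hostname and cookie value in it is a constructed placeholder.

```python
from urllib.parse import urlparse


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_responses(portal_url: str, responses: list[tuple[str, list[str]]]) -> list[str]:
    """Return findings for a login page and the responses its page load triggered.

    responses: (response URL, Set-Cookie headers) pairs, in load order.
    """
    findings = []
    if urlparse(portal_url).scheme != "https":
        findings.append(f"login page {portal_url} is plain HTTP: credentials readable on shared Wi-Fi")
    portal_host = _host(portal_url)
    for url, headers in responses:
        host = _host(url)
        first_party = host == portal_host or host.endswith("." + portal_host)
        for header in headers:
            name, attrs = parse_set_cookie(header)
            where = f"{name} from {host}"
            if not first_party:
                findings.append(f"{where}: third-party cookie set during page load (tracking exposure)")
            if "secure" not in attrs:
                findings.append(f"{where}: missing Secure, will also be sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{where}: missing HttpOnly, readable by page scripts")
            if "samesite" not in attrs:
                findings.append(f"{where}: missing SameSite, sent on cross-site requests")
    return findings


# Constructed sample: a hypothetical portal login page that embeds one social widget.
SAMPLE_PORTAL = "http://portal.example.invalid/login"
SAMPLE_RESPONSES = [
    (SAMPLE_PORTAL, ["session=abc123; Path=/"]),
    ("https://social.example.invalid/widget.js", ["tr=xyz; Secure; HttpOnly; SameSite=None"]),
]
```

Running `audit_responses(SAMPLE_PORTAL, SAMPLE_RESPONSES)` yields five findings: the plain-HTTP login, three missing attributes on the portal's own session cookie, and the third-party cookie set by the widget.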

9. Conclusions

Targeted use of OSNs – internally and externally – for the first-wave applications can bring considerable benefits and fits squarely with the eHealth strategic aims. It is important that security and legal anxieties surrounding OSNs do not lead to health boards simply ignoring or blocking them wholesale. OSNs are here to stay and many of the risks relate more to how individuals, in a personal capacity, behave while online than to the controlled and officially sanctioned content (or the analysis of other people’s content) that boards produce.

At the moment health boards have very little official OSN presence and most of the threats are indirect: boards, as organisations, are not being actively targeted online by criminals, terrorists or foreign agencies (but are at risk from the malware such groups have circulated). Most of the current threats are to individuals, who just happen to be employees of the NHS. And it is individuals, through personal use at home or in the workplace, who are exposing the organisation to reputational, legal and security risks. So even if boards had no presence in OSNs, these risks would not go away without concerted steps to change staff behaviour.

The threat level is likely to increase in the coming months as:

- Boards begin to use OSNs to a much greater extent in conjunction with online services (e.g. patient portals).

- An even higher proportion of the 165,000 staff in NHSScotland use OSNs for personal and professional networking.

- As the security of e-commerce gets progressively tighter (e.g. better authentication, audit, monitoring and user education for online banking/shopping), criminals and other groups will turn even more to OSNs as a weak spot from which to obtain personal data.

- Criminals move into new areas of health-related fraud. Malware attacks will become much more targeted than in the past (e.g. email with embedded malware sent to a specific person).

The risks to the organisation can be reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not leave it to lone enthusiasts) and put in place a realistic mixture of the governance, guidance and technical/security measures outlined above.