Monday, June 25, 2012

HACKED in HIT: Does your HCO have an EMR / EHR security plan?

Our blog has moved. You will find this blog post and fresh content on our new Talascend IT blog.

Does your HCO have an EMR security plan?
A couple of weeks ago we talked about your social media network getting hacked. While potentially embarrassing to those hacked and a slight risk to other accounts on your network, it is a problem easily remedied in the grand scheme of things.

What happens when an entire HCO is hacked and EMR / EHR information is compromised?

Patient records, dating back perhaps to prenatal checkups for mom, to that surgery 10 years ago, to a suspicious lump that was successfully removed, are at risk. And once they’re out there in cyberspace, how can they affect the rest of a person’s life?

In all likelihood, people after the information are looking to snatch your identity. For the longest time, medical records have been linked to social security and driver’s license numbers, not only for ID purposes but for billing purposes as well. When a criminal makes off with a couple million of those numbers, there are bound to be at least a few prime names and numbers to target.

I am making a big leap here but, in this age of social media and cloud computing, what if your medical records were compromised and made available online to background check services without your knowledge?

Might an internet search bring up a health record file stating that you are being treated for severe depression, causing your renowned career as a motivational speaker to come to an abrupt end? A more plausible scenario: Could a past positive malignancy test keep you from getting a job, even though you’re one of the top two candidates, because you may cost your potential employer group a higher health insurance premium than the candidate without such a medical past?   

A study performed last year reported that upwards of 51% of HCOs and private practices intended to apply for Meaningful Use dollars during the first year, yet only 11% of them had the EHR systems in place to be able to meet 10 of the 15 Stage One requirements. Wouldn’t it make sense that many of these same physicians intending to implement EHR systems might not be completely locked down security-wise as well?

One thing is certain: healthcare providers are going mobile. Laptops, smartphones and tablets make up 40% of healthcare data breaches, but only 50% of the respondents to a recent HIT survey said that anything was being done to protect the data on their mobile units.

With cloud computing replacing SaaS and proprietary systems, new tablets coming out seemingly overnight, and limited quality mobile device protection, it’s a daunting task for any HIT professional to stay ahead of the game. In addition, although I suspect many would like to, the heads of HIT security can’t staple a tablet to the practitioner’s hand to avoid leaving it at the café table. Even with security measures in place, most healthcare professionals are not practicing any form of security best practices.

Since 2009, there have been nearly 400 major EMR and EHR security breaches affecting nearly 20 million people, or about 6.5% of the US population. Chances are, the numbers are similar all over the world.

The result? Several lawsuits have arisen out of these breaches in security. Special security breach insurance policies are available now and they are selling, meaning healthcare costs are going to rise even further. The public image of institutions, much like that of a hacked social media user, is tarnished at the time of the incident and beyond.

So what can HIT departments do to minimize risk?

  • Get a security plan in place. Many of the largest data breaches occurred at institutions with inadequate or no security plan in place.
  • Learn the cloud and all the intricacies of its communication with your staff’s mobile devices.
  • Standardize equipment. If everyone has the same devices, it is much easier to stay ahead of the game and update security software.
  • Bolster security training and make it mandatory.
  • Use encryption tools to keep data protected.
  • Have a social media policy in place covering practitioner conduct to protect patient information.
  • And most importantly, explain to staff why it is important to the HCO, the professional and the patient (customer) to adhere to your security plan.

It’s one thing for your social media account to get hacked. When personal health information is hacked, a breach has the potential to evoke a different level of embarrassment for HCOs and patients.

Does your institution have a data breach or security action plan in place? Have you had any security training on your mobile devices? I invite HIT and practitioners alike to share your stories with us.


Monday, June 18, 2012

What’s Mine is Yours: When does employer social media policy cross the line on privacy and property concerns?


Do employers have rights to employee social media info?
In the technical resources business, we have to be concerned about several aspects of E/O/E laws and regulations. Yet, in today’s world, it’s becoming more commonplace for an employer to ask for social media user names and passwords from candidates, employees and current staff.

Laws and guidance are changing every day, and cases are being heard on the gray area over social media monitoring by employers. The trouble with the law is that it is black and white; all or nothing.

The problem with intellectual property of social media is that no one knows which side of the spectrum is which. Where do we draw the line between privacy and intellectual property rights of employers and employees?

Here are three scenarios to ponder:

1. What’s mine is mine…right?
Say a new employee has a following of over 35,000 Twitter followers and can attract 7,000 new visits per month to your corporate website. It’s all based on their ingenuity in building such a following before they were your hire. You hired them because of the very influence they garner in the social media realm.

After you hire them, who owns the rights to those followers and visits?

The employee did all the work before you hired them, which made them more attractive. Where is the line drawn? I can understand company ownership if the employee built the following based on their employer’s network, leads and audience they already had. When they bring it to the game, unless you’ve specified otherwise in a contract, you could lose the following you so desired at the time of hire.

2. Personal business on company time vs. company business on personal time
Often personal and professional social media cross paths in a professional setting. An employee promoting the company wants to gain as much publicity for the company as possible while under your employ. Do employers have the right to monitor everything you do during working and non-working hours?

There are stories of off-time surveillance of personal accounts being conducted by employers to mitigate risk. Where does this leave social savvy employees? Must they worry about every word they share with friends and family? The information contained in your Facebook account could directly conflict with the best interest of the company and its initiatives. Does this type of social media surveillance cross the line?

What could an employee do in their personal sphere that could hurt the company? Does that potential damage exist with enough probability that it warrants an invasion of privacy? Is it even an invasion of privacy if the employee chooses to mix their work and personal lives together? Is it even possible to separate the two these days, and is there too much gray area? The more I think about this, the fewer answers I have and the more questions I have.

The surveillance is happening, more frequently than you’d expect, whether you know it or not.

3. What was yours and what was mine again?
So you’re ready to leave your current employer. Similar to the PhoneDog case we discussed in January, while with the company, say you created a large social media following. You used it for the good of the company, both in your time on the clock and off.

Does that time off the clock give you any rights to part of that audience? Conventional wisdom regarding other forms of intellectual property would say ‘no.’ The tricky part about social media is that, many times, personal networks and promotion come into the mix. Who’s to say employees have no rights to personal followers, on their own accounts, gained through this activity: the courts, a panel of experts, their network?

The problem with all of these scenarios is that there is a fine line between personal and professional clout when it comes to social media. And with the increasing use of social media as a promotional and marketing tool, the lines get grayed in a hurry in legal dealings. A case could go either way depending on the jury and the ‘experts’ called to testify.

If you’re an employer I ask, ‘Do you have a social media policy in place to cover such matters?’ If so, is it legal? If you’re the social media guru, have you protected the rights of your personal intellectual property?

Look for more legislation in the future surrounding these issues, and look for an ever-changing landscape of precedents to follow.

Where do you think the line should be drawn?

Monday, June 11, 2012

Your password has been hacked, now what? Three ways to address your contacts.


Last Wednesday, LinkedIn reported that a number of users had their passwords compromised. Although not confirmed by LinkedIn, it’s estimated that about six million of its 161 million+ network fell victim to the security breach. If you’ve been following Talascend and me for a while, you’ll remember the piece about creating passwords using a cipher.

How would you handle being hacked?
But what do you do once the damage is done?

Some choose to ignore the problem hoping it will go away. Even worse, infrequent users might not realize that anything has happened and the resulting spam propagates to incredible levels. Some choose to get right out there and post on Facebook and Twitter, ‘folks my password has been compromised. I am not stranded in London. I am OK. Please do not respond to messages from me that ask for money, unless of course, I call you and speak with an outrageous accent or send a grammatically incomprehensible email.’

What’s the proper etiquette or social protocol to inform friends, family and colleagues that a hacker has infiltrated your personal online space? Here are three ways to address your network.

  1. Humor - ‘Two passwords walk into a bar.’ Even if you’re not exactly on the comedy A-list, a good way to break the ice with your network is to use a little bit of humor. Like the example above, be a little ridiculous. Give examples of old fraud emails. Talk to them about free iPads or winning a $1000 gift card to Best Buy. Then get serious. Tell them not to open anything that has a link in it and, if you must send them a link, remove the hyperlink and tell them to cut and paste it.

  2. The straightforward approach - If you’re the no-nonsense type, simply get to the point and be done with it. In the LinkedIn example, if your account was hacked, give them the facts, let them know you’re on top of it and when the problem is likely to be resolved. Tell them how to find more information on the attack and how to create a better password.

  3. Infrequent users: Check or close your account - Social media accounts that are inactive or abandoned tend to be the most vulnerable to attack and the most dangerous, simply because users might not get notification if a breach has occurred. Chances are, if you migrated from MySpace to Facebook years ago, then many of your friends have done the same and many of them still have the same email address. They could be getting messages from you for anything from ‘cheap prescription drugs’ to ‘cut rate insurance’ without you knowing it. One of the best things you can do is rid yourself and the web of those inactive accounts.

If you’re connected to the Internet or any network, you are at risk. Sometimes even the best passwords are compromised due to hacker ingenuity. It’s still important to choose a password that is not easily guessed. It was also reported that about 1.5 million eHarmony passwords were hacked and published the same day, and a significant number of those had ‘eharmony’ or ‘harmony’ as part, if not all, of the password.

Is there shame in being hacked? Is it a cause for personal and professional worry?

If you choose easily guessed passwords, you should probably feel a little angst if you get hacked. Your lack of concern could cost you and your network a host of problems. If you get bested by hackers even with a high strength password, then fear not; quick action and honesty can help you save face. Even having a perfect, random character password won’t protect you from a site you are a member of being compromised as in this case.

What do you think proper protocol should be?

Monday, June 4, 2012

Top three differences between old professional behavior and new professional behavior


Social media blogger and author Allison Fine recently wrote an article in the Harvard Business Review discussing the difference between an old professional and a new professional.

Are you an old professional or new professional?
Through a series of examples she conveys the point that old professionals are those who operate by ‘corporate’ rules of conduct. New professionals, or those engaged in the social media world, are connected, literally. They more openly wear their professional hearts on their sleeves and feel connected on a more personal level. They share hobbies and interests with others in the course of their work. Fine asserts that corporations need to be like new professionals to succeed, shedding the corporate veil and opening up to the world.

While I agree with some points, I tend to believe that a proper mixture of old professionalism and new professionalism is needed to succeed. I also believe businesses do need to embrace social media, but not without some level of planning and oversight.

I present to you the top three differences between old professional and new professional behavior and some thoughts as to why I feel a mixture of behaviors is the way to go:

  1. Guarded and closed off versus open and emotional
    Old professionals operate by a different set of standards when it comes to the public release of company information. They tend to close the blinds and curtains until a carefully formulated message is ready for public release, if at all. New professionals want to get information out in real time. Yes, the opportunity to make public mistakes increases, but it makes your company more ‘human’ and easier to engage with.

    The new approach is risky because it only takes one mistake to relegate you to the front pages of the social media realm for all the wrong reasons. I am of the opinion that designated, trusted individuals should be responsible for speaking on the company’s behalf in social media and that executive oversight is a good idea.

  2. Public mistakes aren’t acceptable versus being free to make mistakes and apologizing
    Public mistakes are the enemy of the old professional and are a direct result of that guarded, closed off persona. Time and time again we’ve heard reports of companies and celebrities putting out sensitive information or doing something outside the realm of reason. Oddly enough, many of these mishaps occur in the social media world.

    Everyone, old and new professionals alike, makes mistakes. What’s really important is that you don’t make too many of the same mistakes and that you view them as an opportunity to learn.

  3. I have to have all the answers versus I’ll get back to you
    In the old professional world, when a question is asked you are expected to have an answer and to be on top of all goings on.

    I am more new professional when it comes to this attribute. I tell my teams and colleagues it is acceptable to say, ‘I don’t know but I will find out and get back to you,’ and that one cannot possibly succeed by holing up and working without communicating with the team.

In a sense, I am agreeing that we do need to be more transparent and accessible to the world outside of ourselves; however, one needs to be careful about the way they present themselves publicly.

There is indeed a divide as to what makes a person or company professional and what is considered acceptable, and it is likely somewhat generational. Fine argues that social media makes professionals and companies more human, in that they are more ‘honest, open, fallible, funny, and connected.’ Ultimately she says companies need to embrace the new professional approach to be effective.

I tend to assert the point that many pros, old and new, who are firmly entrenched in social media and use it for work and play, have a diminished ability to separate their front-stage persona from their backstage-selves.

All too often, the exact characteristics that are positives for the new professional are joined together with a feeling that it’s OK to be the ‘real you’ in all environments. Spouting off opinions without thinking (à la personal social media) could possibly alienate you, your company and those who support it by being too ‘real.’

The old professional is likely the real face you should have on in most instances because it is important to show respect, restraint, and patience. That’s not to say that being completely old school is the right way to go either. I suggest that companies need to find the right balance between openness and planning to be truly effective.