It is well reported that insider threats pose the biggest cyber security risk to healthcare organizations. According to Verizon’s Protected Health Information Data Breach Report, the majority (58%) of healthcare PHI data breaches are caused by insiders. Furthermore, healthcare is the only industry where insider threats pose a greater threat to sensitive data than external factors.
The report notes that while employees misusing or abusing their access privileges account for a significant proportion of breaches (29%), over a third (33.5%) are a result of error, including misdelivery of information or inadequate disposal.
Accidental errors occur every day in organizations of all shapes and sizes across the country, but in healthcare environments, where the confidentiality of PHI is at stake, the repercussions of even an innocent mistake can be severe. To make matters worse, most of the time employees don’t even know they’re breaking the rules. Social media in particular poses a threat to healthcare organizations: the ability to share anything with anyone at any time with just a few taps of a smartphone screen makes social networks a potentially high-risk channel within clinical settings.
This was highlighted in a recent case involving Thompson Health’s M.M. Ewing Continuing Care Center, a nursing home based in Canandaigua, NY. The organization discovered that members of staff had been sharing images and videos of residents via Snapchat – the multimedia messaging application used by people around the world to share photos, videos, text, and so on – and in doing so had violated HIPAA rules. The nursing home has since fired the employees involved, but the case is being investigated further by the New York Department of Health and the state attorney general’s office. While it is believed that the images were only shared within a group of employees, and not publicly, this case further highlights how easily patient privacy can be compromised by employees misusing social media.
Top tips for staying HIPAA compliant on social media
- Never post patient details – The best way to ensure PHI isn’t shared on social media is to simply not publish posts about patients, or about work at all. It is very hard to anonymize patients and remove every potential identifier that could give away their details. Therefore the best way to make sure patients’ details aren’t shared on social media is to not post about any patient in any way. Key PHI identifiers include name, contact details and medical records, as well as less obvious items such as license plate numbers and IP addresses.
- Separate work and personal life – Keeping working life and personal life separate can be a difficult balancing act. For healthcare professionals, mixing the two and interacting with patients online could lead to PHI leaking into the public domain, so it is important to maintain a clear divide between them.
- If in doubt, don’t post – This may sound obvious and straightforward, but if there is any doubt that the information being shared could compromise a patient’s privacy, then it shouldn’t be posted. Before posting anything on social media, take a minute to reread what you are sharing and make sure there will be no negative consequences.
- Stay away from non-secure messaging services – Most social networks have their own ‘private’ messaging platform that lets you communicate with others without leaving the app or site. However, you cannot guarantee the security of these messages: the recipient may be using a public computer where the information could be accessed by someone else. The best way to remain secure is to avoid sending patient PHI over private messaging altogether.
- Education is key – Keeping all staff up to date with HIPAA compliance best practices and company social media policies is crucial, and educating staff about the dangers of social media helps them understand what is at risk.
The benefits of utilising social media platforms can make them an extremely useful and crucial tool for healthcare professionals and patients alike. However, great caution must be taken when posting on social media as the disclosure of patient PHI, intentional or not, can have huge consequences for a healthcare provider.