Social networking in healthcare – security and privacy implications
The Internet is in constant evolution and while most users find this exciting, it also introduces a series of new threats and a range of new opportunities for cyber criminals. New technologies such as social networking tools are rapidly growing in popularity, including amongst healthcare professionals.
A growing number of organisations have jumped on the social networking bandwagon as a means to extend the reach of their business. Tools like Facebook, Twitter, LinkedIn and MySpace and many other blogging sites are an excellent way to promote products and services and keep in touch with customers, or patients in the case of the health sector. However, social networking tools could also pose some serious security threats to businesses if not wisely used.
According to a study conducted by Medical Observer in 2010, 79% of Australian doctors use Facebook. Most of them use social networking tools for social purposes but there is a growing number of doctors that use social networks to provide healthy lifestyle advice and education to patients.
Some doctors may find themselves in an awkward situation when their patients add them as ‘friends’ on Facebook and wish to discuss their medical issues. Health professionals need to be aware of the professional and legal issues introduced by using social media to interact with their patients.
Another problem related to the use of social networking tools, from a security point of view, is the leakage of confidential information. Staff discussing work related issues on social networking sites may inadvertently disclose confidential information about the business, a competitor, a customer or patient, or may make inappropriate comments which may be a cause of embarrassment to their employer.
Employees need to be extremely careful not to accidentally post sensitive information on public websites, forums and blogs. Even the publishing non‑sensitive information may have a considerable impact on security. In fact any personal information posted may be used by cyber-criminals to develop a detailed profile of the employee and help them to build a trusting relationship with their victims for malicious purposes.
An individual may be able to discover sensitive information by deduction from non-sensitive information published on a blog for example. This phenomenon is known as ‘inference’. Similarly, two or more pieces of non-sensitive information may increase their sensitivity when they are put together. This phenomenon is know an ‘aggregation’ and is very common on blogs and online forums, where multiple individuals discuss a common topic.
It is very difficult to prevent inference and aggregation as individuals can access a great volume of information from multiple sources over a long period of time and then correlate all the gathered data. Healthcare workers should be trained and aware of the risks posed by aggregation and inference.
A review of 271 medical blogs carried out by the University of Pennsylvania revealed that 56.8% of blog authors provided sufficient information to reveal their own identity and in 42.1% of these blogs individual patients were described. 16.6% of the blogs contained enough information for patients to identify their doctors or themselves.
There have been cases in Australia of doctors making inappropriate statements or discussing confidential information on social networking media. Doctors need to be very careful when posting comments or other information on the Internet as it can more than likely become very public very quickly, potentially having serious consequences on their reputation and career.
The Australian Medical Association in collaboration with three other peak medical bodies has developed Social Media and the Medical Profession, a guide to online professionalism for medical practitioners and medical students. This document provides advice to health professionals and medical students about preserving their personal integrity and reputation when using social networking media. One of the first pieces of advice provided by this guide is an invitation to doctors to search for their full name on popular search engines such as Google and consider whether they are comfortable with the results.
It is also important to understand that on the Internet, where users go, cyber-criminals follow. They have in fact developed many techniques that leverage social networking tools to steal users identity, to gather personal information and confidential data and to infect their victims’ computers with malware. These techniques include, for example, hijacking users accounts, spreading fake applications, setting up fake accounts, contacting users as Facebook itself and more.
Most malware can propagate via popular social networking tools. New malware that has been specifically engineered to take advantage of vulnerabilities of social networking media has started to appear. For instance the Koobface worm, which after infecting a computer, spreads itself by sending messages to friends of Facebook users. Koobface also works with Twitter, MySpace and other popular social networking tools. Consequently the information gathered from users’ accounts such as names, age and job titles, for example, can be used to impersonate the individual and to send emails containing malware on their behalf.
Organisations should have a social networking policy that regulates the use of social networking tools in accordance to the organisation’s objectives. An organisation may decide to provide unrestricted access to social networking sites in which case it is advisable that users are trained about the risks posed by the use of social networking tools. Or an organisation may decide to allow for restricted use of social networking tools by limiting access to specific employees or to specific hours of the day. This arrangement can be implemented through a web content filtering application or the administration interface of many modern routers.
Other organisations may decide to totally ban the use of social networking tools. However the employer can obviously exert no technical controls over what employees do outside business hours, or during business hours using their own Internet connected devices. Confidential or embarrassing information involving the organisation may still be leaked. It is therefore advisable that organisations have a policy covering the use of social networking tools and provide them with adequate information and training on the topic.
The social networking phenomenon continues to grow and has started playing quite an influential role on the political landscape in many countries. We only need to look at recent events in Egypt, Libya and Algeria, where social media has assisted in driving political changes. In January 2010 Facebook had 350 million active users however, just a year later the total of users had exceeded 640 million, half of which connect to the service daily.
Social networking is impacting on all industries and the healthcare sector will not be immune. Providers and the organisations they work for may be required to adopt such technologies in order to remain competitive. The risks are surely always going to be there but these can be mitigated through the use of the technologies in an informed manner.
- Brill D. Social networking: facing the facts. http://www.medicalobserver.com.au/news/social-networking-facing-the-facts (accessed Aug 2011).
- Tara Lagu, MD, MPH, Elinore J. Kaufman, David A. Asch, MD, and Katrina Armstrong, MD, MSCE. Content of Weblogs Written by Health Professionals. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2533366/ (accessed Aug 2011).
- Rose D. Warning to doctors on Facebook. http://www.dailytelegraph.com.au/news/breaking-news/warning-to-doctors-on-facebook/story-e6freuyi-1225963359472 (accessed Aug 2011).
- Australian Medical Association et al. Social Media and the Medical Profession. http://www.ama.com.au/socialmedia (accessed Aug 2011).
- Browser Media. 2011 social media statistics show huge growth. http://www.browsermedia.co.uk/2011/03/30/2011-social-media-statistics-show-huge-growth (accessed Aug 2011).
IT Security Consultant
eHealth Security Services
Alberto Tinazzi is a Certified Information Systems Security Professional (CISSP). He works as an independent information security consultant specialised in the healthcare sector. He has 16 years experience as an IT professional, specialised in information management and security. He has spent the last 10 years working within the health sector covering a number of different roles within the Division of General Practice Network.
Posted in Australian eHealth