Outrageous Behavior on Facebook
It's Time to Get Angry About Privacy Violations, and Take Action
Don't assume the entire staff at your organization - or, for that matter, all your contractors - apply common sense when using Facebook. Odds are that at least some of them don't.
This was recently illustrated by the news that a contract employee at a California hospital posted information about a patient on a Facebook page - just for laughs. The details of the incident are, well, outrageous. And hopefully they'll prove to be a strong reminder that workers need to be educated on how to protect privacy when using social media - and offered frequent reminders that they'll lose their job and face government penalties if they're guilty of a privacy violation.
A Bad Joke
The Los Angeles Daily News reports that an employee of a staffing agency who was working at Providence Holy Cross Medical Center in Mission Hills, Calif., decided to use Facebook to poke fun at a patient.
This "jokester" displayed a photo of a medical record listing a patient's name and the date she was admitted and posted tasteless comments about her medical condition.
A few enlightened folks, however, took the step of commenting on the Facebook page about the inappropriateness of the post, pointing out it violates the privacy provisions of the Health Insurance Portability and Accountability Act.
But really, we don't need HIPAA to tell us what's right and wrong here. How can it ever be appropriate to post private medical details about someone on Facebook without their permission?
So what was the culprit's reaction to the protestors? Well, according to the newspaper, he added insult to injury, writing, "People, it's just Facebook. Not reality. Hello? Again ... it's just a name out of millions and millions of names. If some people can't appreciate my humor then tough. And if you don't like it, too bad, because it's my wall and I'll post what I want to."
Get Angry, Take Action
This makes my blood boil. How about you?
I hope this news gets you angry enough that you'll lead the charge at your organization - whether you work in healthcare or any other industry - to make sure your co-workers know the do's and don'ts of social media.
So, does your organization have a detailed social media policy in place? Have you educated the workforce about complying with the policy? Is your organization enforcing the policy with zero tolerance for violations? It's time to check.
When I asked Providence Holy Cross to comment on the incident and the steps the hospital plans to take, a spokesman sent me a statement saying it couldn't comment on specifics because the matter is under investigation.
The statement notes: "Providence ... guided by core values that include respect and dedicated to compliance with state and federal privacy laws, takes patient privacy very seriously and regularly trains employees on the importance of guarding patient records. We are investigating this report and if necessary will work with the staffing agency to ensure the individual is not allowed to work in the future in any Providence facility. We also will work with the agency to continue to provide training for contractors to comply with our patient privacy policies and our core values."
The spokesman who sent the statement declined to talk about the organization's social media policy - at least for now.
But even a great social media policy, supported by a top-notch education and awareness program, can't prevent those who are determined to express their "humor" at the expense of others. Demonstrating that such social media misbehavior will result in serious sanctions, however, can prove to be a powerful deterrent.
So here's what I hope will happen in this case. If the details of this incident are confirmed, the culprit should not only lose a job but also should get a tough penalty for violating HIPAA as well as any applicable state regulations.
I also hope other social media abusers get similar, well-publicized penalties. Unfortunately, it's the only way to get some folks to take privacy protection seriously.
In the meantime, privacy and security professionals have a moral obligation to make sure their organizations have a clear-cut social media policy that's well-understood by the workforce and that's well-enforced.