Protecting health data becomes more difficult in a socially networked world, but blocking access to these popular sites is being met with dissent, a panel of health care CISOs said Wednesday at the RSA Conference.
The Visiting Nurse Service of New York (VNSNY), a provider of home health care and community-based health services to patients throughout New York, bans social networking sites, said Wayne Wright, senior information security specialist at the organization.
“We don't allow Facebook, LinkedIn, MySpace, or any social networking sites,” he said.
There are some special cases, however, where human resources employees need to use social networking sites to screen candidates that are applying for positions, he said.
Another panelist, Frank Waszmer, information security architect at Florida-based Health First, said he spent a lot of time in the past convincing members at the organization of the need to block access to social networking sites. But now that the sites have been blocked, employees are asking for the ban to be lifted.
“They have seen the value of social networks,” he said. “I needed something to look at the traffic coming in, inspect it and categorize it. That's something we are looking at right now.”
A similar situation occurred at John Muir Healthcare, where the ban on social networking sites has gradually been lifted, said panelist Allen Dawson, director of information security at the provider based in the San Francisco area.
First, a few years ago, the HR department said it needed to use LinkedIn, Dawson said. Then, the marketing department requested access to Facebook, and other executives said the organization should be using Twitter.
Besides the threat posed by social networking sites, panelists mentioned other data security challenges, including lost laptops and employee use of removable media devices. Complying with regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), and getting buy-in for security initiatives from senior management, were other issues mentioned.
Overall, panelists were in agreement on several principles: It is important to have a multilayered approach to data security, user education should be a key part of the initiative and compliance regulations should be viewed as a minimum level of security. Also, it is beneficial to educate senior management executives and employees from other business departments about the issues involved in protecting sensitive business information so they too can be advocates for security, panelists said.
The panelists said they use data leakage prevention (DLP) technology to protect sensitive data. In addition, they mentioned web filtering, whitelisting, whole disk encryption and log management as other useful technologies.
“You're never going to be 100 percent secure,” Wright said. “You just need to be reasonably secure.”