Harnessing Online Social Networking within NHSScotland: Benefits and Risks · 2011-10-19
v.3 Consultation
Harnessing Online Social Networking within NHSScotland: Benefits and Risks
Purpose:
The aim of the two companion papers is to show how NHSScotland can harness
online social networking (OSN) to support the eHealth strategic aims in 2011-2014,
to outline the key risks to the organisation and finally how to put a mitigation plan in
place.
Executive Summary
OSNs can be used for internal as well as external facing purposes: within
organisations there are already Sharepoint-type tools which have OSN functionality
and it needs to be clear at the outset how usage of external OSN fits into an overall
corporate knowledge retention strategy. Usage of OSN to engage with the public via
transactions, knowledge/information services and patient data access brings eHealth
closer to achieving ‘patient portals’. Other first-wave, low-risk purposes for
which OSN functionality can be used are: business continuity communications,
news and announcements, understanding and monitoring public opinion, public
education/health campaigns, and professional and patient network support. The main
security and legal risks to the organisation and to individual employees can be
reduced to an acceptable level if boards tackle OSNs in a strategic manner (i.e. not
leave it to lone enthusiasts) and put in place a realistic mixture of governance,
guidance/training and technical/security measures.
Contents
1. Online social networking and Scottish Government Strategy
   1.1 Transactions that support self-management
   1.2 Communications with the NHS and access to trusted advice
   1.3 Access to health records and patient networking and support
2. Current position
3. Better to harness than simply block
4. Social Circumference: internal or external OSNs?
5. What are the first wave OSN applications for NHS Scotland?
   5.1 Business continuity communications
   5.2 News and announcements
   5.3 Understanding and monitoring public opinion
   5.4 Public education and health campaigns
   5.5 Professional network support
   5.6 Patient support groups
   5.7 Transactions support
6. Security risks and mitigation plans
7. Risks to the organisation through own usage of OSN
   7.1 Site sabotage and hijacking
   7.2 Legal risks through official OSN interactions
   7.3 Information leakage as a result of inadequate permissions
   7.4 Content management issues
   7.5 Risks relating to staff usage of OSN in the workplace
   7.6 Importation of malware into health systems
   7.7 Capacity and time-wasting issues
8. Risks relating to OSN usage by NHS employees outside work
   8.1 Capturing credentials for malicious purposes
   8.2 Social engineering to obtain information
   8.3 Putting up offensive or inappropriate content
   8.4 Personal ID theft and safety risks
   8.5 Wider privacy issues
1. Online social networking and Scottish Government Strategy
Online citizen participation is a key plank in Scotland’s Digital Strategy and
specifically in eHealth there is an aim to create an environment that gives patients
the ability to equip themselves with the information they need to monitor and manage
their own health care as far as possible.[1] An important question is how far online
social networking will bolster rather than hinder work in these areas.
1.1 Transactions that support self-management
There is enormous potential to use the web for patient transactions such as health
appointment bookings, data checking, e-prescriptions etc. IT investment in these
areas is often considerable in order to ensure that the web spaces can be secure,
easily accessible and well managed.
OSN can be used at design, release and steady state stages to ensure that these
significant investments hit the mark (i.e. are not solutions looking for customers).
Online health transactions, like OSNs, rely on very subtle two-way trust-based
interactions. Getting these transactions right, as online banks and shops have found,
is very difficult and a lot can be learned from OSNs.
1.2 Communications with the NHS and access to trusted advice
At the moment virtually all the NHSScotland online activity falls within this category.
There remains the need for high quality trusted content, like NHS Inform for
example, that is controlled by the host and ‘pulled’ when required by the site visitor.
This preserves the integrity of the announcements, sign-posts, news and medical
information in a way that non-official channels which allow interaction/editing cannot
(e.g. wikis, blogs and company-sponsored medical advice pages are often
misleading).
[1] eHealth Strategy 2011-2017 published September 2011 (with a refresh due in 2014); The Digital Future: A Strategy for Scotland (March 2011).
However, NHS sites are increasingly used to communicate in real time and OSNs
can be an important part of an overall channel strategy and inform policy (see
below). Similarly, hosting or participating in knowledge sharing – which requires
interactive tools - is an important part of the medical self-management aim.
One of the interesting side effects of the social networking growth is that relatively
old tools such as email, SMS and desk-top web conferencing are taking on a new
lease of life. The NHS therefore needs to re-appraise how these often over-looked
channels can be used for patient interaction. Whereas some clinical telehealth
purposes require considerable investment (hardware, special rooms, robust
connections etc) there are probably many more routine ‘keeping in touch’ type
sessions which could be carried out with lower cost consumer-type applications and
equipment.
1.3 Access to health records and patient networking and support
There is a growing demand for self access to clinical data in addition to the
established routes (e.g. Data Protection subject access requests). Evidence from
pilots such as My Diabetes My Way that allowed access to clinical information has
shown that a) the service is greatly valued; b) clinicians simply do not have the time
to go over all data and c) patients do not always understand what is being said
during visits to hospitals and like to mull over written evidence.
It is likely that having access to one's own data online (provided the right data fields are
chosen and it is done securely) can improve the success rate of both eHealth
transactions and the information/knowledge services: e.g. being able to check and
update medication/allergy details could help with e-pharmacy applications and
accessing clinical correspondence may induce patients to look at the right online
advice guide on NHS Inform.
All these areas – transactions, information services and patient data access – can be
integrated together to form virtual patient web-spaces. A landing page hosted by
NHSScotland could be personalised and provide sign-posts to one or more favourite
patient web-spaces (e.g. for a long-term condition). Secure authentication could then
be used where patient data is being accessed.
Understanding and harnessing OSN (in terms of technical design, content and
human behaviour) can bring NHSScotland closer to realising this vision.
2. Current position
Some health boards are already using OSNs as an additional e-channel for
communication (e.g. placing news and announcements onto Facebook or Twitter).
But the full potential of OSNs, which is based on interactions and not static content,
has yet to be exploited by public health organisations for the following reasons:
OSNs are by their very nature a ‘home grown’ phenomenon and almost
ungovernable. Virtually all of the innovation and momentum has come from
individuals (and increasingly the ‘third sector’) rather than state bodies, corporations
or universities. In fact public sector and corporate participation – if handled clumsily –
can seriously back-fire if it is perceived to be an attempt to undermine the democratic
spirit of OSNs. In turn, health officials, accustomed to controlling messages and their
own online content are understandably wary of setting foot into this legal mire. Some
of the recent impetus for OSN usage by public bodies has come from politicians; but
there have been some spectacular failures (e.g. wiki/blog sabotage) which have left
many bruised and unsure about what they should do, if anything, in the online
networking space. Any lingering doubts about the dangers of OSN are often
confirmed by the weight of security and legal opinion (universal blocking may seem
the safest approach).
3. Better to harness than simply block
Some health boards encourage the use of popular social media on their public-facing
web site and then block OSN usage within the work-place (and fail to promote
internal social networking tools). If employees are not informed of the often good
reasons behind this seemingly contradictory approach then it can cause friction
between staff and IT departments.
Similarly, there are examples of a ‘scattergun’ approach (where engagement with
OSNs is seemingly random and without real purpose). OSN continues to grow at an
exponential rate especially in the mobile application space. There needs to be a
more strategic and consistent approach to using OSNs in eHealth. It needs to be
clear that carefully targeted involvement with OSNs can bring a variety of solid
practical benefits (i.e. is not just a matter of seeming to look modern). The security
risks of OSN are very real (and discussed in part B) but are far more likely to be
mitigated when OSN is part of an overall plan and not left to enthusiasts who ‘go it
alone’ against a backdrop of general hostility.
4. Social Circumference: internal or external OSNs?
The focus of this paper is on external - or citizen driven - online social networks (e.g.
Facebook, Twitter etc). But it is worth stressing at the outset that there is a
considerable amount of social networking potential within NHS organisations. Any
OSN strategy needs to ascertain the width of the social circle. Fig 1 illustrates
different concentric circles for a fictitious health board and the appropriate tools that
might be used to meet the business and security requirements (after a risk
assessment).
Fig 1: Health board strategic positioning of internal and external OSN tools
[Figure: concentric circles labelled 1) Sharepoint, 2) Board extranet, 3) Knowledge, 4) Huddle, 5) Facebook]

Chosen OSN tools, with social circumference and justification:

1) Sharepoint
   Social circumference: Core board staff
   Justification: All staff to use this for internal networking; data held on internal network to RESTRICTED level
2) Extranet/external Sharepoint
   Social circumference: Staff in core department and selected staff in other boards
   Justification: Selected staff invited in; governance over documents uploaded. Possible accreditation to PROTECT
3) Communities of Practice or e-library
   Social circumference: Staff in core department wishing to network with NHS staff across Scotland
   Justification: NHS sponsored space which allows content upload to particular communities
4) Huddle/Yammer etc
   Social circumference: Staff doing a wide consultation exercise with suppliers, charities, third sector etc
   Justification: May be a fee for a hosted service (data held in UK); closed spaces for each project. Can be accredited to PROTECT if necessary with right design.
5) Facebook
   Social circumference: Specific staff in board wishing to communicate with public or test public opinion
   Justification: Free open to all site; technically there are closed spaces but data may be hosted abroad; data should not have any protective marking and few of the controls that exist in internal environment.
Without such planning an organisation could end up with a mismatch. There are for
example public bodies that use Internet-based OSNs as the de facto internal
knowledge sharing tool even when Sharepoint-type tools (which increasingly have
powerful OSN functionality) have already been purchased.[2] This means that existing
investments are not being exploited and staff get confused as to where the ‘official’
internal place to share ideas is. Conversely, there are organisations contemplating
investment in external instances of KM tools or extranets to allow networking across
sponsored public bodies when a cheaper off-the-shelf networking service hosted by
Yammer or Huddle for example would suffice.
The key benefits to internal online social networking tools include:
- People finding: able to find the right people, their skills and whether they are
  available for assignments etc. This is more than just a corporate directory.
- Instant messaging and communications: often messaging is tightly
  integrated into the networking application so that a person can move
  seamlessly from reading content to responding via email, voice,
  communicator etc.
- Profiling: tools now log the behaviour of the user and build up a profile (e.g.
  who are your contacts; what you have in common with other people, what
  assets you most often access?).
- Blogs and wikis: content generated by users; and allowing feed-back etc.
  This can range from formal (e.g. chief executive weekly summary instead of
  emails) to very informal (staff views).
- Virtual community building: creating communities of interest which cut
  across normal organisational boundaries (e.g. diversity groups, policy areas,
  career homes etc).
It is noteworthy that a high proportion of NHS staff are using external OSNs for
all of the above because there is simply nothing on offer within the organisation
with the same level of functionality and because they belong to professional and
special-interest communities (that go far beyond the confines of a single
NHS board or practice). A clinician may for example use a professional OSN like
Doctors.net.uk to find a colleague who does not appear on an official directory
that is out of date; he may then open a free web-mail account with the same OSN
and contribute to a discussion group.
[2] Scottish Government does not endorse any particular product/company. Sharepoint is fairly ubiquitous across boards and often part of an enterprise agreement. There are other players such as Alfresco.
There is a growing recognition that routinely putting non-document based content,
news and views onto external rather than internal online networks can undermine an
organisation’s knowledge retention strategy. But given the current financial climate
there is far less scope for investment in corporate networking and knowledge
management tools. The organisation is then faced with two options:
a) Doing without internal tools and being resigned to the fact that staff will use
external ones in their own time (there may even be an attempt to discourage or
block their use in the workplace)
OR
b) Attempt to harness OSNs by giving all or certain staff access to at least some
of them (subject to clear codes of conduct) and even endorsing heavier
participation in selected sites that are deemed to be in the interests of the
organisation.
The main advantages of taking the latter more pragmatic approach are:
- The burden of hosting data and running a service is undertaken by a third
  party.
- Often the OSN functionality is far richer and more user-friendly than any
  off-the-shelf product an organisation might procure itself. Much of the cost of
  products like Sharepoint relates to the configuration (e.g. search engines,
  look-and-feel, templates, keeping versions up to date etc). Internal tools
  can soon look rather dated compared to what staff are using at home.
- The social reach is far greater than with internal tools, which helps officials
  wishing to collaborate with others across multiple bodies on different IT networks
  (e.g. for NHS boards to work together on projects). This cuts down on
  emails, phone calls and ad-hoc data sharing methods.
The main disadvantages are:
- There is a lack of control over the management of content; the data is being
  hosted by a company at a location over which the public body has little or no
  control (e.g. may even be outside the EU).
- Security and legal risks (discussed in section 7) that result from the content,
  the social interactions and malware.
- Although resources may be saved by not hosting services internally,
  consumption of OSN can create service and capacity issues (e.g. staff using
  bandwidth hungry applications such as video streaming over infrastructure not
  designed for it).
- Knowledge and information leakage; staff may upload key documents,
  corporate records and knowledge onto the external OSNs in preference to
  internal corporate tools. Such behaviour creates compliance risks (e.g.
  FOI/DPA) and deprives the organisation of content it owns.
Putting together a clear action plan to support knowledge sharing using OSN
internally (and between partner bodies) often means that the organisation is then
well placed to exploit OSN for interaction with the public at large. Lessons will have
been learned in a relatively safe environment and more staff will have become
familiar with OSN functionality.
5. What are the first wave OSN applications for NHS Scotland?
The purposes for which OSNs can be used for interaction with the wider public are
vast, so there needs to be a focus on the first wave of applications which a) are
relatively low risk from a security/compliance angle; b) create maximum impact from
very little outlay and support and c) can be used as a launch pad for more ambitious
usage of OSN in the future.
When considering how to deploy OSN the following must be considered at the
outset:
- Does the OSN offer something which existing channels cannot? (e.g. wider
  social reach).
- Is OSN going to be mixed in with existing channels? (i.e. will it reinforce or
  could it potentially conflict with messages from official web-sites).
- Will existing OSNs be utilised rather than building new ones? (i.e. if the latter
  then there needs to be a unique selling point that only the NHS can offer,
  such as transactions or access to own data).
- What resources are in place to generate or monitor content? (i.e. there is no
  point in putting up content if no one in NHS is actually monitoring the
  responses or doing analysis).
- Does the OSN purpose require staff outside e-communications to have
  access to the web-sites? (i.e. if policy makers are blocked from accessing the
  sites then they will not be able to engage with those they need to).
- Has a risk assessment been carried out which will take into account any
  security or legal concerns?
The implications of using OSN criss-cross organisational boundaries so it is vital that
there is adequate participation from Corporate Communications, IT, security and HR
teams. Any small OSN project team needs to focus as far as possible on
requirements rather than products at this stage.
Fig 2: Summary of first wave applications for OSNs in eHealth

First wave OSN category, with examples and benefits over existing channels:

Business continuity communications
   Examples: Severe weather events; Flu epidemics
   Benefits over existing channels: IT systems may be down; social reach for anyone with web-enabled mobile phone
News and announcements
   Examples: New facility opened
   Benefits over existing channels: Followers on OSN who may never want to visit official web site
Public education/health campaigns
   Examples: Stop Smoking
   Benefits over existing channels: Content is embedded among user-tips; tone is more light hearted and less censorious
Understanding and monitoring public opinion
   Examples: Plant story on new eHealth application
   Benefits over existing channels: Test the water; gather intelligence before making big investments
Professional network support
   Examples: Nurses, GPs
   Benefits over existing channels: Provide content on regulations that may affect community
Patient support groups
   Examples: Cancer charity
   Benefits over existing channels: Provide sign-posts to NHS Inform; GPS location finder for help
Transactions support
   Examples: bookings
   Benefits over existing channels: OSN content induces people to use the booking system
Patient data access support
   Examples: Diabetes clinical correspondence
   Benefits over existing channels: Would otherwise have to send hard-copy or email (which may be less secure)
Public health data collection
   Examples: Elderly perception of care/anxieties
   Benefits over existing channels: Collect early evidence prior to investing in more traditional research
5.1 Business continuity communications
OSNs can be used to get key messages out quickly to a wide audience during
emergencies. The winter of 2010/11 in Scotland was the worst for 40 years leading
to the closure of public buildings and schools. Some NHS boards used Twitter micro-
blogs or announcements on Facebook to inform the public about the availability of
services. Traditional channels (such as bulk emails, telephone calls or updating front
web pages) are not always an option if there is a disaster and IT systems are down.
Micro-blogging could also be used to connect with employees as part of a continuity
plan.
Using OSNs in this way is also a good way of getting ‘followers’. Most citizens may
follow NHS tweets for the first time during bad weather but can be encouraged to