Abuse of an established company policy is a management issue. Even when it involves company systems, it is not an IT issue. The abdication of management responsibilities to IT may briefly create the perception that the problem has been solved. In fact, a larger problem has been created.
Consider the case of a Boston-area hospital which has blocked access for all of its employees to social networking sites. According to a memo issued to employees,
The decision is based on recent evidence that some employees have been using these sites to comment on Hospital business, which is a violation of the Hospital’s Electronic Communications policy and a potential HIPAA violation.
In other words, the actions of a few employees have led the hospital’s management to ban access to these resources for all employees, including those who have abided by the hospital’s Electronic Communications policy. The message this sends to the majority of employees who play by the rules:
Your good behavior is irrelevant. We have opted to trust none of you.
This message can only result in deterioration of employee commitment and engagement. It would have taken more effort for the hospital to identify those who absued the privilege and discipline them according to the established policy. It would also have required some effort to communicate to the rest of the workforce that the hospital regretfully had to enforce the policy, and will continue to enforce it.
But employee behaviors are managed through reward and recognition. Recognizing that consequences will befall employees who violate policies is a sure way to obtain compliance. Sadly, it is far easier to simply block everybody than to take the correct steps.
But this hospital goes one jaw-dropping step further, noting in the memo that…
The Executive Team will be working in the coming months to ensure that we have written policies in place that articulate the appropriate use of social networking sites while on duty at the Hospital. Once these written policies are in place, we have educated all employees about expectations and disciplinary action associated with violating the policies, and we have the appropriate IS tools in place to track utilization and monitor content, we will consider once again providing access to these sites. We expect this will take a period of about 6 months.
Several hospital social media policies are in place and available online, including those of The Mayo Clinic, M.D. Anderson Cancer Center, Henry Ford Health, and The Cleveland Clinic. Why should even the most tangled of bureaucracies require six months to review the best practices and put a policy in place?
Finally, as I have noted before, most employees have cell phones and will be able to post exactly the same HIPAA violations to the same networks using their personal Internet-connected devices. Blocking access on hospital computers will prevent exactly nothing.
This is precisely the kind of brain-dead, mindless, knee-jerk reaction that is crippling organizations as they move ienvitably into a networked ecosystem. I learned about the situation on “Running a Hospital,” the blog by Paul Levy, CEO of another Boston-area hospital, Beth Israel Deaconess. Paul published the hospital memo in its entirety, but introduced it, in part, with these words:
you can guess my view of this: Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing. It also creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20’s and 30’s who tend not to use email. Finally, consider the cost of building and using tools that attempt to “track utilization and monitor content.” Not worth the effort, I say.
There are voices of reason with an eye on the long-term view in the world of business. We need to spread those voices and offer the alternatives to mindless blocking of all content from all employees.
In this case, a clearly-communicated and enforced policy would have done the trick. Instead, this unnamed Boston-area hospital has taken proactive steps to disenfranchising its workforce while inhibiting the sharing of information and keeping virtually no employees from using these social sites.