Entries Tagged 'Policies'

The illusion of security vs. building community

Pretty much everyone in the healthcare world is buzzing over a Los Angeles Times story from earlier this week that superficially made a strong case for blocking hospital employee access to Facebook.

The article, by Times reporter Molly Hennessy-Fiske, chronicled the case of 60-year-old William Wells, who died at St. Mary Medical Center in Long Beach, California, where he was brought after suffering severe knife wounds inflicted by a fellow resident of his nursing home.

Instead of focusing on treating him, an employee said, St. Mary nurses and other hospital staff did the unthinkable: They snapped photos of the dying man and posted them on Facebook.

The article chronicles a number of incidents at other hospitals involving staff violating patient privacy (and HIPAA) on Facebook, along with the fates of the nurses who posted the information (several were fired). The article has inspired conversation in the healthcare community about the need to block employee access to Facebook.

It’s a kneejerk reaction. After all, before social media, it was just as easy to share inappropriate, confidential information via email. (And, at one point in the early 1990s, organizations everywhere resisted the use of email for exactly that reason.)

Beth Israel Deaconess Medical Center President and CEO Paul Levy has written perhaps the best analysis of the St. Mary case and the resulting flurry of blocking commentary. Levy’s excellent post concludes:

If you block Facebook on the hospital server, will it nonetheless be used in the wrong way by misguided people? Yes. They will use their iPhones or some other such handheld devices.

I know this sounds like the pro-gun argument, “Guns don’t kill people. People do.” However you might feel about that issue, this one is different. By blocking this medium on your hospital server, you will remove a highly effective communications tool, all because you are fearful that a few misguided people will misuse it. You trade the illusion of security for a loss of community.

In an earlier post dating back to October 2009, Levy also noted that blocking Facebook creates “a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20′s and 30′s who tend not to use email.”

I’m currently reading a book, “The 2020 Workplace,” which delves deeply into the work habits and expectations of the Millennial Generation (born between 1977 and 1997); indeed, email is viewed (correctly) as an inefficient means of communication given more effective tools. Ask your Millennial kids how much they use email.

Blaming Facebook (or MySpace or Twitter or what-have-you) for human behavior that can be practiced with email, Usenet news groups, the telephone or in the elevator is not only misguided; it turns a blind eye to the more effective channels for communication that can actually improve communication in your institution. If you remember policies banning email in your organization in the early 90s, it’s easy to see today’s blocking policies as a failure to learn from mistakes made a mere 20 years ago.

The entire post is worth a careful reading, especially if your organization is on the brink of blocking staff access with the deluded expectation that it’ll solve a problem the roots of which have nothing at all to do with Facebook.

Why can’t business behave more like the U.S. military?

I continue to be impressed with the way the US Department of Defense (DoD) is handling staff use of social media. As most organizations continue to succumb to the FUD factor by blocking employee access, the DoD recognizes the importance of online engagement by staff at all levels — from Pentagon workers to soldiers in the field.

If ever an organization was security-conscious, it’s the DoD. Yet they’ve managed to address security concerns while trusting hundreds of thousands of members of the organization to represent the DoD well in social forums.

A Social Media Hub has been added to the DoD’s arsenal of social media tools — another approach from which mainstream business can learn. While the DoD hub is accessible to the general public, it would be equally easy to create something like this on a corporate intranet as a resource for employees.

The home page of the hub proclaims, “Social media is an integral part of Department of Defense operations. This site is designed to help the DoD community use social media and other internet-based capabilities to share responsibly and effectively, both in official and unofficial capacities.”

The site offers three core categories of information:

  • Learning and Resources — “I’m concerned about social media and I need…” reads the introduction to this section, which leads to education and training resources, social media guides and examples.
  • Policies and Procedures — This section begins with “I manage an official DoD social media presence and I want to…” which directs visitors to policies, user agreements and a form to register a page with the DoD.
  • Collaborate and Connect — “I have questions about social media,” reads the introduction to this section, “and I want to…” Visitors can access discussion forums, FAQs and an Ask the Experts section (a contact form).

The page includes many of the elements more commonly seen on individuals’ social media channels, like retweet and Facebook share buttons. The site walks the talk in other ways, such as the embedding of SlideShare presentations in the Examples section.

Access to resources like this can reinforce policies and training and raise the confidence of employees who know they have somewhere to go where they can not only review the rules but ask questions, view case studies and have conversations with others in the organization.

Once again, I’m left wondering: Why can a command and control-centric organization like the US military take such a rational approach to social media while the average US corporation behaves more like we’d expect the military to behave?

(Cross-posted from a shel of my former self.)

Does blocking access to students make any more sense than blocking employees?

I’ve been intrigued, since launching this site, by the inordinate number of comments left by high school students. After all, the Stop Blocking initiative is aimed at business, not academia. But Voce Communications’ Doug Haslam pointed me to a notice that Newton North High School — close to Doug’s Boston home — is considering shutting down student access to Facebook.

According to the Newton North Library’s Learning Commons website:

This is being debated at SFA (Student Faculty Administration). Your input will help SFA decide. The next meeting is April 13th @ 7:00am in the library. It is open for all students and staff to attend. (Note: Facebook is currently blocked at all Newton Public Schools.)

A poll included with the item currently stands at 370 votes against blocking and 87 in favor. The cynic in me suspects it was mostly students casting the opposing votes and parents voting yes.

The comments left to the item on the Wicked Local blog that directed me to the Learning Commons site, however, got me thinking more about the issue. The impetus behind the ban is at least partly based on the worry that kids use Facebook to bully others. One comment, for example, reads…

I am a private tutor in Newton. Just this year, I have had 3 Newton students (2 from North, 1 from South) who have been involved with the Newton police due to cyberbullying via Facebook. I am not sure what the outcome was, but I know for a fact that there were threats and there was police involvement.

Bullying is a problem, to be sure. It was a problem when I was in school, and when my parents were in school. The recent case in South Hadley, Massachusetts — in which nine teens were indicted for their roles in relentlessly bullying a 15-year-old girl who was driven to kill herself — is another tragedy that points to a serious need for action.

But blaming the Internet or Facebook is a mistake. In fact, I don’t care for the term “cyberbullying.” Is bullying that takes place over the phone called “phonebullying?” The venue is irrelevant. The channel isn’t the problem. The problem is the attitude that some kids have that bullying is okay wherever they can engage in it.

The situation reminds me of hospital CEO Paul Levy’s reaction when he learned that another hospital in the area was blocking Facebook because some staff members had violated HIPAA — the regulation that protects patient privacy — on Facebook. Levy, of Beth Israel Deaconess Medical Center (also in Boston), wrote on his “Running a Hospital” blog:

Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing. It also creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20′s and 30′s who tend not to use email. Finally, consider the cost of building and using tools that attempt to “track utilization and monitor content.” Not worth the effort, I say.

Interestingly, the use of Facebook under consideration at Newton North involves a portal for parents, where they could view information relevant to their childrens’ education, including homework and projects.

I see multiple problems, though, with blocking kids’ access. First, many of them — like their counterparts in the business world — don’t need the school’s computers to access Facebook; they can do that just fine on their mobile phones. Lack of access from school won’t stop cyberbullying, either; they’ll just do it when they get home to their own computers.

But what’s really at issue is starting to teach using the channels that kids are already using in a manner that reflects the way people will be working and learning with increasing frequency. Collaborating on team projects makes more sense on Facebook than a proprietary school system because Facebook is (for now) the network they’ll continue to use in college and then in the work world. (A recent study (PDF file) from the Society for New Communication Research (SNCR) determined that decision-makers in the business world are making faster and better decisions by tapping their Social Media Peer Groups (SMPGs) via Facebook and LinkedIn.) Failing to guide students in the use of the resources they’ll be required to use just to get their jobs done by the time they graduate is a failure of the education system.

I’m not talking about unrestricted Facebook use while students should be focused on schoolwork. But teachers need to begin figuring out how to incorporate social networking into their teaching plans in order for the coursework to be truly relevant. The idea that people work in isolation is fast becoming outdated, as the SNCR study reveals; teaching kids to do schoolwork in a vacuum is not preparing them for the processes they’ll need to understand when they go to college (where online collaboration is just the extension of the age-old study group) and then when they enter the world of work.

That is, teachers should be teaching the ways social networks can benefit their learning while actively discouraging bullying of any kind. The issues are, in fact, mutually exclusive.

Doug Haslam himself gets the final word, from a comment he left to the Wicked Local blog:

The thing is, people will form their own groups where they want regardless of what is “blocked.” It makes sense for schools to have some presence on Facebook — not to supervise or watch, but to participate as part of a community.

A proprietary network makes sense as far as assignments, but experimenting — as class groups, in the right circumstances — with Facebook and other social tools is a way to tap into how people are now working together in the real world.

That doesn’t mean students should be using Facebook during school hours to play Farmville, just as it shouldn’t in the workplace (where, for the most part, Facebook should not be blocked either). But, there are some applications. As someone astutely said (in an earlier comment), high school kids are on Facebook anyway. Maybe we should teach them how to use it to be better community citizens (online and off) rather than ignore it at our peril.

Blocking isn’t the only way to maintain security

Cross-posted from my primary blog, a shel of my former self

In a comment left recently to a post I wrote for Stop Blocking back in October 2007 about malware on Facebook, David Jones with CommerceMicro wrote:

Stupid, out dated information.

We have users that repeatedly get infected with viruses and spyware no matter what level or type of antivirus and antispyware software we install. It’s rather odd that ONLY THOSE particular users get re-infected day after day and that they all have MySpace accounts, FaceBook accounts, or whatever. Their employers have to continually pay us to come and clean these infections.

My reply was a bit terse. I asked Jones if he believed all the companies that don’t block access were lying about not encountering the problems he cited. (And no, I wasn’t snarky enough to point out that “outdated” is one word.)

The security issue does, however, appear to be supplanting productivity concerns as the main reason companies block access to Facebook and other social media sites. Among the dominant social networks, Facebook presents the biggest risk to company security, according to 60% of the respondents to a survey of 500 companies conducted by Sophos, an IT security organization. No other network comes close. MySpace ranks second, with 18% of companies identifying it as a concern, followed by Twitter (17%) and LinkedIn (4%).

The concerns are not illegitimate. The incidence of reported malware and spam attacks through social networks has jumped 70% since April of last year. Social networks have become common launching pads for a couple of particularly nasty worms. The risk of infection, though, is not the only security issue that keeps IT staff up at night. Employees’ individual behavior represents a risk, particularly as web-unsavvy employees fall prey to phishing and other devious ploys. And then there’s the fear that employees will share information they shouldn’t.

Sarah Perez goes into considerable detail on the Sophos report in her post on ReadWriteWeb. Perez also notes that even Sophos isn’t advocating an outright block, despite the study’s findings:

Unfortunately for those in charge of enforcing corporate security, simply blocking Facebook and other social networks via URL is not a realistic solution anymore. The networks are often a large part of a company’s marketing and sales strategies, notes Sophos, meaning they cannot be blocked outright. Instead, companies are encouraged to use a unified approach for mitigating threats that combines data monitoring, malware protection and granular access for their employees.

A Financial Times article (free registration required) has the same advice, noting that organizations have too much to gain from employee interactions on social networks. The article, penned by the head of an information risk management and e-discovery firm, rightly notes that letting employees access social networks from work gives them “the ability to locate the right people, information and expertise quickly, but they also greatly aid external networking, sales and marketing activities.”

The article (which I discovered on the Idea Peepshow blog) notes that 89% of businesses in the UK have no policies governing employee use of social networks and calls for companies to establish and enforce such policies.

As I’ve noted before, protecting the company is a matter of ensuring the proper network safeguards are in place (such as anti-malware/spyware software and the latest virus definitions) and that employees understand their responsibilities.

It works in a lot of companies that don’t block access. It can work in yours.

Boston hospital jerks its knee, blocks employee access

Abuse of an established company policy is a management issue. Even when it involves company systems, it is not an IT issue. The abdication of management responsibilities to IT may briefly create the perception that the problem has been solved. In fact, a larger problem has been created.

Consider the case of a Boston-area hospital which has blocked access for all of its employees to social networking sites. According to a memo issued to employees,

The decision is based on recent evidence that some employees have been using these sites to comment on Hospital business, which is a violation of the Hospital’s Electronic Communications policy and a potential HIPAA violation.

In other words, the actions of a few employees have led the hospital’s management to ban access to these resources for all employees, including those who have abided by the hospital’s Electronic Communications policy. The message this sends to the majority of employees who play by the rules:

Your good behavior is irrelevant. We have opted to trust none of you.

This message can only result in deterioration of employee commitment and engagement. It would have taken more effort for the hospital to identify those who abused the privilege and discipline them according to the established policy. It would also have required some effort to communicate to the rest of the workforce that the hospital regretfully had to enforce the policy, and will continue to enforce it.

But employee behaviors are managed through reward and recognition. Recognizing that consequences will befall employees who violate policies is a sure way to obtain compliance. Sadly, it is far easier to simply block everybody than to take the correct steps.

But this hospital goes one jaw-dropping step further, noting in the memo that…

The Executive Team will be working in the coming months to ensure that we have written policies in place that articulate the appropriate use of social networking sites while on duty at the Hospital. Once these written policies are in place, we have educated all employees about expectations and disciplinary action associated with violating the policies, and we have the appropriate IS tools in place to track utilization and monitor content, we will consider once again providing access to these sites. We expect this will take a period of about 6 months.

Six months?

Several hospital social media policies are in place and available online, including those of The Mayo Clinic, M.D. Anderson Cancer Center, Henry Ford Health, and The Cleveland Clinic. Why should even the most tangled of bureaucracies require six months to review the best practices and put a policy in place?

Finally, as I have noted before, most employees have cell phones and will be able to post exactly the same HIPAA violations to the same networks using their personal Internet-connected devices. Blocking access on hospital computers will prevent exactly nothing.

This is precisely the kind of brain-dead, mindless, knee-jerk reaction that is crippling organizations as they move inevitably into a networked ecosystem. I learned about the situation on “Running a Hospital,” the blog by Paul Levy, CEO of another Boston-area hospital, Beth Israel Deaconess. Paul published the hospital memo in its entirety, but introduced it, in part, with these words:

you can guess my view of this: Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing. It also creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20′s and 30′s who tend not to use email. Finally, consider the cost of building and using tools that attempt to “track utilization and monitor content.” Not worth the effort, I say.

There are voices of reason with an eye on the long-term view in the world of business. We need to spread those voices and offer the alternatives to mindless blocking of all content from all employees.

In this case, a clearly-communicated and enforced policy would have done the trick. Instead, this unnamed Boston-area hospital has taken proactive steps toward disenfranchising its workforce while inhibiting the sharing of information and keeping virtually no employees from using these social sites.

Good move.

Personal wireless devices: How employees route around obstacles

I missed this USA Today report from October 17 on issues surrounding employees who view pornography in the workplace. The article raises some intriguing issues, including a focus on lawsuits stemming from employees who felt harassed by colleagues’ viewing of porn. On the other hand, the article points out that only 6% of men and 5% of women surveyed acknowledged that they deliberately looked at online porn at work. Doesn’t it seem excessive to block everybody based on the behavior of 5% of the population? What does that do to trust and engagement? Surely this can be handled as a management issue instead of taking the technology approach.

More interesting to me, however, is the fact that employees are easily accessing this content even when their companies have blocked access. They’re doing it over their cell phones and their wirelessly-connected laptops — personal gear brought to work over which the company has no control.

You knew this was inevitable, right? As the use of personal wireless devices at work increases (for uses other than porn), companies may just have to face up to the fact that technical solutions are the wrong approach and that training, communication, and a slavish commitment to following through on consequences for those who violate policies will have a much greater effect.