
Social media security policies in healthcare

Tuesday, May 18th, 2010


Sharon Finney from Adventist Health System in Winter Park, Florida prepared an excellent presentation at the 2010 NIST HIPAA conference. She shared her experience in developing and implementing a comprehensive, risk-based policy at her organization.


Sharon talked about the creation of a corporate policy and standard of conduct for social media. In order to be successful in creating these documents, you must have executive buy-in from an “executive sponsor”. This sponsor is typically a VP of Marketing or PR.


Sharon recommends assembling a team that includes representatives from legal, HR, compliance, data security, and IT departments to help shape and implement the social media policies. She recommends the following steps:


  • Create a policy on social media – define the scope of use, such as who has legitimate business reasons (marketing, HR, communications, training, outreach, etc.).
  • Create a standard of conduct manual so that employees know how they should conduct themselves online. Ensure that proper disclaimers are placed. Look at the HP, IBM, and Microsoft standards of conduct as a good start.
  • Watch out for exceptions to policies. If you grant too many exceptions the exceptions become the rule. Create a tedious exception policy to discourage exceptions.
  • Define your organization’s risk tolerance.
  • Define sanctions for non-compliance and ensure employees know them.
  • Create a plan for monitoring including who will be doing the monitoring, what is being monitored, and the frequency of monitoring.
  • Create a quarterly audit policy trickled down to department heads to ensure that they review how their direct reports spend time online.
  • Clearly define what employees should and should not do (Adventist has about 36 points).
  • Create a policy on monitoring and enforce it. Set up alerts for certain conditions.
  • Implement DLP (Data Loss Prevention) technologies to prevent critical data (like PHI) from leaving your network.

You should also create an incident response plan that includes all the appropriate parties. Ensuring that all employees are properly trained and understand the policy and standards is the key to success.