Enterprise 2.0

Professor McAfee on Enterprise 2.0 and compliance: Slight risk

This year, I approached the annual Enterprise 2.0 Conference in Boston with a specific question: Can an organization in a regulated industry adopt enterprise social software and remain compliant?

I received a range of answers, depending upon whether I talked to vendors, end users, analysts or CIOs. Later today, I’ll be publishing a feature that examines precisely this issue.

After reading C.G. Lynch’s Q&A on what’s next for enterprise 2.0 with Professor Andrew McAfee, who coined the term, I saw I’d need to ask him the same question.

When asked about whether CIOs should worry about “implementing Web 2.0 tools in the enterprise because of security and compliance,” Professor McAfee said he didn’t have any horror stories to relate – and that he asks for them, whenever he talks to big business. His “quick and dirty explanation” for that is:

”People know how to do their jobs. By this point, none of these tools are a week old, so the rules for using them aren’t unclear. We know the stuff that will get us fired if we talk about it. If you work in an investment bank, for example, you have it drummed into you, before any enterprise 2.0 tools even showed up, what you can and can’t talk about, and to whom.”

I asked McAfee a similar question: “Where do you see the intersection between enterprise 2.0 and regulatory compliance?” His answer:

I do not think these tools substantially alter the compliance risk profile of organizations. Employees today are acutely aware of compliance issues, and I don’t see that they’ll be tempted to disobey policy or break the law simply because 2.0 tools become available.

There may be some slight risk of inadvertent noncompliance, but the fact that contributions to 2.0 environments are so visible means that any such breaches are likely to be detected quickly.

When it comes to enterprise 2.0, I agree heartily with Thomas Jefferson, who wrote, “I know of no safe repository of the ultimate power of society but people. And if we think them not enlightened enough, the remedy is not to take the power from them, but to inform them by education.”

After reporting on the story for a week, it’s clear to me that CIOs, privacy and security professionals need better tools to monitor, log and filter communication with external social networking platforms. Data loss prevention (DLP) will be a line item in enterprise security budgets, driven by the need to reduce new risks posed by social messaging.

Even if political gaffes on social networking sites don’t cease — like Battle Creek Mayor Mark Behnke accidentally tweeting Social Security numbers or continued Congressional missteps on Twitter — compliance concerns about the use of enterprise 2.0 platforms are likely to increase with continued data leaks, from whatever vector they take.

Insider threats are a significant concern, given increased economic pressures stemming from the recession. As Forrester senior analyst Andrew Jacquith observed earlier this year, “as auditors have gained more experience assessing compliance with Sarbanes-Oxley and other statutes, they have become increasingly aware of the perils of excessive entitlements. Greater awareness has led to tougher audits. Now enterprises must be prepared to explain who got access to what application features, and why.”

What Professor McAfee’s answer reveals to me, primarily, is that the people aspect of compliance is a crucial consideration. The technology matters but, in the end, your security and ability to meet regulatory requirements rests on the mind-set and education of those entrusted with the sensitive data of an enterprise or its customers. Thanks to the good professor for his answer.

Booz Allen wins Open Enterprise Award for collaborative environment

Booz Allen Hamilton won the Open Enterprise Award for 2009 at the Enterprise 2.0 Conference in Boston today for their innovative internal collaborative environment. The Open Enterprise research project, led by Stowe Boyd and Oliver Marks, conferred the award to a company that was “truly transforming their organization at its core through deep, enterprise-wide adoption.” Walton Smith, a senior associate at the Virginia-based consulting firm, presented “hello.bah.com” to the crowd.

Smith described how Hello was built around people, focusing on connecting associates to each other and activity streams to profiles. According to Smith, more than 40% of the firm has added content to the system, rapidly forming connections with one another. Booz Allen Hamilton used agile development to create their Enterprise 2.0 platform, a methodology that now allows the team to roll out a new function every two weeks. Smith said that “functionality is driven by the users.” One upcoming feature, for instance, will allow users to rank and rate the quality of content entered into the system.

One initial roadblock that Smith noted was human resources, which viewed itself as the “official source” of data. In fact, the new intranet actually allowed employees to clean up bad data entered by HR into PeopleSoft on the back end.

When asked about security and compliance concerns – critical to a consulting firm that deals with government data or works with corporations with sensitive intellectual property – Smith noted several aspects of the system that are designed to prevent data leaks. First, only Booz Allen employees are allowed on Hello – not contractors. Second, data that comes under regulatory compliance actually resides in SharePoint, which Booz Allen uses for document-based collaboration for restricted content. Users can link to content from blogs, Confluence wikis or other pages but are confronted with an access control layer. Within the restricted environment, familiar compliance tools used in knowledge management are employed, like access management, monitoring and logging.

Smith is aware of the possibilities for a data breach, noting that “our weakest link is our people – we spend a lot of time making sure they know which tools to use.” He’s also cognizant of potential regional compliance issues, such as European Union laws that require that employees must opt-in to share information like pictures or work history with others.

The creators of Hello also had thought through employee departures. Smith allowed that departures weren’t “so much of an issue, given the economy,” but that there is a process in place. When someone moves on, a banner is added to the top of his or her profile page indicating the departure. That person won’t show up on the dropdown menu, which only includes actives employees for searchers, but the profile page itself, including connections and intellectual property created for Booz Allen, remains.

Podcast: Expert tackles e-health and compliance in healthcare IT

What is the state of IT healthcare compliance in 2009? Dr. William Yasnoff has some thoughts.

 

 Dr. William Yasnoff on e-health and compliance in healthcare IT infrastructure.: Play Now | Play in Popup | Download

His reply to ” Healthcare compliance gets boost from national HHS privacy framework,” a recent tip from one of SearchCompliance.com’s sister sites, demonstrated his deep understanding of the complex relationships among regulations, medicine and IT. A quick visit to his blog at WilliamYasnoff.com will confirm that he’s thought long and hard about the role of IT infrastructure in assuring patient privacy and health. SearchCompliance.com’s Alexander B. Howard found Dr. Yasnoff at his office last week and recorded a podcast.

Download Dr. William Yasnoff on e-health and compliance in healthcare IT infrastructure.

When you listen, you’ll learn the answers to the following questions about e-health, including what changes might be expected under the new Obama administration:

• The United States Department of Health and Human Services (HHS) has a released a new privacy framework that provides guidance to organizations that handle personal health information. Does the Health Insurance Portability and Accountability Act (HIPAA) apply?  What are the privacy and data protection issues created by the movement to e-health records?
• How does this directive affect IT compliance officers or system administrators at companies that handle e-health records? How could — and how should — a compliance officer change IT infrastructure and best practices to address the so-called HIPAA “audit hole?”
• The incoming Obama administration made the digitization of health records a focus of its presidential campaign. How may the atmosphere around healthcare compliance change? What additional regulatory requirements may be introduced that compliance officers should consider?
• What is Dossia? What role might this new entity, funded by corporations, play in e-health? How could Dossia affect e-health compliance? What is a health records bank? How many physicians currently use e-health records?
• What is the Electronic Communications Privacy Act (ECPA)? What must a CIO, CTO, CCO or IT administrator do to remain in compliance with the ECPA?
• What are some best practices for setting up IT infrastructure for healthcare institutions so that the systems are compliant? How will consent management factor into compliance in 2009?
• How might emerging enterprise 2.0 technologies be adapted and applied by the incoming U.S. CTO, particularly with regards to e-health records?

Dr. William Yasnoff

William A. Yasnoff is founder and managing partner of National Health Information Infrastructure (NHII) Advisors, a consulting firm that helps communities and organizations successfully develop health information infrastructure systems and solutions. Previously, as senior advisor, NHII, Department of Health and Human Services, he initiated and organized the activities leading to the president’s creation of the Office of the National Coordinator for Health Information Technology, establishing the NHII as a widely recognized goal for the nation. As vice president of research for Cell Analysis Systems Inc., he developed the first PC-based commercial system for quantifying DNA content of cells on slides in 1986. He later served as medical director of AMA/Net, the American Medical Association’s first online electronic information system for physicians. He subsequently restarted the network as U.S. HealthLink in Oregon. Dr. Yasnoff is an associate editor of the Journal of Biomedical Informatics, adjunct professor of Health Sciences Informatics at The Johns Hopkins University, a board member of the nonprofit Public Health Foundation Enterprises Inc., and the author of more than 250 publications and presentations, including co-editor of the textbook ‘Public Health Informatics and Information Systems.’ He earned his Ph.D. in computer science and M.D. from Northwestern University, and was elected a fellow of the American College of Medical Informatics in 1989.

Subscribe | Contact Us | What is RSS? | What is podcasting?