American Academy of Ophthalmology Web Site: www.aao.org
Practice Perfect: Information Technology
3 Keys for Taking Charge of Web Use in Your Practice
Here’s a disturbing statistic: 70 percent of all pornography use on the Web occurs during normal working hours. Can you be sure your employees aren’t accessing pornography sites, buying and selling items on eBay or participating in long chat sessions with their friends when they should be working?
And if employees are abusing their Internet privileges, what can you do about it?
“A small practice has to protect itself,” said Dana Holtz, JD, a health care attorney with Wade, Goldstein, Landau and Abruzzo of Berwyn, Penn. Ms. Holtz will teach an AAOE course at the Academy’s Joint Meeting on this problem.
The stakes are high. Not only does abuse of Internet access result in lower productivity for your office, but also your practice can be held liable in cases involving offensive material, Ms. Holtz said. In addition, unchecked abuse of this sort can increase the amount you must spend on technology and can lead to security breaches.
You can’t keep an eye on every employee every minute of the day. But like the related problem of overuse of office phones for personal matters, there are policies you can put in place and actions you can take to discourage abuse and deal with the problem if it does occur.
#1 Know the Risks
While protections are needed, it’s generally agreed that abuse of the Internet isn’t as much of a problem in small- and medium-sized medical practices as it is in most business settings. “In the corporate world, people can hide much easier because they’re in an office or cubicle,” said Michelle Drolet, CEO of Conqwest, a Holliston, Mass., Internet security vendor that counts small practices among its clients. “In most small practices, typically the PCs are out in the open and they’re shared, so you don’t usually find as much abuse.”
But the fact that Internet abuse is less likely to be a problem in your practice doesn’t mean it won’t happen, Ms. Holtz and Ms. Drolet agreed. And the stakes are just as high for you as they are for any other type of company, Ms. Holtz said.
Legal. “Employers have been sued for copyright infringement for downloading copyrighted material,” Ms. Holtz said. “They’ve been sued for racial discrimination or sexual harassment because of Internet usage.” For instance, in a widely known case involving a nonmedical business, a woman passed a coworker’s computer screen that was displaying pornographic material and successfully sued the company for sexual harassment.
Financial. Another obvious problem is a drop-off in productivity, said Ms. Drolet.
Plus, this abuse can cost you money in extra equipment for faster access, she noted. Employees who download or upload pictures and music can eat up a lot of precious bandwidth, slowing down legitimate Internet-related operations, said Ms. Drolet. Many organizations, she added, have upgraded their equipment and Internet access when, in fact, they could have solved the problem by cracking down on personal use of the Internet.
Security-related. Unauthorized use of popular instant messaging products can open the way for hackers to infect your system with viruses or, even worse, gather data from your records, Ms. Drolet said. Besides disrupting your business, this could compromise the safety and security of protected health information, which represents a potential violation of HIPAA regulations, she said.
#2 Find Tech Solutions
Software. One solution frequently used by large businesses is special software that monitors employee Internet and e-mail usage. This class of software collects data about who is sending e-mail and whom they are sending it to. It can monitor the contents of that e-mail and send up red flags if it encounters certain words or phrases. In addition, software can actively prevent users from accessing specific Web sites or monitor what Web sites employees go to.
Ms. Drolet noted, however, that these solutions are typically used by large enterprises and not smaller ones because they are expensive and take a lot of technical expertise to administer. However, hardware and software solutions are available for small offices. You could, for instance, use consumer-oriented PC software such as Net Nanny to prevent access to specific sites, she said. (Net Nanny from LookSmart and another Internet filtering product called CyberSitter from Solid Oak Software cost approximately $40. Similar programs range from $25 to $50.)
Hardware. Plus, you have some additional options if your office uses a firewall to prevent intrusions—and given the existence of so many security threats plus the HIPAA security and privacy regulations, more and more small practices are using hardware firewalls.
“Even my ophthalmologist’s office has one, and they only have two PCs,” Ms. Drolet said. She should know: She installed their firewall.
It is possible to build e-mail monitoring and Web filtering into firewalls used by small businesses. That will increase your cost slightly, but it’s worth it. Ms. Drolet said that such firewalls cost about $1,000 for companies such as her ophthalmologist’s, and she charged them about $150 to set it up.
“You’ll want somebody who knows what they’re doing [for installation] so you pay once, get it set up correctly and then it’s done,” she said.
#3 Set the Policy
By far the most important thing you can do to prevent employee abuse of the Internet is to establish a policy, communicate it clearly and enforce it consistently, Ms. Drolet and Ms. Holtz agreed.
“You need a policy that says we can and will monitor Internet usage in the workplace,” Ms. Holtz said. “Otherwise, employees have the expectation that they have privacy when they’re using the Internet for their own purposes.”
The policy should be in writing because it minimizes your liability if abuse occurs, Ms. Holtz said. She said the four key elements of an Internet usage policy are straightforward statements that address the following:
You may want to allow some personal use of the Internet. For instance, some businesses allow employees to access nonoffensive Web sites during the lunch hour or before or after normal work hours.
Personal Business/Electronic Monitoring
The computer system is company property and should be used for company business only. Employee use of the network is considered consent to the policy and to management's right to review email or listen to telephone conversations or voicemail and monitor Internet activity.
Notwithstanding the foregoing, employers should limit their monitoring to the extent necessary for legitimate business purposes. Employers should generally access an employee's voicemail only if, as the provider of the service, it has a legitimate business reason, in the ordinary course of business, to do so. In addition, if an employer has a policy allowing the monitoring of employee telephone conversations, once the subject matter of the conversation becomes personal, the employer should discontinue further monitoring (although it may log the length of time of the personal phone call).