Keeping a Watchful Eye

2014 - 6 December - Disaster Management
Christine C. Toevs, MD, FCCM; Brian Toevs, PhD
Cybersecurity experts discuss employee monitoring in the workplace.

This article is part of a series that highlights the challenges and benefits of emerging technologies in the intensive care unit.

The pervasiveness of the Internet and the almost complete integration of computing technology, laptops, tablets, and smartphones into our lives mean that we're digitizing practically everything we know, communicate, transact, or keep. All of it is on our phone, in the cloud and on our computer drive. But are you taking care of personal matters on a company device? Did you pay that bill on your home computer or the one at work? Did you compose that personal email on the laptop that was issued to you by the hospital? Did you text your spouse on the phone belonging to your employer? It's important to know who has access to what you are doing on that device. It may be "your" information, but if you accessed it using the employer’s equipment or network, that organization has a right and a responsibility to monitor it.

You are sitting at your desk when you receive an email from the information technology (IT) security team that the email you sent a few minutes ago contained personal identifying information in violation of the hospital's computer use policy. But the email was sent from your personal Google account, and it was your own information! How in the world, you wonder, are you in violation, and what is the IT team doing snooping around in your personal email account? The place where you work has proximate liability for any actions on its equipment or premises. That means if your actions have violated a law, policy or industry restriction, they have threatened the operations of your employer. That employer shares the blame for any breach, because it provided the means for you to commit the breach. This is a threat that your employer must take seriously, because many small breaches can add up to a big threat.

The facility where you work faces threats from internal and external sources. Unfortunately, many of those sources are internal, where they can do the most damage with the fewest barriers. These are your coworkers, who routinely threaten the security of the computer networks and, therefore, the backbone of the business. Most of the time, these threats come in the form of negligence and ignorance. The insider threat often takes the form of malware attacks, entering through an email attachment opened by an unsuspecting fellow employee or a credit card number included inside an email. The threat might also take the form of an employee stealing insurance or credit card information directly from the patient database. Whatever the case, the IT security team is charged with protecting the network and the data stored on the servers. How does it do this? It spies on you.

Your employer is monitoring what you do on its equipment or its network. This should not come as a surprise to you. In fact, you probably gave them permission to do so when you agreed to your employer’s technology use policy during the hiring process. With many employees and only a few IT staffers, you don't have to worry that someone is holed up in a dark room looking at a screen that's tracking every keystroke. For the most part, the security team is using computer programs installed on the network to watch for indications that you're doing something that you shouldn't be doing. For example, if you put a 16-digit number in your email, the email system probably will recognize that as a credit card number. Sending unencrypted credit card numbers through email is a breach of the Payment Card Industry Data Security Standard. This is similar to storing patient charts on your local computer drive, which is a Health Insurance Portability and Accountability Act (HIPAA) violation that will lead to a visit from the compliance officer. Visiting websites that you shouldn't be visiting is also noticed very quickly. This is passive monitoring.
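The "16-digit number in your email" check described above is a typical data-loss-prevention (DLP) rule. The following is an added example written for this article, not code from the authors or from any email security product, showing how such a passive rule works and why a plain digit count is not enough: a bare 16-digit order number and a real-looking card number both match the pattern, so the rule applies the Luhn mod-10 check (the checksum embedded in payment card numbers) to drop most false positives before raising an alert. The message samples, the hypothetical `scan_message` and `scan_all` helpers, and the masking format are all constructed for illustration.

```python
from __future__ import annotations
import re

# Candidate: 16 digits, optionally split into groups by spaces or dashes,
# not embedded inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized 16-digit strings in text that also pass Luhn."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(digits) == 16 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits in the alert so the log is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_message(sender: str, subject: str, body: str) -> dict:
    """Hypothetical outbound-mail hook: flag a message that carries a card number."""
    hits = find_card_numbers(subject + "\n" + body)
    return {"sender": sender, "flagged": bool(hits), "masked": [mask(h) for h in hits]}


# Constructed sample outbound messages (fictitious senders and numbers).
# 4111 1111 1111 1111 is a well-known test card number; 1234567890123456 fails Luhn.
SAMPLE_MESSAGES = [
    ("dr.a@example-hospital.test", "Lunch",
     "Order #1234567890123456 confirmed, see you at noon."),
    ("dr.b@example-hospital.test", "Reimbursement",
     "My card is 4111 1111 1111 1111, exp 12/26, please charge it."),
    ("dr.c@example-hospital.test", "Schedule",
     "On call Tuesday and Thursday this week."),
]


def scan_all() -> list[dict]:
    """Run the rule over every sample message and return one verdict per message."""
    return [scan_message(*msg) for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for verdict in scan_all():
        status = "FLAGGED" if verdict["flagged"] else "ok"
        print(f"{verdict['sender']:<32} {status:<8} {verdict['masked']}")
```

Run as a script, the first message (an order number that happens to be 16 digits) is left alone, the second is flagged with the card number masked to its last four digits, and the third is clean. Production DLP engines layer further checks on top of this (issuer prefix ranges, nearby keywords such as "exp" or "CVV", attachment parsing), but the shape of the rule, a pattern match plus a validation step plus a masked alert, is the same.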

Active monitoring is initiated when a prohibited action comes to the attention of IT security, human resources or the compliance officer. Sending harassing emails to another employee will generate active monitoring. In this situation, all electronic activities are watched by a person or recorded for later review or evidence. Typically, the IT department isn't interested until an action is flagged by the passive monitoring systems.

Smartphones have added an entirely new dimension to employee monitoring capabilities. These devices allow a myriad of personal tasks to be accomplished conveniently and somewhat securely, but they also provide some less-attractive clandestine features. Practically all smartphones now have a global positioning system (GPS) feature to pinpoint your location and provide directions, but it can also track where you are going and how long you stay there. Additionally, all smartphones have cameras. How many photos are on your phone right now? How many are personal? Do you have a Facebook app on your phone? If so, case precedents indicate that an employer can legitimately use it to access a private Facebook page. If the employer provided the smartphone, it has access to everything on that device. Personal emails, text messages and location logs are all available to an employer for review.

Those of us who don't use an employer-provided smartphone are safe from that type of monitoring, right? Not exactly. Many employers, especially large hospitals with greater HIPAA exposure, are requiring employees to install monitoring apps on their personal smartphones if they wish to use those phones to access hospital electronic services. If you want to have your phone sync with your work email and calendar, you have to install a mobile app that allows the employer to erase your phone remotely in the event it is lost or stolen. That app also provides access to all content on your phone. That's not to say that the employer would look at personal information, but it could.

You do have significant legal protection of your privacy. Several laws explicitly protect individual privacy of digital content, and significant case law supports it at both the state and federal levels. You surrender those rights when you sign computer use policies and agree to use your employer’s digital services and equipment. You should understand how and why an employer is monitoring electronic activity and what you can do to protect your personal privacy.