Moubarak et al conclude that "Residents and fellows frequently use
Facebook and display personal information on their profiles. Insufficient
privacy protection might have an impact on the doctor-patient relationship".
I agree strongly; users of Online Social Networking sites clearly need to
take care with their postings, and exercise the same sort of social
graces, including inhibition, as we do in the real world.
Yet I caution that the medical profession should worry about more
than incidental privacy breaches by doctors who might in effect simply
'forget where they are'. There are more serious systemic risks that can
automatically identify select patients of doctors and make that
information public.
The "find friends" feature of Facebook surreptitiously imports
members' web mail address books in their entirety. The feature's overt
purpose is to allow Facebook to find individuals that are common to pairs
of people, so that those pairs can be suggested as potential friends. The
"find friends" process is not clearly explained to users; in particular,
Facebook does not mention that the entire address book is uploaded and
retained [1].
I want to raise a new and distinct privacy risk for doctors and their
patients: if doctors on Facebook happen to have patients in their web mail
address books, and they use "find friends", then it is possible for
associations between individuals and their doctors to inadvertently become
public. For doctors working in mental health, sexual health, family
planning, substance abuse and so on, naming their patients could have
catastrophic consequences.
"Find friends" operates through an automatic web interface provided
by Facebook to participating web mail services, such as Gmail, Hotmail and
Yahoo. How likely is it that a patient might appear in their doctor's web
mail address book? E-mail increasingly figures in the way many
healthcare professionals interact with their patients. More and more
patients are pressing their doctors to make use of e-mail and other online
media, since they are routine now in so many walks of life.
Usually, doctors will have a specific workplace e-mail account, but
some don't have the option. Many allied health professionals,
counsellors, specialists and the like run their sole practices as small
businesses. They don't have a major investment in IT, nor a deep
understanding of the technology. Many such medicos do use web mail with
patients. Further, web mail is being re-branded in the market as a
"cloud" service, offered to businesses as a cost-effective alternative to
managing their own e-mail domains (I note that the e-mail address for
correspondence with the authors of the paper in question is a Gmail
address). So the line may blur between private and workplace e-mail
usage. Chillingly, Facebook CEO Mark Zuckerberg has shown a degree of
contempt for people who feel the need to operate separate digital
identities [2].
One way or another, including simply by accident, patient contact
details will inevitably appear in some doctors' web mail address books.
As a result, if a doctor signs up to Facebook and innocently allows "find
friends" then Facebook will import e-mail addresses, some of which may be
for patients. Note carefully that these individuals never have the chance
to consent to being imported; they don't even know it's happening.
Subsequently, others on Facebook will come automatically to learn that
individuals are associated with doctors, indicating they may be patients
of those doctors.
In conclusion, healthcare professionals using web mail should be
warned against the risks to patient privacy should they join Facebook and
use "find friends". Wherever possible, providers should use separate
professional and personal e-mail accounts, but because this may not always
be possible, and because accidental crossover may occur, the warning about
"find friends" remains important.
[1] Wilson S, Johnston J, More trouble with Facebook. Privacy Law
Bulletin 2010;7.2:25-8.
[2] Michael Zimmer blog, Facebook's Zuckerberg: "Having two
identities for yourself is an example of a lack of integrity" 14 May 2010
http://michaelzimmer.org/2010/05/14/facebooks-zuckerberg-having-two-identities-for-yourself-is-an-example-of-a-lack-of-integrity
(accessed 18 Dec 2010).
Conflict of Interest:
None declared