Social media has become a very important part of our lives. It is the easiest way to connect with friends and family and even to promote your business. If it is not secured properly, it can also be an easy way for someone to take over your account and become "you", or become the spokesperson for your business.

In this episode:

5 Steps For Securing Your Social Media – Ep 339


5 Steps For Securing Your Social Media

[03:40] Everyone knows someone (or has experienced it themselves) who has had their Facebook, Instagram or other social media account taken over. It's not fun. From a social media standpoint, the hacker becomes you. They start messaging everyone on your friends or followers list and try to get them to click on malicious links and the like.

The same thing can happen if you have a similar account for your business. Social media accounts are an extension of your business. Just like with your personal accounts, if someone has access to your business account, they basically become the spokesperson for your business. Hackers can contact your followers and even change the content of your account.

And let's not forget that some of us use our social media accounts to log into other online websites or services ("Log in with Facebook" and similar social logins). If your social media account gets hacked, the hacker can potentially get into every site that trusts that login as well.

Just like anything else, your social media accounts need to be secured. People often don't consider the security of these accounts because they feel the accounts are just for fun, they are not "real", or they don't believe these kinds of accounts hold any information that anyone would want. That is simply not true. These accounts typically contain photos, personal information about you, your likes, your friends, and sometimes your location. All of that is valuable to an attacker, whether for impersonating you or for crafting convincing phishing messages.

Healthcare businesses have the added worry of not releasing protected health information (PHI) or other inappropriate content on their social media accounts. That applies to your business' social media accounts as well as your employees' personal accounts. Imagine if someone took over a practice's social media account and started posting inappropriate content or messages, and patients started responding angrily. It could get ugly and damage your business' reputation. So securing these accounts is very important.

Securing Social Media Accounts

[09:54] CISA has published its Capacity Enhancement Guide: Social Media Protections. The guide lays out CISA's recommendations for securing social media accounts against unauthorized access. We have summarized its list into the 5 main steps below.

  1. Make a policy – Start at the beginning and create a policy for how you want social media accounts handled. Create a plan that states how these accounts may be used. When you have employees using your social media account, there needs to be a policy so they understand what they should and should not do, especially when it comes to interactions with patients or community members posting comments or asking questions through your social media account. The same applies if you outsource the management of your accounts: the vendor needs to know what your policy is and how you expect them to do things.
  2. [13:41] Access controls – Determine who you are going to authorize to manage your social media accounts and how you are going to let them do it. Apply the minimum necessary rule when granting access to the account: each person gets only the access their role requires. There are a lot of access control features in the social media apps, so use them. Make sure you turn on multifactor authentication (MFA) on every account. If you have the choice of using an authenticator app to get your MFA code, use that rather than receiving the code via a text message to your phone; SMS is one of the least secure MFA methods. But if a text message is the only option available, use it, because it is still far better than a password alone. Also set the account privacy controls within the apps, designating the trusted locations and devices that are allowed to access your accounts.
  3. Vet the vendors – Some vendors that manage your social media accounts won't be considered a business associate (BA) because they don't have or need access to PHI to do their job. However, they could still cause you to violate HIPAA, because they are acting on your behalf. So vet them!
  4. [26:46] Situational Awareness – CISA is a good resource for staying situationally aware of new cyber attacks and of vulnerabilities identified in systems, applications, social media platforms, etc. Many of these never make it to mainstream media or the nightly news. Your security team should be doing much of this monitoring for you, addressing the issues that affect your business, and notifying you when something big happens so you stay in the loop. This goes back to vetting your vendor: ask them whether they are doing this for you.
  5. Incident Response – You always need an incident response plan for when things go wrong. As Ben Franklin said, "If you fail to plan, you are planning to fail." If something inappropriate is posted on your social media page, what are you going to do? How do you get the post off your page, and how do you get control of the account back? The folks at CISA have included detailed guidance on creating incident response plans that encompass the complete organization, not just IT. Check out this guidance from CISA to get started on creating your incident response plans – Federal Government Cybersecurity Incident and Vulnerability Response Playbooks 508C

Don't let social media lure you into complacency. Make sure you have a policy. Make sure that in your policy you have thought through access controls, privacy controls, controls for any third party you are going to allow in, and how you are going to manage them. Pay attention to what is going on around you and in the world that might affect your business and its presence online. And then make sure you have a plan, because at some point something will go wrong.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.™

Special thanks to our sponsors Security First IT and Kardon.