As we continue to navigate COVID, we find ourselves transitioning to a new PIO phase of the pandemic. Vaccination sites are popping up all over the country; with mass vaccination sites in the works as well. Clear, concise communications to your customers and targeted audience is extremely important, especially now.
As many observed, messaging in the early days of vaccination availability were very rushed, clumsy and at times confusing. Additionally, many PR/PIO errors were made in both the government and the private sectors. Rushing to put a message out leads to errors, miss interpretations and even operational security concerns, which is our topic this quarter.
Celebrating the Vaccine
As soon as the vaccine arrived, media rushed to cover the story. Looking for imaging of the vaccines arriving at hospitals and health departments. PR/Spokespersons rushed to post images of vaccination operations and filled their social media feeds with imaging, video and at times, personal information that created some operational concerns. In Pinellas County Florida, someone set up and shared, via multiple platforms, a fake vaccination registration site. Florida announced early into the vaccination process that many of their counties were experiencing some sort of technology issue. I believe that was a similar issue across the country.
Once vaccinations began to flow, we began to see an influx of folks posting their vaccination cards publicly — social media, news interviews etc. Information shared publicly included full names and birthdates, with some folks even posting their Social Security numbers. A quick image search via GOOGLE returned quite a few posts.
So many people were posting their “proof of vaccine” that the Federal Trade Commission released a public warning regarding the practice: “Social Media is no place for COVID-19 vaccination cards.” One must understand that the oversharing of information could tip off information predators on what your passwords or pin numbers could be as well as specific personal data they could use to steal your identity. ACCORDING TO MANEESHA MITHAL, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection; “Scammers can sometimes figure out most digits of your Social Security number by knowing your date and place of birth, and can open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft. It is also recommended that you do a health check up on your social media privacy settings. It is recommended that you keep your social media circle tight, and to limit access to a small group of family and friends, making sure your settings are configured to avoid sharing information with strangers. As you can see, your personal information can be easily jeopardized, and was, during the vaccination phase of the pandemic. Unintentional exposures occur frequently. It’s important to know that folks, I called them “information predators” earlier, are out there actively looking for these unintentional exposures.
If you really, really want to share your vaccine card, consider using photo editing software or APP to “smudge” or blur the information. In the next photograph, I took an actual vaccine card, that I found on the Internet, it contained the persons full name, date of birth and patient account information. I saved the photograph on my phone, then blurred some of the data for this article.
So, I’ve been discussing personal security, but this is a PIO column, so let’s dive into “Operational Security.” Operational Security (also known as OPSEC) is a fundamental process used by the military and federal agencies to protect sensitive information and to keep it from falling into the wrong hands. The history of OPSEC dates to 1966, during the Vietnam War, when U.S. leaders discovered that open source data (also called SBU-sensitive but unclassified information) fell into enemy targeting operations and eventually led to the loss of U.S. bombers. OPSEC is very important in the public safety world as well. While executing our daily mission, assisting folks in a time of need, we become aware of intimate facts and details regarding our customers — the citizens we serve. We must always treat these facts and details with confidentiality. We should not share anything with others, especially anything as it relates to Health Insurance Portability and Accountability Act (HIPAA). You may recall the old saying — “Loose Lips Sink Ships” dating back to World War II.
Operational Security Social Media
Nowadays, information is shared at a rapid pace, by many, and social media has a direct impact on OPSEC. As PIOs, it is our responsibility to protect operational security and on occasion our social media posts can have a negative affect (albeit unintentional).
When we’re making posts and sharing information with our customers, we need to make sure we’re not sharing too much. This can easily occur, if we’re not careful, or in a rush to get information out. When I am on the scene of an incident, I make sure to gather all the information that I’m planning to share and review with the incident commander prior to sharing. As I document the scene to share via social media — photographs and or video — I make sure to go back and review each photo and video before I share it. Once you make the post, you can’t really take it back — especially if you have a photo or video attached. You need to make sure you’re sharing information that can identify victims, patients or parties uninvolved. Our citizens invite us into their homes, without hesitation, so we must be good stewards of this trust and not share photos or videos from the inside of their residences or businesses without specific permission. A photograph of a kitchen fire could be very beneficial for fire prevention education, but you should never post without the permission of the owner.
Additional OPSEC concerns to consider is when you’re sharing posts of your operations, are all your folks wearing appropriate PPE, operating safely? No need to share something that’s going to fire up the Monday morning quarterbacks or keyboard incident commanders. You don’t want your agency’s operations to appear on a firefighting forum about what NOT to do.
Finally, there is OPSEC that could expose vulnerabilities within your agency. If/when you share or post from within your fire stations, headquarters, command posts, communications centers or even your emergency operations center, you MUST review the photographs and videos in detail prior to posting. Look in the background. Are your CAD machines exposing actual calls, addresses or notes on them? Does your command post have Wi-Fi passwords on the wall or dry erase board that can be seen in the photograph or video? There are many incidences of this occurring. I’ve seen photographs from major events such as Superbowl, disaster responses etc., that have listed the Wi-Fi password as well as login and passwords to APPs associated to event operations. Below I will share some photographs of real time posts that contain OPSEC information.
The first picture is a picture from a 911 Communications center. As you can see the PIO blurred all the sensitive information on the screens to prevention an OPSEC compromise.
The second picture is of a PR story, on television, about the unprecedented security measures being taken to protect the Superbowl, however in the video, they shared the command posts Wi-Fi login and password information. An OPSEC compromise.
The third picture involved the FIFA World Cup. The security agency responsible for keeping the event protected, tweeted a photograph of its state-of-the-art monitoring center, but also accidentally exposed the World Cup security center’s internal Wi-Fi password to the whole world. An OPSEC compromise.
The final picture is from a vendor’s visit to a large, busy communication’s operations center. The center was excited for the visit and posted pictures of the visit on multiple social media platforms. Unfortunately, in the background of one photograph was everything a hacker would want to know. It contained APP information, login, password and the port identifier the APP was working from. Of note: I contacted that agency when I saw the photograph and they deleted it, but only after it was up on social media for 23 hours. An OPSEC compromise.
As a PIO your job is to share information with your customers, but you must be very careful at what you share. As you saw within this article, its easy to “overshare” information and expose personal information or agency information to the information predators that are out there, lurking and looking for a way to benefit off what you share. As always, be active and post daily, but slow down, be careful and watch that background!