Encryption and Healthcare Mobile Messaging

What’s so hard about the encryption of healthcare mobile messaging?

Last week, I came across an interesting article on encryption and healthcare mobile messaging. The article pointed out that pointed out the need for mobile device security when practitioners exchange PHI. Apparently, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued an important reminder to healthcare on the need to mitigate risks surrounding the use of mobile devices.  According to the article, OCR stresses that:

mobile devices should be included in an organization’s enterprise-wide risk analysis and that organizations implement security measures to reduce identified risks to a reasonable and appropriate level, as required by the Health Insurance Portability and Accountability Act (HIPAA) rules.

While it is obviously the OCR’s purview to issue statements on encryption in healthcare and mobile messaging, the issue remains that many physicians will continue to struggle with achieving this goal. Why is this the case? The reason for the struggle is that practitioners use non-secure, non-encrypted messaging platforms in healthcare to exchange information. As such, exchanging ePHI on non-secure platforms quickly follows. For secure exchange of ePHI, hospitals and clinics must embrace secure messaging platforms. One cannot exist without the other.

Why healthcare secure messaging is challenging

In part, secure messaging is challenging for healthcare professionals because practitioners often prefer to use a mixture of pagers, SMS, Facebook, GChat or WhatsApp to communicate with one another.  Additionally, even though WhatsApp now has end-to-end encryption, it still lacks access control that is needed to make it truly appropriate for healthcare. Without access control, anyone with the smartphone password can access information on the application.

Additionally, even if practitioners try to increase security by not naming patient names in exchanges, they still run the risk of violating HIPAA. For example, in one well publicized case, nurses began using Facebook to provide shift change updates to their coworkers. They did not use patient names, but they did post enough specifics about patients so that incoming nurses could prepare for their shift.

Disclosures were made with the best of intentions, but obviously violated HIPAA constraints. Omitting a patient’s name does not guarantee that the person cannot be identified. The conclusion that arises here is that under no circumstances should practitioners exchange PHI through non-secure methods of communication.

Another issue that makes secure messaging challenging through traditional smartphone applications is that the information cannot be wiped. In healthcare, users often face the risk of loss and theft of their device. The stolen information is then often sold on the black market where it is very valuable.

Secure messaging applications – a modest proposal   

Healthcare should not think that the solution to insecure messaging is the banning of smartphones. Indeed, doctors and nurses have their devices almost surgically attached. Banning would only be counterproductive and decrease productivity. Instead, the first critical step in switching healthcare’s mindset is to encourage adequate training.

Training needs to start at the top of the healthcare facility food chain. Physicians aren’t the only ones who need training. Directors and administrators need training as well. In this training, employees should learn about appropriate clinical secure messaging applications they can use.  OnPage, for example, provides a smartphone application which allows practitioners and administrators to exchange attachments, ePHI and text messages in a secure manner that keeps individuals HIPAA compliant.

Additionally, all users of secure messaging applications need to learn the steps of what they should do if they lose their smartphones. Individuals need to feel guilt-free about reporting this to appropriate administrators so they can have their app wiped, thus inhibiting the theft of any patient information stored on the messaging app.

Additionally, healthcare facilities need to impress upon practitioners that facilities can face significant financial and regulatory repercussions if hospitals violate HIPAA regulations by not adequately protecting patient information. Patients have been shown to be wary of visiting hospitals that have experienced HIPAA violations.

Finally, institutions need to make the switch to a secure clinical communications platform seamless and easy. Transitioning to a secure messaging application should require minimal effort. As such, sign on and sign off should be easy. Security should be on the onus of the app. Patient privacy should be easily maintained through message encryption.

Conclusion

It is fascinating to see how healthcare regulating agencies see the issue of mobile device security and PHI. Clearly, they see it as an important issue but one that is nowhere close to being solved.  What we can conclude from the article is that healthcare institutions need to continue their vigilance in protecting patient information. Secure messaging solutions and increased training are the best place to start.