OnPage Report: The impact of not securing healthcare communications
Recent data from the Journal of Hospital Medicine highlights the battle for secure healthcare communications. Unfortunately, the battle is not progressing as well as one could hope. The Journal’s July 2017 publication cites the following statistics:
- Almost 80% of clinicians continue to use pagers, the technology most commonly used by hospital-based clinicians
- 53% of clinicians use text messaging to exchange patient care information
- 22% exchange text messages that include identifiable patient information
- Relatively few hospitals have fully implemented secure mobile messaging applications
Besides pointing to the progress that remains to be made, these statistics force us to consider the impacts that result from this lack of adoption. Yes, there will probably be more HIPAA fines. Some of those fines might be quite large. But are there damages beyond fines? The answer is, unfortunately, yes. Beyond the fines are the damages from data breaches that result directly from unencrypted data.
Breadth of unsecure messaging
Many nurses, physicians and administrators remain uneducated about the necessity of using secure messaging in their exchanges with colleagues. Simply stated, healthcare workers don’t enter their industry to think about message security and encryption. For most healthcare providers, encryption in healthcare is just another nuisance that gets between them and their patients. As one source noted,
[I]t is unclear if resident providers are aware of the security concerns of SMS text messaging when communicating about patient care.
To further highlight this fact, many practitioners continue to routinely use unsecure applications such as Facebook and GChat for communications. In fact, 52 percent of respondents in a survey said they use SMS/MMS text messages in addition to other popular messaging platforms such as Facebook Messenger, GChat, and WhatsApp. Sadly, many users believe that these third-party platforms are at least somewhat secure.
A major reason why practitioners often text is to avoid the time-consuming “message and wait” protocols that pagers demand. By using text messaging, users get much quicker responses and can resolve issues more quickly. But while texting addresses timeliness, standard SMS is not HIPAA-compliant. For that matter, neither are GChat, WhatsApp or the other applications that practitioners often use.
One journal noted that hospital administrators can continue telling nurses and clinicians that they cannot text and that it is unsafe. However, at the end of the day:
Not [texting] is not practical. Without us providing some kind of an option, telling them not to do it is an exercise in futility.
As a result of this lack of encryption, the healthcare industry, from doctors to insurance companies, is hemorrhaging patient data. Since 2009, over 29.3 million patient health records have been compromised in data breaches. Despite calls for more security, and legislation like HITECH and HIPAA, the healthcare industry is still struggling to protect its patients.
Messages going rogue
When unsecured devices are used, the exchanged messages are neither encrypted nor password-protected. Additionally, there is no defined list of who can receive the messages, so messages can be passed to an unintended individual. As such, if the content of those messages gets into the wrong hands, it can be used for unintended purposes.
Healthcare is the most vulnerable sector of the US economy when it comes to breaches of patient health information. Healthcare tops the list of the most cyber-attacked industries. In 2015, one in three Americans was the victim of a healthcare data breach. This figure translates into more than 11 million individuals’ data being lost due to hacking or IT incidents in the U.S. alone. The leading cause of breaches was lost and stolen devices such as smartphones.
In the case of smartphones, many hospitals either explicitly or implicitly allow practitioners to bring their own device (BYOD). With the inherent challenges around developing adequate security measures for messaging on personal devices, sensitive data is left exposed. Many executives have stories of doctors and nurses designing work-arounds that bypass safety and security protocols, or simply using their devices in defiance of HIPAA standards. The issue is that if these devices are lost or stolen, hospitals and clinics have no way to wipe them, nor do they have encryption and passwords on messaging applications that would prevent improper use of the information.
Mobile devices remain a key access point for PHI, and when they are lost or stolen, the information on them often results in costly data leaks. Demand for BYOD is significant among healthcare professionals, with approximately 85 percent of them bringing their own devices to work. Given these statistics, it is likely that smartphone use will continue to grow in healthcare and that possibilities for stolen healthcare information will grow alongside it.
Further heightening insecurity about data leaks and cyberattacks, cybersecurity experts agree that it’s not a matter of if or when your data will be hacked, but whether you’ll know your data was hacked.