Healthcare Information Security


How Healthcare Secure Texting, Messaging Impact the Industry

Not only will secure texting and secure messaging impact provider-to-provider communication, but also provider-to-patient.

Secure texting, messaging are increasing in usefulness in healthcare

Source: Thinkstock

With the continued push for patient-centered care and ever-evolving technological options available to healthcare providers, secure texting and secure messaging have become an increasingly popular path for providers.

Not only will secure texting and secure messaging impact provider-to-provider communication, but also provider-to-patient.

For example, secure messaging use increased 30 percent from 2013 to 2014, according to a data brief released by the Office of the National Coordinator for Health Information Technology (ONC). Specifically, 52 percent of physicians said they exchanged secure messages in 2014.

Moreover, 42 percent more physicians granted their patients view, download, or transmit access to their electronic health information.

ONC also found that there was just a small increase in the number of physicians electronically sharing patient health information with other providers. Between 2013 and 2014, there was just a 7 percent increase in that area, with less than 1 in 10 physicians sharing patient data with hospitals with which they were not affiliated.

When it comes to BYOD strategies, healthcare providers need to ensure that their employees – the end-users — receive comprehensive training and education so they understand what their responsibilities are, according to Spok CIO Tom Saine.

“Security is not just the responsibility of the security officer or the IT department,” Saine told “In all aspects of security, the biggest weakest link in any security policy, procedure, or practice is the human being.”

However, it’s also essential to deploy solutions that are not overly cumbersome for the end users, he added.

“You have to figure out how to do that where it's not an overly burdensome impact to the end users doing his or her job,” Saine explained. “There has to be some things in there that make it a little bit more difficult, but you have to be able to find that happy medium.

Electronic capabilities offered by non-federal acute care hospitals to their patients (excluding view, download, and transmit patient health information), 2014
Electronic capabilities offered by non-federal acute care hospitals to their patients (excluding view, download, and transmit patient health information), 2014

Source: ONC

Best practices for implementing secure texting

While it’s important to secure the people who have access or the providers within the facility itself, it’s also becoming increasingly important to protect from anonymous attacks that are coming from outside organizations, according to Ed Gaudet, GM of Imprivata Cortext.

“There’s a lot of money and effort going in to auditing these [issues] and dealing with these events and breaches,” Gaudet told “More and more hospitals are going to need a consistent approach to access what is within their environment and then set up sufficient risk indicators and security processes in response to attacks.”

It will also be essential for covered entities to ensure they have the requisite amount of security based on a particular process or workflow. For example, security solutions such as identity management and the use of two-factor authentication may be appropriate based on the workflows, Gaudet explained.

“The weakest link in any security program is the user,” he maintained. “So, it’s important that the user understands what a phishing attack is, for example, and how to make sure that they are doing the right thing, and that they’re being vigilant about ensuring that they’re not becoming the point of entry for folks.”

The key thing right now, according to Cureatr Co-founder and CEO Joe Mayer, is that the industry is driven by a shift to population health. It is also necessary to use a fully integrated communication system to support a fully integrated delivery system.

“From a security perspective in 2016, the big challenges are what you need to do with regards to policies, technologies, and procedures around security to facilitate all of the new channels of communication from your acute to post-acute care provider system, for example,” Mayer explained.

“The weakest link in any security program is the user.”

Managing the security inside the four walls of an organization is one thing, Mayer added, but it becomes more complicated when communication is being managed across the continuum for a population. The risk for potential exposure cannot be overlooked, and 2016 will likely see an increase in the cross-continuum communication and integration.

The publicity of data breaches in 2015 is really moving data security front and center in a lot of healthcare organizations, explained Spok’s Tom Saine.

“We're seeing more and more where the perpetrators are targeting healthcare specifically because you can get so much personal data out of the healthcare environment for identity theft, credit card theft, and manipulation of people's information, such as insurance fraud,” Saine said. “There's a wide gamut of what the perpetrators can do with that data that is becoming more and more forefront in everybody's thought process.”

With the recent healthcare data breaches, Saine added that it’s becoming more imperative that the administration in healthcare organizations put more focus on taking preventative actions to ensure that patient data and personnel data is protected across the board.

Mobile secure texting and messaging are a very critical part of it, he stated, because the workforce is so mobile these days.

“It is an across-the-board data protection environment, and the challenge is going to be implementing the right security protocols and procedures that help that organization protect the data and identify potential breaches as they happen as well as respond to them,” Saine said. “But, they need to do it in a fashion that does not retard the efficiencies of the workforce.”

Overcoming common secure texting, messaging concerns

Strong communication is central to care coordination, according to Gaudet, and the proper communication tools and channels help providers communicate, collaborate and deliver care across the continuum.

“If you look at the state of the industry as a whole, we just spent a bunch of years and money moving from paper-based care – paper-based documentation, and charts for example – to electronic systems,” he stated. “And multiple billions of dollars went into that transformation for healthcare.”

Gaudet added that now, providers have everything they need electronically about the patient, but they haven’t really approached the way that care is coordinated.

“What we find is that communication is broken in healthcare. And hospitals are using outdated forms of technology and processes like pagers, and call centers with operators to route calls, and faxes to send documents.”

However, that line of communication is clearly becoming more important in terms of working directly with patients.

Another recent ONC data brief found that 51 percent of hospitals in 2014 allowed their patients to send and receive secure messages. Furthermore, there was a significant increase between 2013 and 2014 of hospitals that provided patients with the capability to electronically view, download, and transmit their health information. Specifically, 10 percent of hospitals provided this option in 2013, while 64 percent of hospitals provided it last year.

Proportion of physicians who electronically shared health information with patients in 2013 and 2014
Proportion of physicians who electronically shared health information with patients in 2013 and 2014

Source: ONC

The healthcare industry digitized EHRs and moved care documentation and processes, like e-prescribing, to the electronic systems, but it’s still communicating with analog devices like pagers, Gaudet explained. In healthcare especially, what’s really important is eliminating steps, and on the electronic side, eliminating clicks.

That has been a key step when it comes to secure messaging options, he said, and is often something that providers look for when they approach Imprivata.

“One of the things we learned early on with Imprivata OneSign, which is our single sign-on and authentication solution, is that providers really want the minimum number of clicks to get the information they want regardless of where they are,” Gaudet stated.  

Hospitals are also increasingly mobile, and providers are used to communicating to family, and friends, and colleagues using SMS texting. That is where the need for secure texting comes into play because SMS texting is not secure.  

“What we have to do as an industry is provide them the right level of tools, and security, and availability of those systems so that they can continue delivering care in the context in which they need to.”

Similarly, healthcare providers often have a challenge today with provider-to-provider communication, according to Mayer. It’s often not so much just inside their facility, but it’s across multiple providers and they need to communicate and share patient information across numerous organizations.

“Yes, they want to use it inside the four walls, but increasingly, because of the way healthcare's going with ACOs and with bundled payments and care transitions, they really do need to be able to extend communication across a kind of poorly, often interoperable, disparate network,” he said.

“What we have to do as an industry is provide them the right level of tools, and security, and availability of those systems so that they can continue delivering care in the context in which they need to.”

Mayer added that another common concern that healthcare providers have while looking for a secure messaging option is that they want everything to be patient-centric. For example, if information is going back and forth, the provider wants to ensure that it’s easily tied back to that patient.

“A lot of our customers like what we do because we build tools to make everything patient-centric,” Mayer maintained. “We integrate in with the EMR in our systems, and we also have the ability for providers to communicate about shared patients, again, across different organizations and meet all of the compliance and security needs around that.”

It is also common for providers to want to do more than just secure messaging in the same application. For example, covered entities don’t want one for messaging, one for notifications, and one for patient information lookup.

“Ideally, they want their providers to have to look into one application for a suite of that different functionality,” according to Mayer.

The advent of HIPAA regulations and the HITECH Rule have also affected provider’s concerns, explained Spok VP of Product Strategy Brian Edds, especially as they have helped increase the awareness of the importance of PHI security.

“Oftentimes, one of the big topics that comes up is BYOD,” according to Edds. “And so, within healthcare institutions, it's been a trend really for the last five years where, increasingly, doctors and nurses are bringing their own personal devices into the workplace and starting to use them for communications.”

The challenge is that there’s really no governance, Edds added. There’s no control over how that device is being used and what PHI may be used on it.

Healthcare providers might be using text messaging, but it is the built-in text messaging on the phone. The problem with that is that if the device is lost or stolen, there’s no control for the IT department to ensure that PHI is not lost or accessed by unauthorized individuals.

Saine agreed, reiterating the point that a common challenge healthcare leaders face is finding the right balance between security and convenience.

Healthcare organizations need to find the happy medium so there is an environment that is secure from a risk mitigation perspective, but that is also user friendly. That way, end users will not work around the security processes. 

“We have to figure out how to allow them to be that self-supporting, that efficient end user of technology, and place in parallel with them enough risk mitigation to protect the data to meet regulatory requirements, et cetera,” according to Saine.

Providers can become so accustomed to seeing data, they might lose sight that it is really protected data, Saine added. It is necessary to continually reinforce that through standard communications and training.

“You have the right to know and the right to have access to that [data] to do your job, but just because you do does not mean that someone down the hall has that same need to know,” Saine said. “It’s important to help reinforce that education throughout the organizations on a continuous basis.”

Why healthcare organizations need a different approach to security

Gaudet stressed the fact that when healthcare organizations begin the search for secure messaging options, it is important that the vendor be healthcare-focused because the industry is different.

“It’s different than finance, and energy for example, and it has very specific workflows, and maturity with technology,” he urged. “You have to be able to support those differences.”

Gaudet added that it’s important to understand how people work with the technology within the context of those workflows, and that they will therefore need to provide support for those workflows.

“With secure communications, you’ve got, basically, at the same economics of a pager, a thousand times more power and capabilities. And so, it seems like it’s a very easy economic decision for hospitals to move off of pagers today.”

In terms of new technology in general, Cureatr’s Mayer said that the mentality of the IT department needs to change. Secure messaging products, for example, are typically cloud-based. Oftentimes, IT departments might be used to having a server sitting in their system that they control. But being able to understand that that’s not always the case anymore is important.

Mayer added that HIPAA regulations are not always in the forefront of physicians’ minds because they’re focused on caring for patients. It’s not that it’s not important, he maintained, but it’s not always the first thing considered.

“With secure communications, you’ve got, basically, at the same economics of a pager, a thousand times more power and capabilities.

Therefore, using secure messaging often has to be tied back to real-world scenarios. For example, if a healthcare provider is having trouble communicating with the pharmacy to get patients discharged in a reasonable amount of time. There are tools available to help with that, and it can be done in a HIPAA-compliant way. 

Spok’s Edds explained that most secure messaging solutions being provided currently are secure, but the real differentiator is the workflows that the solution can be tied back to.

“Just worrying about secure messaging back and forth between people is not enough,” he urged. “It needs to be integrated into the critical test results, the nurse call, the consult request, the code blues, the emergency notification, the answering service, the on-call system. There’s a whole series of systems and workflows that it needs to be integrated into.”

Regardless of whether a covered entity is looking to implement secure messaging options for provider-to-provider communications, provider-to-patient, or a combination of both, it is clear that privacy and security cannot be overlooked.

Healthcare secure messaging is only going to continue to evolve, and organizations must ensure that they are keeping pace in order to keep PHI secure.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks