Healthcare secure texting and secure messaging options are quickly increasing in popularity for covered entities. Providers are not only looking for secure, convenient ways to communicate internally, but externally as well. More patients have smartphones and are seeking numerous options when it comes to communicating with their physician.
However, covered entities must ensure they are not implementing new technologies simply for the sake of implementation. Federal regulations that relate to mobile device usage should be considered. Moreover, healthcare organizations need to consider what they hope to accomplish, and determine what types of problems or obstacles a secure texting or messaging option might help them overcome.
HealthITSecurity.com will review the basics of secure texting and messaging options in healthcare, and touch on what current regulations dictate. We will also round up some of the more recent ways that healthcare providers have integrated secure texting or secure messaging.
What rules and regulations are currently in place?
HIPAA compliance should be a top priority as healthcare organizations begin to consider implementing secure texting and messaging.
While the HIPAA Security Rule does not require specific technical solutions, it does dictate that healthcare organizations must determine reasonable and appropriate safeguards.
“It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so,” explains the HHS HIPAA Security Series.
For example, covered entities that have a BYOD strategy in place might want to opt for mobile device management (MDM) options, device encryption, or remote wipe capability. This could further ensure that any secure texting or messaging platforms cannot be infiltrated should a device be lost or stolen.
However, smaller practices that do not use BYOD may prefer to focus on securing their email access.
Another important piece of recent requirements that concerns secure messaging was released by the Office of the National Coordinator (ONC). To help clarify certain aspects of its Health IT Certification Criteria, ONC released “Certification Companion Guides” (CCGs) to help health IT developers.
Specifically, the CCG for secure messaging stated that “when a single quality management system (QMS) is used, the QMS only needs to be identified once. Otherwise, the QMS’ need to be identified for every capability to which it was applied.”
The encryption requirements of this certification criterion also only apply to the message content and not to the patient’s device(s), according to the secure messaging CCG.
“Only encryption and hashing algorithms are in scope for this certification criterion,” the CCG stated. “Random number generator standards are not in scope.”
Considering the entire health IT environment
Healthcare data security cannot be an afterthought when organizations implement new tools. It should be one of the first things considered.
Not only does a secure communications platform need to integrate seamlessly with the existing environment, but all end-points must also be considered. For example, whether or not personal devices are allowed for work purposes is a decision left to each covered entity. However, the final decision needs to be clearly communicated to all employees.
It is critical that staff members at all levels do not purposely or accidentally overlook a device when encryption options and other technical safeguards are being discussed and considered.
Furthermore, as HealthITSecurity.com contributor Bill Kleyman explained in an article, it is important not to rely on users to necessarily have the best security practices in mind when it comes to creating a secure mobile healthcare worker. Implementing a platform that allows organizations to control how data is passed between the enterprise network layer and the variety of end-point devices would be a wise approach.
“You can port users from a medical group to one set of servers and network devices, while allowing guests to access a segmented network for very limited access,” Kleyman wrote. “All of this is done intelligently through policy controls. It helps keep your healthcare environment up and running while still dealing with the vast number of new kinds of devices.”
Kleyman added that it is important to find a way to let users maintain productivity, while still allowing the business to stay competitive.
“This means adopting new end-point strategies, involving mobility, and expanding how you work with the end-user,” Kleyman wrote. “The future of secure mobile healthcare will revolve around proactive devices helping keep us running better, longer.”
What progress have providers recently made?
As previously mentioned, numerous providers have been making strides when it comes to integrating secure texting and messaging options. Whether it’s allowing physicians to securely text back and forth or offering a secure email option, there are various ways to communicate without inadvertently exposing sensitive information.
For example, California-based Premier Nephrology Medical Group implemented a secure messaging program last year through Lua. The move was an effort to better assist staff members in their everyday communications.
Lua allows Premier employees to stay HIPAA compliant “but also use technology like doctors do in the 21st century,” Premier Project Manager Rena Greenfield told HealthITSecurity.com.
In Premier’s case, it was important to find an efficient and convenient option for secure texting because many hospitals and dialysis centers Premier works at typically only offer free texting solutions for doctors that are staff members at those facilities.
“It was pretty problematic because our doctors don’t only text doctors that work at the same facilities as them, and they also text me and our office manager and people who coordinate dialysis at the hospital, dialysis nurses, and the vascular care team,” Greenfield explained. “So there’s a variety of people they’re in contact with throughout the day.”
Greenfield added that the Lua option also encrypts the data and provides all the reporting information required to conduct an audit drill if needed.
“We want our data to be encrypted,” she said. “We don’t even really think about texting as not being secure. Most of the obstacles aren’t that people don’t want to be, it’s just that it’s hard to find programs that work well for doctors.”
Similarly, University Health Systems (UHS) announced last year that it had implemented secure messaging options from Spok.
UHS CIO William Phillips told HealthITSecurity.com that UHS also wanted a more efficient way for physicians to get information. However, secure texting that was HIPAA-compliant was also necessary.
“I can't from a HIPAA standpoint, just allow unencrypted free texting of patient information,” Phillips said, adding that physicians are increasingly wanting the option to be able to text information. “We really knew that to get a tighter control over texting, and what was being controlled in the text, that we needed to have a secure texting platform that would enable the physicians to actually have those types of texts to continue to treat patients in the proper manner.”
For long-term secure messaging benefits, Phillips explained that he hoped physicians would benefit in their on-call scheduling.
“Also, it can enable a texting platform that will allow clinical texts, or patient information texts, that are secured, which will enable the physicians for better patient care,” Phillips maintained. “And then the third thing, having critical alerts is great improvement in patient safety and outcomes.”
Smaller facilities can also benefit from secure texting and messaging options, as Annapolis Internal Medicine showed when it implemented athenaText last year.
Dr. Kevin Groszkowki told HealthITSecurity.com that Annapolis Internal Medicine has 11 physicians: 10 internists and one endocrinologist. The practice wanted a secure messaging option that was also HIPAA-compliant, he said.
"The platform we chose has been great for us because it allows us to communicate as a solid unit," Groszkowki said. "Our clinical support staff can instantly reach physicians and NPs and vice versa. Previously, we had been using everything from iMessage to chat programs like Yahoo chat and Google chat, but they’re not HIPAA-compliant, which severely limited what we could actually say about a patient."
Another challenge that the secure messaging option helped Annapolis overcome was communicating between different floors. According to Groszkowki, the Annapolis acute care clinic is on a different floor than its office, and staff members were making phone calls to communicate.
"Our process was pretty disjointed," he recalled. "We used different methods to talk with each other — instant chat, instant messaging, and the phone, which was often the most disruptive to the workflow. It was distracting and it wasn’t guaranteed you would reach someone. That’s why a secure, integrated solution, like athenaText, was such an easy decision for us."