In 2012, approximately 184.3 billion text messages were sent in the U.S. each month, an increase from 28.9 billion a month just five years before. And every day an increasing number of physicians and other health care providers are exchanging clinical information through a wide range of modes – including smart phones, pagers, CPOE, emails, texts and messaging features in an EMR. So it’s no surprise that hospital and health system leaders are honing in on securing protected health information in electronic form (ePHI).
At the same time, changes in the HIPAA regulations released earlier this year, as well as misleading hype from vendors, have made HIPAA compliance more important and yet more challenging to achieve. Delays in addressing the issue can result in expensive legal fees and settlements, divert resources and staff from other important activities, tarnish an organization’s reputation, and, most critically, undermine patient trust. But it’s time to set the record straight on secure communications.
Time and time again I see health systems looking to implement stop-gap measures and point solutions that address part – but not all – of a problem. And how some in the industry are approaching the security risks associated with electronic communication is no different. Tackling secure texting in and of itself it not enough. In order to identify all potential areas of vulnerability, health care leaders need to consider ALL mechanisms by which ePHI is transmitted – and the security of those mechanisms and processes.
Let me paint a picture of all of various ways PHI can travel in today’s complex healthcare environment and expose a health system to risk. Texts are commonly sent between two individuals via their mobile phones – but the communication “universe” into which a text enters is actually much bigger. It also includes sending messages from mobile carrier web sites, web-based paging applications, call centers, answering services and switchboards. For example, a nurse might create a message by logging onto the website of a mobile carrier. The message may be sent via an unsecure network to a pager or via SMS to a physician’s mobile phone. A pharmacist might telephone a call center with a message for a physician; the call center agent may create an electronic message that is then sent to the physician via an unsecure network. In addition, voice messages that include PHI may be stored on mobile phones or on a carrier’s server – in some cases without sufficient security protections. If these messages contain ePHI and are transmitted through unsecure networks or stored in an unencrypted format, they represent a potential security risk.
SMS text is just one piece of the communications puzzle at this 364-bed hospital
We’ve all heard the buzz in the market about “secure text messaging” – but health systems need to realize that texting or any other mode of communication can’t be viewed in isolation. By failing to address all transmitted ePHI, organizations become vulnerable to security breaches with adverse legal and financial consequences, as well as loss of patient trust and reputation in marketplace.
In Part II of this series on security, I’ll be going into more detail about HIPAA’s revisions.