Physician texting poses HITECH security challenges
Vague messages, secure network add protection
With almost 80% of cell phone owners reporting they use text messaging [1], it is no surprise that physicians are doing the same. A survey of pediatric hospitalists found that 57% of clinicians send work-related messages, and 12% of the physicians reported texting 10 or more times per shift. Messages were received on personal phones by 41% of respondents and on healthcare facility-owned phones by 18% of respondents [2].
"The world is text messaging for all types of communications, so it is not surprising to find physicians taking advantage of a tool that is faster, more convenient, and more direct than other forms of communications," says Jeffrey Evans, co-founder of Santa Monica, CA-based TigerText. "Email is cluttered and not fast enough for an immediate, open conversation, even when email can be accessed by a smartphone."
Texting makes sense for physicians because a doctor's job is inherently mobile, Evans points out. "A physician is rarely sitting in front of a computer," Evans says. Performing surgery, making rounds, and seeing patients in the office means being away from a computer, he explains. "A doctor can be more efficient if he or she can check for lab results, confirm the time of surgery, or ask for a consultation while moving from place to place," Evans says.
Although texting might be more efficient for physicians and healthcare employees, there are security issues a facility must address, says Steve Hunt, CPP, CISSP, director of Neohapsis Labs, the research division of Chicago-based Neohapsis, a security risk consulting service. Although there are several risks posed by texting protected health information (PHI), one of the more challenging is authenticating the sender's or receiver's identity. "Unlike a telephone conversation during which you hear a voice and can exchange information to verify identity, you don't know who is holding the phone and responding to your text." A misdialed phone number or a misplaced cell phone might result in information being sent to the wrong person.
For this reason, Hunt recommends that physicians who text follow these practices to maintain compliance with Health Information Technology for Economic and Clinical Health Act (HITECH) privacy and security rules:
- When texting a patient with health information, keep it vague. Don't say: "Your test is positive, give me a call." Instead text: "Your test results are ready. Please call."
- When texting physician to physician, separate data into several messages so a patient's identification information is not in the same message as health information. For example, send one message with: "I'd like to inquire about Mrs. Smith." Follow this message immediately with: "Was her test positive or negative?"
Both of these steps minimize risk but will not completely eliminate it, points out Hunt. "If a phone is lost, an unauthorized person can put together multiple messages to see PHI."
Encryption is another way to minimize risk, but it is not foolproof. "Text message data is not encrypted when at rest or in transit," explains Evans. Even if a phone is password-protected, the data is available to anyone who has the password, he points out.
Providers can improve security by sending messages on a secure network that receives messages, notifies the recipient that a message is waiting, and provides a link to the message, says Evans. Whatever system a provider implements must be able to authenticate senders and receivers as well as ensure information can't be accessed by unauthorized persons, he suggests.
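The notify-then-fetch design Evans describes, as an added example in Python (not TigerText's code or API, and not part of the original article): the message body stays on the server, the recipient's phone receives only a "message waiting" notice with an opaque link, and retrieval requires the recipient to authenticate. The class and function names, the hostname `msg.example.invalid`, and the sample users and message are all constructed for illustration.

```python
"""Constructed example of a notify-then-fetch secure messaging store.

PHI never leaves the server in a notification; it is released only to an
authenticated session belonging to the intended recipient.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000


@dataclass
class StoredMessage:
    sender: str
    recipient: str
    body: str  # the PHI lives here, server side, and is never copied into a notification


class SecureMessageStore:
    """Server-side store with password login, session tokens and per-recipient retrieval."""

    def __init__(self, base_url="https://msg.example.invalid/m/"):
        self.base_url = base_url  # assumed, non-routable hostname for the example
        self._users = {}          # user_id -> (salt, pbkdf2 digest)
        self._sessions = {}       # session token -> user_id
        self._messages = {}       # message_id -> StoredMessage

    def register_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = (salt, digest)

    def authenticate(self, user_id, password):
        """Return a fresh session token on success, None on any failure."""
        record = self._users.get(user_id)
        if record is None:
            return None
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def send(self, session, recipient, body):
        """Store the message and return (notification_text, message_id).

        The sender must hold a valid session, so the system knows who sent it.
        """
        sender = self._sessions.get(session)
        if sender is None:
            raise PermissionError("sender is not authenticated")
        if recipient not in self._users:
            raise ValueError("unknown recipient")
        message_id = secrets.token_urlsafe(16)
        self._messages[message_id] = StoredMessage(sender, recipient, body)
        # The notification carries no PHI: only that a message is waiting, plus a link.
        notification = f"A secure message is waiting for you. Open: {self.base_url}{message_id}"
        return notification, message_id

    def fetch(self, session, message_id):
        """Release the body only to the authenticated recipient it was addressed to."""
        user = self._sessions.get(session)
        if user is None:
            raise PermissionError("not authenticated")
        msg = self._messages.get(message_id)
        if msg is None or msg.recipient != user:
            # One error for "no such message" and "not yours": the link alone reveals nothing.
            raise PermissionError("no message available for this user")
        return msg.body


def notification_is_minimal(notification, body):
    """True when no word of the message body (4+ characters) appears in the notification."""
    words = {w.strip(".,:;!?'\"").lower() for w in body.split()}
    words = {w for w in words if len(w) >= 4}
    lowered = notification.lower()
    return not any(w in lowered for w in words)


if __name__ == "__main__":
    store = SecureMessageStore()
    store.register_user("dr_lee", "correct horse")       # constructed sample users
    store.register_user("dr_patel", "battery staple")
    lee = store.authenticate("dr_lee", "correct horse")
    note, mid = store.send(lee, "dr_patel", "Mrs. Smith's culture is positive")  # constructed PHI
    print(note)  # no patient name, no result: just the link
    patel = store.authenticate("dr_patel", "battery staple")
    print(store.fetch(patel, mid))
```

The two properties the article asks for are separated on purpose: `send` proves who the sender is (a valid session), and `fetch` proves who the receiver is (session user must equal the stored recipient), while `notification_is_minimal` is the check a reviewer can run to confirm that what actually reaches the handset contains none of the message content.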
Personal phones used by physicians also can pose problems, points out Evans. A facility-provided phone can be encrypted and contain protection such as passwords, but it is more difficult to get someone to allow a hospital to install software on a personal phone. "It is difficult to enforce encryption or other security measures when physicians or staff members are using personal phones," he admits. A facility "needs to develop good policies about the use of mobile devices and enforce them," Evans says. (See story on personal devices, below.)
The most important step to take is education, says Hunt. "Physicians and employees are so comfortable with text messaging, they don't think about security risks," he says. Explaining the risks of text messaging and encouraging vagueness in messaging are important now as communicating with text messages becomes more commonplace in the workplace.
"This is a good time to establish secure communication practices," he adds.
1. Pew Internet and American Life Project. Mobile Health: 2012. Web: http://pewinternet.org/Commentary/2012/February/Pew-Internet-Mobile.aspx.
2. Kuhlmann S, Ahlers-Schmidt CR, Steinberger E. Text Messaging As a Means of Communication Among Pediatric Hospitalists. Presented at American Academy of Pediatrics National Conference, October 2012. New Orleans, LA.
For more information about physician texting, contact:
- Jeffrey Evans, Co-Founder, TigerText, 1310 Montana Ave., Second Floor, Santa Monica, CA 90403. Telephone: (310) 401-1820, ext. 233. Email: firstname.lastname@example.org.
- Steve Hunt, CPP, CISSP, Director, Neohapsis Labs, 217 N. Jefferson St., Suite 200, Chicago, IL 60661. Telephone: (773) 269-6395. Fax: (773) 394-8314. Email: email@example.com.
BYOD policies address personal issues
Enforcement needs upfront collaboration
Smartphones, laptops, and tablets are everywhere. The convenience of mobile devices has made healthcare documentation, follow-up, and communication simpler and faster. Limiting access to electronic protected health information (EPHI) to healthcare facility-owned devices that are encrypted and contain security tools such as "remote wipe" is one way to enhance EPHI security, but the reality is that physicians and employees are using personal devices as well.
"It's not a surprise that people want to use the phones with which they are most comfortable," says Steve Wu, attorney and partner at Cooke, Kobrick and Wu in Silicon Valley, CA. In most cases, personal devices such as tablets or smartphones offer more functionality than facility-provided devices. "People also don't want to carry two different devices," he says.
The increasing use of personal devices for work-related communications makes it critical for healthcare organizations to develop Bring Your Own Device (BYOD) policies, says Wu. These policies differ from typical security policies related to the use of mobile devices. "A BYOD policy can be incorporated into other policies or developed as a separate policy, but it needs to address issues related to the device being owned by someone else," not the healthcare facility, Wu says.
The first step is to include all areas of the hospital in the policy development, especially the information technology (IT) department, he says. "Too many times, the IT department is handed a policy developed by others and told to find a way to implement it," he says. In the case of mobile devices, the challenge is that people already are using their devices, so policies need to reflect the reality of use and apply security measures that make sense, he says.
"Once representatives from legal, risk management, IT, and the privacy and security officers for the organization have developed a policy together, it is easier to implement," Wu says. Some facilities require employees who need to access EPHI to use only facility-issued devices, he says. Employees who are not accessing EPHI are allowed to use their own devices for general communication that does not involve sharing patient information.
Organizations that do allow employees to use personal devices to access patient information should require healthcare facility-provided encryption as well as mobile device management software on each device to mitigate EPHI loss, says Wu. Requiring the programs provided by the facility raises some issues when the device is owned by the employee, he points out. "One of the key security measures is software that will wipe all data off the device if it is lost or stolen," he says. "When someone is using their device for personal as well as work-related activities, this means all family photos or personal communication is also wiped clean." Making sure physicians and employees understand the ramifications of using their own phones, tablets, or laptops may make some decide not to use their own device.
If you do allow employees to use their own devices, be clear about whether using a personal device is an expectation. "Employees may ask the [facility] to pay for the cost of, or a portion of the cost of the device if they believe they are expected to use the device for work," says Wu.
The other issue that must be addressed by members of the IT staff is the type of mobile device platforms they want to support in the security program, says Wu. "Because different types of operating systems may require different security solutions, some IT departments may find it more effective to specify which platforms are supported," he says.
Beyond the issues of employees accessing EPHI from a personal device, be aware that the facility must also protect its own network, says Wu. "When people use their own devices, the network is exposed to 'shadow IT' or programs that are downloaded to the mobile device to enhance functionality," he says. These programs include Dropbox, iCloud, personal email programs, social media sites, and text messaging. "These programs increase the opportunity for malware to compromise the [facility] network when connected," Wu says. Limiting the types of mobile applications that can be downloaded to the device is one way to address the problem, he suggests. (For other mobile device management tips, see article on HHS guidance, below.)
Address employee termination in your BYOD policy as well, recommends Wu. "It's a simple process to discontinue access for an employee's password, but a [facility] must also be able to delete work-related EPHI on the personal device as well," he says. This means having a process in place to delete information before the employee leaves.
Education is an important step to take when implementing a BYOD policy. "Although employees will view the ability to use their own smartphone, laptop, or tablet as convenient, it's important they understand that the presence of EPHI or [facility]-related information on their device lessens their privacy," he says. "In the case of a breach or a lawsuit, the employee's device becomes evidence."
A BYOD policy is important for all healthcare organizations because people are using their personal devices, but physicians and employees need to understand all of the issues, says Wu. "The best security is separate mobile devices: one for personal use and one for work."
For more information about Bring Your Own Device policies, contact:
Security tips offered for mobile devices
Healthcare providers can find free tips and information about the secure use of mobile devices at a new website launched by the Department of Health and Human Services. The site describes risk assessments, offers guidance on development of policies and procedures, and offers educational materials for staff training.
Eleven tips for mobile device security identified and explained on the site are:
Go to www.HealthIT.gov/mobiledevices to access the information.