
Third-Party Messaging Apps Creating Greater HIPAA Security Risks

By: Nextech | November 16th, 2015

A recent study conducted and released by NetSfere Enterprise Messaging took a close look at how messaging apps are being used in today’s business world.  Some of the study’s findings regarding security practices are, unfortunately, rather disturbing.  Based on these findings, it would seem that many healthcare businesses and organizations who handle PHI (providers, practices, insurers, and payers alike) are playing HIPAA-Russian roulette when it comes to the use of mobile SMS/MMS tools.

Luckily, mobile messaging usage is still in the minority when it comes to the healthcare industry.  Only 22 percent of respondents in the study claimed mobile messaging as their most frequently used form of business communication (the vast majority, 65 percent, claimed to still use email most frequently and 60 percent said they still used email as their default communication tool).  Of those who claimed email and phone as their primary communication methods, security issues were cited as the number one concern they had with mobile messaging.  And for good reason. 

Very few SMS/MMS services are considered HIPAA compliant, which makes this next part all the more concerning.

52 percent of respondents in the study claimed to use SMS/MMS to communicate (in at least some capacity), including publicly available third-party apps such as GoogleChat, Facebook Messenger, and WhatsApp (which is insane, from a cybersecurity standpoint).

Frighteningly enough, only eight percent of respondents said that their companies expressly forbid using third-party messaging apps.  Another little nugget of terror is the fact that 42 percent of respondents claimed that they considered third-party messaging apps to be a secure method for business correspondence.

Cue the “Why would they think this?” face-palm in 3… 2… and 1.

I hate to be the one to break it to everyone, but third-party mobile messaging is probably one of the most vulnerable and least secure methods of electronic communication currently available. Just a few months back, an article in Fortune showed that most Android phones (that’s nearly 1 billion phones) could be hacked with just a single text message.  And don’t even get me started on the terrifying implications of SMS/MMS tools not having any sort of verification or authentication processes.  This means there is no way for you, as a sender, to verify that the intended recipient is in possession of the device to which information is being sent (not exactly the kind of thing you’d want to try explaining to an HHS rep when you find your practice being investigated for HIPAA violations, is it?).  Sending PHI via third-party SMS/MMS is just as much of a HIPAA “no-no” as choosing to leave a patient’s specific lab results on his/her home answering machine (yes, I know that no one under the age of 80 actually owns an answering machine anymore… but you still get my point).

Does this mean mobile messaging should just be abandoned altogether?  Of course not.  As with most technology, you just need to know how to use it properly.  There is nothing wrong with, for example, using an MMS/SMS tool that directs patients to a secure, HIPAA-compliant portal where they can view their PHI safely and securely.  Generic appointment reminders can also be sent out via mobile messaging without any problems, just as long as no specific PHI is included.  When it comes to internal messaging, such as between staff, the best option is to use a secure messaging system that is strictly for business use (for example, services such as Skype for Business or PinkNotes).
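One way to keep a practice on the right side of that rule is to make the "no specific PHI in the text" requirement a property of the code that sends reminders, rather than something each staff member has to remember. The following is an added example written for this post, not Nextech's code or any product's API: it renders a generic appointment reminder from a template that may only use an allowlisted set of placeholders, points the patient at a portal (the URL below is a placeholder, and the patient record and templates are constructed for illustration), and rejects any template or record value that would carry clinical detail over SMS.

```python
"""PHI-free appointment reminders for SMS: an added example, not Nextech's code.

Assumes a hypothetical practice whose patient portal lives at a placeholder URL;
the patient record and template strings below are constructed for illustration.
"""
from string import Formatter

# The only placeholders a reminder template may use. Anything outside this set
# (diagnosis, lab results, medications, identifiers...) never reaches the SMS body.
ALLOWED_FIELDS = frozenset({"first_name", "practice_name", "appt_date", "appt_time", "portal_url"})

# Record fields that are PHI and must be kept out of messages, even by accident.
PHI_FIELDS = frozenset({"diagnosis", "lab_result", "medication", "mrn", "dob"})

# Generic reminder: no clinical detail, just a pointer to the secure portal.
REMINDER_TEMPLATE = ("Hi {first_name}, reminder: your appointment with {practice_name} "
                     "is {appt_date} at {appt_time}. Details: {portal_url}")


class PHILeakError(ValueError):
    """Raised when a message would carry PHI over SMS/MMS."""


def template_fields(template: str) -> set[str]:
    """Return the placeholder names a str.format template references."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def compose_reminder(template: str, record: dict) -> str:
    """Render a reminder, refusing any template that references non-allowlisted fields."""
    fields = template_fields(template)
    disallowed = sorted(fields - ALLOWED_FIELDS)
    if disallowed:
        raise PHILeakError(f"template references non-allowlisted fields: {disallowed}")
    # Interpolate only the allowlisted fields, so extra PHI in the record is never used.
    body = template.format(**{name: record[name] for name in fields})
    # Defence in depth: a misfiled value (e.g. a diagnosis typed into a name field)
    # must not slip through just because the placeholder name was allowed.
    for name in sorted(PHI_FIELDS.intersection(record)):
        value = str(record[name])
        if value and value in body:
            raise PHILeakError(f"rendered message contains the value of PHI field {name!r}")
    return body


def is_rejected(template: str, record: dict) -> bool:
    """True if the guard refuses to render this template/record pair."""
    try:
        compose_reminder(template, record)
    except PHILeakError:
        return True
    return False


# Constructed sample record; the portal URL is a placeholder, not a real endpoint.
SAMPLE_RECORD = {
    "first_name": "Dana",
    "practice_name": "Example Eye Care",
    "appt_date": "Nov 20",
    "appt_time": "9:30 AM",
    "portal_url": "https://portal.example.invalid/r/abc123",
    "diagnosis": "Glaucoma",        # PHI: must never appear in an SMS
    "lab_result": "IOP 24 mmHg",    # PHI: must never appear in an SMS
}

# A template a well-meaning staff member might write; the guard rejects it.
UNSAFE_TEMPLATE = "Hi {first_name}, your {lab_result} result is ready. Diagnosis: {diagnosis}."


if __name__ == "__main__":
    print(compose_reminder(REMINDER_TEMPLATE, SAMPLE_RECORD))
    print("unsafe template rejected:", is_rejected(UNSAFE_TEMPLATE, SAMPLE_RECORD))
```

The allowlist is the important design choice: the guard does not try to recognise PHI by pattern-matching the text (which is unreliable), it simply refuses to interpolate anything that is not a generic scheduling field, and the portal link carries the patient to the place where the actual PHI is protected. The second check catches the case where a PHI value has been typed into an allowed field by mistake.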

As we have talked about many times in the past, PHI violations can get expensive… fast.  While using unsecured third-party mobile messaging tools is just a bad idea all around when it comes to business cybersecurity, doing so in healthcare could be incredibly costly.  A single violation for using unsecured electronic communication can result in a $50,000 fine, and repeated violations can add up to as much as $1.5 million in fines for a year.

So remember to be smart when using SMS/MMS in your practice, and be aware of when and how your staff members are using such tools for work purposes.  To find out more about what healthit.gov has to say on this topic, visit healthit.gov.