Mobile technology is transforming the way medical professionals coordinate care. The widespread adoption of BYOD (bring your own device) culture within healthcare organizations and the rise of mobile messaging specifically presents many benefits, but like any means of communication in the healthcare environment, mobile messaging carries its own set of unique risks.
In an industry as closely regulated as healthcare, where stringent HIPAA guidelines allow no margin for error, it is essential that organizations approach mobile messaging with the same degree of security-consciousness as they would any other form of IT. By failing to recognize the risks introduced by non-secure messaging applications, organizations increase the chances of sensitive data being lost or stolen, which could lead to significant fines and irreversible reputational damage.
By examining the good, the bad, and the ugly sides of mobile messaging in the healthcare setting, this article is intended to help decision makers assess the pros and cons of allowing mobile messaging within their own organization, and provide advice for ensuring that any information sent via a mobile device is done so securely.
The accessibility and familiarity of mobile messaging make it relatively easy to roll out across organizations, and the ability for two-way or group communication – something traditional paging systems do not typically support – helps streamline operational efficiencies and improve the exchange of health information between care teams.
In a recent observational study of approximately 11,500 patients at two Pennsylvania hospitals, it was found that patients whose care coordination was handled with secure messaging had a 14 percent reduction in length of stay, compared to those whose care coordination was managed with pagers. While this study is currently the only one of its kind, it demonstrates how mobile messaging goes way beyond simply easing the administrative burden put on physicians and care staff, it can genuinely help improve health outcomes.
Secure mobile messaging platforms can also help minimize errors. The Joint Commission estimates that 80 percent of serious medical errors involve miscommunication between caregivers when responsibility for patients is transferred, with inadequate systems largely to blame. These concerns are backed up by various studies, such as a study undertaken in Canada in 2009, which found that 14 percent of messages sent via pager were sent to the wrong physician. Secure mobile messaging platforms can help combat this problem by informing the sender when a message has been received and read.
Introducing mobile devices into the clinical workflow is not without risk. When it comes to mobile messaging specifically, sharing sensitive data such as protected health information (PHI) via non-secure applications can have serious repercussions, should it fall into the wrong hands – a single breach can carry a fine of up to $50,000 per vulnerability, per day that the breach goes unnoticed, while also exposing the guilty organization to civil charges by the affected patient or client.
To exacerbate the issue, PHI can take many different forms under HIPAA (18 to be precise), meaning anyone sharing health information needs to be extra vigilant when deciding what constitutes PHI and what does not. Even a seemingly innocent exchange between colleagues could cause problems if a message containing personally identifiable information were to be leaked.
Messages sent via non-secure applications carry a high level of risk because the information resides on the recipient’s device indefinitely, and can be accessed easily by anyone who gains access to that device. What’s more, after a message is sent, there is no way of telling whether that message has reached its intended destination, or who has read it.
The familiar and fleeting nature of text messaging as a means of communication makes it convenient, but that does not make it any less vulnerable to security threats.
In a recent study of over 1,800 healthcare professionals, it was found that more than three quarters use mobile messaging at work, yet when asked if policies existed within their organization relating to the use of mobile messaging specifically, over half answered ‘no’ or ‘not sure’.
What’s more, the same study revealed that of the 83 percent who have sent PHI to a patient or colleague via mobile message, 70 percent have done so using a non-secure application.
These findings point to two potential issues: Firstly, that for many healthcare providers the convenience of mobile messaging outweighs the potential risks, and secondly; that organizations are not doing enough to identify, assess and manage the use of mobile messaging amongst physicians and care staff.
For HIPAA covered entities, developing a robust policy that addresses the use of mobile messaging is crucial. The first step in this process should be establishing where PHI is created, received, maintained, and transmitted, and identifying the potential threats at every point within that chain.
To help mitigate the risks associated with mobile messaging, organizations should:
- Put a complete stop to mobile messaging until an official policy has been drawn up and communicated.
- Ensure all devices are protected through encryption and adequate passcode or PIN protection.
- Develop and communicate policies that clearly define who is authorized to send and receive clinical text messages, what those messages may or may not contain, security best practices, and steps that should be taken should a device be lost or stolen.
- Develop a statement of understanding that informs patients that they have the option to choose a preferred method of communication, and clearly explains the risks of communicating via a non-secure platform.
- Invest in a HIPAA-secure messaging platform to ensure all messaging activity is centralized and secure.
These steps should serve as a good starting point, however there is no ‘one size fits all’ solution when it comes to mobile messaging security. Organizations should carefully assess whether mobile messaging is an appropriate method of communication for their specific needs, and ensure comprehensive guidelines not only exist, but that they are also understood, and adhered to by all employees.