Can mobile messaging be a secure platform for physicians?

During my last visit to the dentist, my dental hygienist lamented to me that whenever she has young children in her chair, she can barely make eye contact with them or engage them in conversation because of their constant texting. I’m lucky in that my hygienist is a real chatterbox, so we spent five minutes or so having a very one-sided conversation (typical for a dental appointment, I assume) about how technology like texting — and the fact that nearly everyone has the capability on their phones — is affecting people’s social skills.

One part of our population that isn’t taking advantage of this technology to the degree that they should be is physicians, which strikes me as terribly behind the times. If kids — current patients and future healthcare workers — today are texting as a primary form of communication, they will expect to be able to do so professionally in the very near future.

Now as we’ve all been made aware, non-secure texting between providers leaves information within those exchanges wide open during a potential breach of private health information. And HIPAA concerns abound. We’ve also heard stories of providers that disregard these concerns, texting private patient health information to colleagues on unsecured devices because it is the quickest way to get that information from point A to point B.

So, like most things in healthcare, it seems we’re going to need vendors to step up to the plate and offer a solution that providers will embrace, and we’ll need those same providers to develop protective strategies around use of such devices. I decided to poke around and see if there was anyone doing this right now, and came across a company called TigerText — a company that provides secure, HIPAA-compliant, mobile messaging.

I chatted via email with Jeffrey Evans and Brad Brooks to learn more about the technology, and the future of texting in healthcare.

Many healthcare organizations admit they do nothing to protect data on mobile devices, and even fewer use encryption. Why do you think this is? Was the technology not available before now? Were there too many types of devices? Did hospitals just have bigger priorities?

JE and BB: The shift from storing and transmitting health information data within the controlled confines of an office or hospital-based paper system to an electronic, digital data-to-mobile device system happened very quickly, so hospitals are behind the curve when it comes to properly securing the flow of this information.
When you think about how quickly this shift occurred, it’s useful to think in terms of the smartphone. Even three years ago, people weren’t constantly connected. People, especially physicians, weren’t texting all the time as a form of transmitting information, and they weren’t walking around with mini computers at the touch of a hand like they are today. Hospitals need to figure out a way to use this connectivity to benefit patients and improve overall care, but they also need to control it simultaneously. This shift happened so quickly, that many healthcare organizations simply buried their head in the sands, and resigned on finding a solution, which is why you see such high numbers in terms of failing to secure these devices.

Can you give me an example of a legal case that resulted from non-secure texting between providers?  What impact did it have on their facility and patient(s)?

JE and BB: We aren’t aware of any lawsuits based on non-secure texting, but HIPAA violations, which can carry civil penalties, are happening all the time: Breaches of protected health information (PHI) increased 525 percent in 2011, and 39 percent of PHI breaches have come on laptops and other mobile devices since 2009, according to a recent analysis of federal data.
Breaches from mobile devices are likely to increase rapidly as more and more organizations adopt a bring-your-own-device approach to smartphones and tablets. Hospitals also risk their accreditation status with the Joint Commission, which announced last fall that transmitting PHI over unsecured texting channels was “not acceptable.” Additionally, the Department of Health and Human Services is now auditing mobile device compliance in its latest round of HIPAA audits that began this quarter.