A new survey finds that health systems can follow all the rules for protecting patient data in mHealth messaging platforms, but that won’t work if their employees have a cavalier attitude toward security.
About half of healthcare providers recently surveyed by Scrypt on their mHealth security habits aren’t confident that health information sent by text message is secure. Yet 83 percent said they’ve sent or received patient information that way – and 70 percent said they knowingly use a non-secure app.
“We understand the challenges healthcare providers face when it comes to managing and exchanging PHI,” Scrypt CEO Aleks Szymanski said in remarks accompanying the October 2016 survey. “In an industry as closely regulated as healthcare, where the margin for error is minimal, it is essential that organizations invest not only in the best HIPAA-secure technology, but also in instilling a culture of security through appropriate training and education.”
For its survey, the Austin-based company interviewed some 1,800 healthcare professionals about their mobile habits. It found that 62 percent use a mobile device at work – and of those who do, 65 percent use the same device outside the workplace.
When asked if their organization has a text messaging policy in place, only about half – 48 percent – said yes, while another 21 percent said they weren’t sure and 31 percent said nothing specific to text messaging was on the books.
“The fact that fewer than half of respondents confess to their organization having any specific text messaging policies in place is concerning,” the report states. “Messages sent via non-secure applications carry a high level of risk because they reside on a device indefinitely, and can be accessed easily by anyone who gains access to that device. Every healthcare organization must decide whether it will allow the use of text messaging, and if so should implement stringent policies which clearly define safe usage.”
The results of two specific survey questions point to a concern that health system employees may not understand the risks. About half of those surveyed said they were moderately or very confident that health information sent or received via text message is secure. Yet 80 percent rated their knowledge of HIPAA compliance as “good” or “very good.”
According to the survey, only 11 percent know they’re using a secure messaging solution, while 28 percent say they use whatever messaging client comes with the device. And of those using a secure messaging app, more than 60 percent also use at least one non-secure app – such as iMessage, Skype, Facebook Messenger or WhatsApp.
“Non-secure applications carry risks because there is no guarantee that sent information will arrive at the intended destination uncompromised, or at all,” the report notes. “The fact that some respondents use up to six different messaging applications only complicates matters further.”
Scrypt also noted a pervasive use of “shadow IT” – or the use of software and applications that are managed outside the healthcare setting. A 2015 survey, in fact, indicated that more than 85 percent of cloud applications used in the U.S. were unsanctioned, or originated outside the enterprise, and that 85 percent of those applications were risky.
“The fact that half of respondents claim to have free rein over the applications they download at work is a worrying statistic,” Scrypt indicated in its report. “Employees themselves rarely have the knowledge to make sound judgement (sic) on whether … an application complies with internal security and compliance policies, let alone HIPAA more generally, so the onus is on employers to extinguish the use of non-secure applications in the workplace through clearly communicated policies.”
While the survey doesn’t break new ground in identifying why healthcare providers have issues with protecting patient data, it does highlight the fact that administration and employees share the same responsibilities for ensuring privacy and security. And while 56 percent of those surveyed said their organization could do more to educate employees on HIPAA guidance, 98 percent rated their own knowledge of HIPAA as average to very good.
“So long as people make up part of the security equation, they remain one of the biggest vulnerabilities,” the Scrypt report concluded. “When it comes to text messaging specifically, it is critical that organizations identify the risks and develop policies which serve to ensure all inbound and outbound communications remain secure.”
To that end, the report offered five steps to better mHealth messaging security:
- Stop all text messaging now until risk reduction policies are in place;
- Encrypt all devices, regardless of whether they can be used for texting;
- Implement a policy and make sure everyone knows what it is;
- Develop a written statement of understanding that is communicated to both providers and patients; and
- Use a secure messaging platform.