Risky Business: Consumer Apps Put PHI in Jeopardy

Consumer messaging applications have become ubiquitous in everyday society. Their intuitive nature, simplicity, and instant messaging capabilities have caught on quickly, and their use is now second nature among most smartphone users. As popular as these apps are, there is a dark side: when they are used in the healthcare enterprise, governance, risk, and compliance get thrown out with the bathwater.

Protected health information (PHI) is not secure in transit or at rest on the device. A quick review of the terms and conditions of consumer messaging applications immediately shows that the information sent using these solutions is not protected. So, patient identifiable information should never be shared using these consumer-based messaging applications. But it is very probable that some of your staff are relying on these technologies within your organization today: a 2015 study of over 2,000 physicians from five hospital sites found that 65 percent had sent PHI via insecure SMS and 33 percent had used consumer messaging applications like WhatsApp®.

The challenge is simple: healthcare professionals are mobile, and they need to communicate quickly and efficiently to improve care coordination and patient outcomes. But the risks of using third-party consumer applications in healthcare are significant. So healthcare organizations have to ensure staff can leverage the functionality and usability of messaging applications while keeping PHI safe.

So, is there a solution?

The good news is yes: There are secure text messaging applications available today that are designed to keep PHI safe while improving communications in healthcare organizations. But the longer answer is a little more complex. There are several areas an organization must assess to ensure that a messaging application is appropriate for the information being shared.

  1. Is the information protected, and who owns that data? The best way to minimize risk is to keep protected information on the corporate network at all times and not allow the data to reside on the user’s device unless it is encrypted. Bring your own device (BYOD) and mobile device management (MDM) solutions provide some control of the device itself, but not at the message level. It is essential to have remote wipe capabilities so messages can be removed easily if a device is lost or stolen.
  2. Is the application intuitive? Requiring hours of user training will reduce adoption rates significantly. Organizations must select a secure text messaging application that is easy to use, and similar to the consumer messaging applications that users rely on in their personal lives.
  3. Do you have organizational control of the application? Consumer applications available on smartphones are outside the control of the corporate administration. A centrally managed application, hosted on premises or across a private WAN or private cloud, allows the organization to safely implement compliance and governance.
  4. Has your organization evaluated the integration of the secure text messaging app into other clinical systems and directories? If you have a vision to provide high quality care in a mobile environment, then the messaging application should integrate with electronic health record (EHR) systems, on-call schedules, and directories in order to support clinical workflows. It should also support clinical alerting and enable secure alerts from patient monitoring and nurse call systems to be sent to clinicians’ smartphones. All of these capabilities help your organization provide higher quality care and increase staff efficiency because the secure text messaging app becomes much more than a simple communication tool.
  5. Do the applications provide a transparent audit trail? Communication breakdowns and miscommunications can occur no matter what technology is in place. It is important that your organization be able to determine where and when any breakdowns are occurring.

In short, fast messaging capabilities can enhance communication efficiency in healthcare environments, and users will continue to rely on them. But it is vital that healthcare organizations provide a safe, secure alternative to unmanaged consumer app options. Your staff—and your patients—need technology that is built for the healthcare enterprise and provides far greater security and protection than simply sending a message.