10 practical ways to keep text messaging in your hospital safe and secure 

Technology is only as effective as the security measures that support it 

What comes to mind when you think about security? Locks, alarms, uniformed guards, or a wireless home monitoring system? When most of us think about security, we tend to consider “physical security” – or the protection of a building and the “stuff” (property and equipment) therein. If you work in health IT, your consideration of security is much broader. IT teams must consider precautions far beyond these countermeasures when trying to secure IT systems and applications.   

Have you established policies that define and govern security practices? 

IT departments must establish comprehensive security policies to ensure intended outcomes. This is particularly important in healthcare environments, where the security and efficiency of security practices can be critical to patient care and safety.  

For instance, workflows that support the use of secure messaging can substantially increase communication efficiency and security—yet they can do quite the opposite if the security practices in place aren’t carefully developed and governed.  

“Before implementing secure messaging, IT leaders, clinical leaders, security officials, legal teams, and human resources teams should work together to develop policies to help ensure that all people, processes, and technology involved will be effective and secure.” 

Let’s explore ten key policies and procedures that hospitals should consider when implementing a secure messaging application. 

1. Eligibility  

Define which users are eligible to access the secure messaging solution, and on what devices. From patient floors to the lab to transport, who uses secure pagers, Wi-Fi phones, smartphones, or other devices? 

 2. Expense allocation 

Who pays for what? Do you allow only hospital-issued devices? Are you a BYOD facility? Are both methods used for different departments or positions? Answers to these questions will help determine who will pay for the hardware, cellular plans, and data, whether that means individuals, departments, or other groups.  

3. User roles and responsibilities 

Define what users are responsible for regarding usage and maintenance of the technology. Establish your policy for lost devices. Consider details such as what someone should do if a device is lost or forgotten at home. Does your facility provide spares? Can you forward messages to a pager or another device to ensure shift coverage? Is the employee financially responsible for anything if the device is owned by the hospital?  

In addition, you will need to decide if there will be penalties for failing to install and use the new secure messaging app. If so, plan in detail what these penalties will be, who is tasked with enforcing them, and how penalties will be applied. 

4. Security and feature management 

Define how data shared within secure messages will be secured in transit and at rest. This will likely include using mobile device management (MDM) for enforcing passcodes, device encryption, and restrictions. 

Also, which systems and applications will end users need to access? Examples may include drug references, directory lookup, on-call information, the EHR, and alerts from clinical systems. 

5. IT support 

Define what devices, networks, services, and features IT will support and what is out of scope. 

6. Consumer application usage 

Define whether or not users are allowed to use other consumer messaging apps (iMessage®, WhatsApp®) in any workflows, or whether they will be prohibited. 

7. Texting orders 

Define whether staff can use secure messaging to text orders.

8. Screenshots 

Create a procedure to prohibit screenshots of secure messages. (Note: Most secure solutions natively prevent copy/paste, but they cannot prevent screenshots without an MDM solution.)

9. Dictation 

Create a procedure to prohibit the use of keyboard dictation for any messages containing protected health information (PHI.) (Note: If your secure solution uses the native keyboard, this is not a HIPAA-compliant workflow.) 

10. Attachments 

Create a procedure to prevent the ability to attach images or videos that contain PHI from the device’s camera roll. Instead, make it so users must add attachments from the camera within the app when including PHI. Pictures in the camera roll can be unencrypted and unprotected if they aren’t managed by an MDM solution. 

How can you learn more?   

  • Download the step-by-step guide for rolling out a secure messaging app here  
  • Read this article about the 5 common HIPAA violations in mobile communications here  
  • If you’d like to learn more about how Spok can help advance your contact center, please talk to us  

Join the Spok blog and stay informed on the latest updates in clinical communications.

Related Blogs