Secure Communications in Healthcare: Do You Know All Your Options?
From the debate over smartphones to ongoing concerns about corporate data breaches, information security touches everyone from government officials to corporate CEOs to consumers. But it’s an especially important concern when it comes to healthcare. The sensitive nature of personal health information along with the imperative for easy, constant—and mobile—communication among healthcare professionals and organizations presents a unique challenge for the industry. Add in healthcare information privacy laws and other regulations, and things get even more complex.
Strategies for keeping data as secure as possible need to be a top priority for healthcare professionals. Healthcare data breaches have been steadily increasing in frequency and severity since 2010, according to HealthITSecurity.[1] Breaches can be damaging in many ways, impacting patient care as well as the bottom line. An annual study by the Ponemon Institute and ID Experts found that the average cost of a data breach for a healthcare provider is around $2.2 million and $1 million for a business associate. Overall, healthcare data breaches have cost the industry about $6.2 billion.[2]
Those surveyed for the study attributed the rise in healthcare data breaches to “the sensitivity of health-related information and the large number of ‘data touch’ points, such as different healthcare employees or third parties accessing patient information.” The study revealed that almost 70 percent of providers believe that the healthcare industry is at a greater risk for data security incidents than any other industry.[3]
So how can sensitive patient data be protected in such an environment? A key aspect of data security is encryption. Used in concert with administrative policies addressing authentication, data retention and HIPAA business associate agreements, encryption can be a powerful tool for shielding data. But what exactly is it, and how can it be implemented at your organization?
What is Encryption?
According to the National Institute of Standards and Technology, encryption is the “conversion of plaintext to ciphertext through the use of a cryptographic algorithm.”[4] The process involves “combining the contents of a message ('plaintext') with a secret password (the encryption 'key') in such a way that scrambles the content into a totally new form ('ciphertext') that is unintelligible to unauthorized users.”[5]
What Does it Mean to Be HIPAA Compliant?
The challenge for healthcare organizations is that although many of the popular messaging apps and services that consumers regularly use do offer encryption, they do not meet the interoperability and flexibility needs—or the strict standards—of the healthcare environment. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that put in place rules about “who can look at, receive, and use patients’ health information as well as measures that protect the confidentiality, integrity, and security of the information.”[6]
Included is the HIPAA Security Rule, which sets national standards “for the security of electronic health information.”[7] A major goal of this rule is to “protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”[8]
Complying with these regulations can be challenging. Many organizations don’t have a standard policy and administrative guidelines to govern messaging services or approved devices, and many clinicians aren’t aware that their consumer messaging services don’t offer appropriate safeguards. To make things even more complicated, workflows are increasingly based on communication among a mobile care team exchanging protected health information (PHI) such as prescriptions, images, test results and more. The average consumer app isn’t designed to interoperate with clinical directories and databases and still maintain the appropriate level of information security.
Your Options for Encrypted Communications
Communication solutions designed for the healthcare environment can bridge the security and integration gaps: They can integrate with other solutions and third-party applications, permeating and enhancing clinical workflows. Intended for use in a clinical environment, they are designed to meet the technical and administrative standards required to comply with HIPAA. These systems are created to integrate seamlessly with current operations on any type of device or combination of devices.
Secure Texting Apps on Smartphones and Tablets
Smartphone apps specifically designed for the healthcare environment should allow users to communicate securely with any type of mobile device in your organization’s directory—and only a few can truly accomplish this. These secure text messaging apps deliver fast, accurate, HIPAA-compliant communications inside and beyond hospital walls.
Secure texting allows physicians and nurses to use their personal mobile devices to communicate and collaborate in real time with key care team members over a secure network. This enhances clinical workflows and maintains patient privacy while improving your organization’s overall care and safety. The best apps provide solutions that are intuitive, enabling users to link to a powerful communications platform. You should make sure you can access your hospital’s full directory of accurate contact information; send secure text messages, images, and videos to smartphones and other devices; and ensure critical communications are logged—all with security, traceability, and reliability in mind. Having a mobile API can also establish interoperability with third-party mobile applications, enabling secure patient discussions via an electronic health record (EHR) app, communication with proprietary hospital apps, and access to content on a cloud-based drive.
Secure Messaging on Wi-Fi Phones
Many hospitals rely on Wi-Fi phones for nurses and other roles that don’t require the full functionality of a smartphone or tablet. There are secure texting apps designed to be deployed on Wi-Fi phones as well as smartphones, enabling seamless—and encrypted—communication among all devices. Because of their integration with a hospital’s phone network, Wi-Fi phones can serve as clinical workflow tools, allowing, for example, a mobile nurse to communicate with a patient in their room.
Many leading hospitals today seek to integrate pagers into their workflows and secure communications along with smartphones for maximum benefit and coverage. A lot of hospital IT teams don't realize that some pagers now offer an important advantage previously only available on smartphones equipped with a secure texting app: encrypted communications.
Encrypted pagers like the T5 and T52 from Spok® can provide a secure communication option that is also highly reliable even when cellular and Wi-Fi coverage is spotty. This means PHI can be shared among staff on pagers and smartphones seamlessly to meet industry guidelines for sharing sensitive information. There are pagers available that support message encryption using the industry standard AES-128* encryption algorithm. The devices are programmed with a unique key, and messages are encrypted as they enter the network and travel over the air to the device where they are decrypted for display to the user.
*Advanced Encryption Standard (AES) algorithm, 128-bit key
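The per-device keying and encrypt-at-network-entry flow described above, modelled in Go as an added example (not Spok's code and not the pagers' actual over-the-air protocol): a gateway holds one AES-128 key per pager, seals each message as it enters the network, and the pager opens the frame with its own programmed key. The use of GCM mode, the binding of the device ID as associated data, the frame layout and the sample keys are assumptions of this example; the page names only AES-128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Per-device keys as the gateway holds them (constructed sample keys, not real provisioning data).
var deviceKeys = map[string][]byte{
	"pager-A": []byte("0123456789abcdef"), // 16 bytes = AES-128
	"pager-B": []byte("fedcba9876543210"),
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForDevice models the gateway sealing a message as it enters the network;
// the destination ID is bound as associated data so other pagers reject the frame.
func EncryptForDevice(deviceID string, msg []byte) ([]byte, error) {
	key, ok := deviceKeys[deviceID]
	if !ok {
		return nil, errors.New("unknown device: " + deviceID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, []byte(deviceID)), nil // frame = nonce || ct || tag
}

// DecryptOnDevice models the pager opening a frame with its programmed key;
// a wrong key, wrong device ID or any modified bit fails authentication.
func DecryptOnDevice(deviceID string, key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(frame) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated frame")
	}
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], []byte(deviceID))
}
```

The GCM tag is what turns a bare AES-128 stream into something a receiving pager can reject when a frame is altered or addressed to another device; plain confidentiality alone would not detect that.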
Workflow Example - Nurse Call Pain Request
1. Patient hits nurse call
2. Alert received on mobile device
3. Nurse messages doctor
4. Patient quickly gets meds
The healthcare environment is complex and constantly changing, but technology exists that can assist with security and communication challenges. Specially designed apps offer secure interoperability with virtually all communication output devices. Whether your organization uses in-building wireless phones, LED signs, voice communication badges, pagers, smartphones, or even all of them in the same facility, there are ways to send staff alarms and updates on the appropriate devices at all times.
Encryption, accompanied by the right administrative policies and standards, can and should be employed by healthcare organizations as they work to safeguard their patients’ sensitive data. Implementing security standards around communication doesn’t need to interfere with the important work of medical professionals. It can be a seamless enhancement to top-notch patient care.