March 2015
Keep Text Messaging Secure
By Nathan Collier
For The Record
Vol. 27 No. 3 P. 25
Text messaging has become one of the most widely used forms of communication. This is likely due to how easy and quick it is to send a text. Even if someone is too busy to answer a call, rarely are they too preoccupied to check a text message. Listening to a voice message or returning a notice from a pager can also be time consuming compared with sending a text. For these reasons, many health care professionals are using text messaging to increase efficiency.
Issues With SMS
Although text messaging can be fast and easy, the most common format of texting, short message service (SMS), is not sufficiently secure for a health care environment. SMS text messages, which are sent and stored on servers in plain text, can be intercepted during transit. Moreover, it's possible for SMS messages to be sent to the wrong number. And when messages reach the correct number, there is no notification from the recipient as to whether the message was read or even received.
Once an SMS message is sent, it is saved indefinitely on the recipient's phone with no way of recalling the text. SMS messages can remain in a phone for months or years. If a phone is lost, stolen, sold, or donated without erasing those SMS messages, it can become a security nightmare. For this reason, The Joint Commission forbids the use of SMS for the transmission of electronic protected health information under HIPAA regulations. Violators can expect harsh penalties, including a fine as high as $50,000, not to mention damage to their reputation.
Assessing a Secure Text Messaging App
Instead of banning all forms of text messaging, The Joint Commission, under the Administrative Simplification provisions, set guidelines for securing communication systems. These guidelines specify four major areas of compliance: secure data centers, encryption of data both at rest and in transit, recipient authentication, and auditing controls. When selecting a secure text messaging app, also consider its ease of use and ability to remotely wipe or erase an account if the phone is lost or stolen.
If a health care organization is using a secure text messaging app for internal use only, it can be a safe and efficient way to communicate. But when the communication form is used outside the facility, more caution must be taken. For example, organizations must ensure their contact list is accurate to prevent texts from being sent to wrong numbers.
External Text Messaging
Organizations must determine the extent to which they want to utilize text messaging. On a basic level, text messaging is used to send appointment reminders, notify patients of available test results, and answer rudimentary medical questions. Should an organization elect to accept patient queries, it should keep in mind the following questions:
• Are texts that answer medical questions billable?
• What time of day would be appropriate to receive text message questions?
• What if patients are OK with texting, but refuse to come into the office?
Deeper Analysis
Security is only as strong as its weakest link. No matter how secure the data center, in order for users to access the sensitive information stored on its servers, an account containing a username and password must be created. Because consumers manage various Internet accounts, it's easy for them to choose simplicity over security when creating usernames and passwords. To avoid having to commit usernames and passwords to memory, some consumers will opt to save the information either as an auto-fill or in plain text on a notepad application.
If a device is lost or stolen without being locked, there is a chance it can be compromised. Even if the secure messaging app is capable of wiping the account, the wipe can't be activated until the loss or theft is reported. Internally, hospital leadership can set policies and procedures to lower these risks, but externally, it's more difficult to get a handle on risks.
It's also important to consider mobile malware, which has grown exponentially in the past few years. The potential for a malicious app that can steal account credentials is a legitimate security concern. Having a free antimalware scanner on mobile devices helps lower the risk.
Weigh the Risks
A secure text messaging app can help eliminate inefficiencies on the care continuum and improve patient engagement. TigerText, ArmorText, Doc Halo, and Sprint Enterprise Messenger – Secure are a few of the market leaders helping reshape how patients and physicians communicate.
Examine their features and weigh the potential risks to properly assess whether text messaging is the right fit for your organization. Also decide how to employ text messaging and establish guidelines for its use. Taking these steps will improve the initiative's chances to succeed without sacrificing security.
— Nathan Collier is a senior malware intelligence analyst at Malwarebytes (www.malwarebytes.org) with more than 10 years of experience in IT.