
Texting in Healthcare? Best be Secure.

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share it with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third party eavesdrops on or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017, CMS released clarification on text messaging. The highlights:

- Texting is permissible between care team members if accomplished through a secure platform.
- Texting of orders: prohibited.
- Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

- Assess your organization’s usage and level of risk.
- Stop using unsecure text messaging for patient-related communications.
- Establish a policy to govern the use of text messaging and update your mobile device policy.
- Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting altogether.
- Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record.
- Educate your patients about secure messaging available on your patient portal.

For more information, contact me.
