Patient data is at the core of any digitised healthcare system. Through it, researchers and doctors can develop a deeper understanding of causes and risks in certain conditions, improve treatments, and develop new ways to prevent disease.
But if medical records fall into the wrong hands, they can be used for identity fraud or to jeopardize patient security in myriad other ways.
Modern-day patients are looking forward to mobile solutions: more than half of all US physicians already offer in-app appointment bookings, and more often than not, these apps feature messaging functionality.
In a 2017 Patient-Provider Relationship Study, the majority of participants indicated a preference for mobile-based channels of communication with doctors. Already in 2014, 57 per cent of physicians electronically shared health information with patients and 26 per cent shared data with other providers.
Besides messaging programs connecting patients and doctors, there are channels for physician-to-physician communication and data exchange between doctors and labs. In each case, the issue of protecting valuable data is a stumbling block.
We have an in-depth understanding of these issues. MadAppGang have worked on several health applications including Secure My Health, a prescription tracking app. We also developed Strongbox, a chat app and an SDK that delivers a securely encrypted communication system.
With intensive digitalisation and the adoption of electronic health records – promoted at the national level, for instance, by the US HITECH Act – the question of security looms large. Let’s reveal what secure messaging in healthcare is and how mobile messaging is handled in current solutions.
Firstly, any medical app, whether it has a messaging feature or not, is subject to governmental regulations. We described major regulatory practices in the USA, Australia, and Europe in our post on healthcare app compliance.
Regulatory bodies set the framework of what can be defined as patient information and secure messaging. For example, HIPAA encryption requirements specify how data transmission is managed in compliant messaging platforms.
In the US, the Centers for Medicare & Medicaid Services (CMS) set new standards for healthcare messaging in 2017. According to CMS, patient data exchange between healthcare professionals is permissible only through a secure platform, while texting medical reports is prohibited regardless of platform. It’s also advised to use Computerized Provider Order Entry (CPOE) systems to enter and send treatment instructions.
In Australia, the Australian Digital Health Agency has a Secure Messaging Program dedicated to provider-to-provider messaging. The program aims at the creation of implementable and interoperable solutions for document exchange and clinical workflow management.
There’s another challenge when addressing security risks: if a healthcare institution has a secure messaging program, it doesn’t guarantee that every worker will adopt it and abandon less secure practices.
There’s a myth that prohibiting personal device use will ensure secure messaging, but the fact is that BYOD is a part of healthcare that’s unlikely to change. This is why any secure healthcare messaging app should have specific protection measures while displaying and storing any information on a device.
A regulatory requirement stipulates the ability to remotely delete messages with sensitive information from a device. The system should work in such a way that if a hospital employee resigns or has their phone lost or stolen, all messages containing protected health information should be erased, leaving the rest of the data in place. There are two options for that: use the platform’s own instruments (like Find My on Apple devices) or implement the Sesame algorithm. With remote access to all devices involved in communication, companies can mark stolen devices in the system and they won’t be able to send or receive any data.
There are common practices that ensure the security of messaging applications:
Previously, data exchange between healthcare workers and patients was performed via pagers, fax machines, and hospital pages. These technologies are inconvenient and mostly obsolete. Modern healthcare facilities are striving for intuitive and secure data transmission.
Let’s see which technologies are currently used for messaging and which are the most secure.
Emails and SMSs, though still used in the industry, are recognised as unsafe and vulnerable to data leakage. They allow unauthorised access to information, and such messages can be intercepted if devices are connected to unsecured networks or accessed on a lost device.
What is required for a HIPAA compliant email? Monitoring how personal health information is communicated and protecting it from unauthorised access.
Instant messaging offers the obvious benefit of speed and is widely used by healthcare professionals. A record 97 per cent of respondents in a 2017 survey admitted sending patient information on WhatsApp.
Instant messaging programs are not a safe choice for a number of reasons: messages can be intercepted over unsecured Wi-Fi networks, information can be vulnerable because of BYOD policies, and there’s no clear ownership of the data people exchange via such messengers.
Regulatory bodies don’t forbid emails, SMS, and other instant messaging services but they set certain rules: assign a unique login username and PIN for each user, prevent unauthorized access with an automatic logoff feature, and encrypt data attachments. Fines for violating security measures can reach up to $1.5 million.
Even though these communication means are permitted under certain regulations, regulatory authorities recommend applying secure messaging systems instead of SMS, email, or IM.
Making a mobile app specifically for provider communication or implementing messaging into healthcare apps is the most secure and efficient way forward. Moreover, a custom app can be integrated into identity management systems for employees such as ActiveDirectory or Okta, which simplifies control over access to data.
Even if popular third-party messengers provided top-quality encryption, it’s still better to have separate secure messaging solutions for healthcare.
There are several medical data types (basic patient information and lab results) which should be seamlessly integrated into a healthcare app. For doctor-patient applications, it’s a good idea to implement messaging and scheduling, while an app for a specific hospital should probably have a feed with important news, a map of the facility and so on.
We described the essential features of different medical solutions in our post on healthcare app development. Here’s what a healthcare chat app should have:
There are several ready-to-use chat solutions like Firebase, Layer, or PubNub. However, they are a bad choice for secure healthcare messaging apps for the following reasons:
MadAppGang developed Strongbox, a highly secure team messenger. In Strongbox, we used Signal, which has the following benefits:
There are many messaging platforms developed for healthcare teams. Here are some examples:
While these solutions are helpful in terms of streamlining communication workflows and protecting patient data, the market is segmented and data interoperability remains a pressing issue.
Interoperability means healthcare workers that use different messaging platforms can't interpret data from one another. A cycle of treatment can require one patient to visit several professionals, which makes it crucial to have a unified data exchange channel.
Healthcare facilities need to adopt interoperability in tandem with secure messaging.
Since healthcare requires multiple interactions on a daily basis, and some with pressing time concerns, secure messaging is fundamental.
To prevent medical data from being stolen and used for the wrong purpose, healthcare providers should implement messaging solutions strictly compliant with national regulations and test regularly for potential breaches.
It’s essential that patient data is protected but healthcare cybersecurity measures shouldn’t affect the workforce’s efficiency. Messaging platforms and apps have to be helpful. They need to improve clinical decisions not generate delays and communication inconsistencies.
Several studies have shown that patients benefit from patient-to-physician communication tools. Patients engaged in ongoing communication with doctors were more involved in their care and more likely to remain healthy.
Secure messaging has an important role to play in today’s healthcare industry, so long as the messenger is built with a full awareness of industry demands and the inherent vulnerabilities in existing systems.
If you're looking at building a secure, compliant messaging platform, talk to our experts today.
10 February 2020 secure messaging