
Encryption and Healthcare Mobile Messaging


What’s so hard about the encryption of healthcare mobile messaging?

Last week, I came across an interesting article on encryption and healthcare mobile messaging. The article pointed out the need for mobile device security when practitioners exchange PHI. Apparently, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued an important reminder to healthcare on the need to mitigate risks surrounding the use of mobile devices. According to the article, OCR stresses that:

mobile devices should be included in an organization’s enterprise-wide risk analysis and that organizations implement security measures to reduce identified risks to a reasonable and appropriate level, as required by the Health Insurance Portability and Accountability Act (HIPAA) rules.

While it is obviously the OCR’s purview to issue statements on encryption in healthcare and mobile messaging, the issue remains that many physicians will continue to struggle with achieving this goal. Why is this the case? The reason for the struggle is that practitioners use non-secure, non-encrypted messaging platforms in healthcare to exchange information. As such, exchanging ePHI on non-secure platforms quickly follows. For secure exchange of ePHI, hospitals and clinics must embrace secure messaging platforms. One cannot exist without the other.

Why healthcare secure messaging is challenging

In part, secure messaging is challenging for healthcare professionals because practitioners often prefer to use a mixture of pagers, SMS, Facebook, GChat or WhatsApp to communicate with one another. Additionally, even though WhatsApp now has end-to-end encryption, it still lacks the access control needed to make it truly appropriate for healthcare. Without access control, anyone with the smartphone password can access information on the application.

Additionally, even if practitioners try to increase security by omitting patient names from exchanges, they still run the risk of violating HIPAA. For example, in one well-publicized case, nurses began using Facebook to provide shift change updates to their coworkers. They did not use patient names, but they did post enough specifics about patients so that incoming nurses could prepare for their shift.

Disclosures were made with the best of intentions, but obviously violated HIPAA constraints. Omitting a patient’s name does not guarantee that the person cannot be identified. The conclusion that arises here is that under no circumstances should practitioners exchange PHI through non-secure methods of communication.

Another issue that makes secure messaging challenging through traditional smartphone applications is that the information cannot be wiped. In healthcare, users often face the risk of loss and theft of their device. The stolen information is then often sold on the black market where it is very valuable.

Secure messaging applications – a modest proposal

Healthcare should not think that the solution to insecure messaging is the banning of smartphones. Indeed, doctors and nurses have their devices almost surgically attached. Banning would only be counterproductive and decrease productivity. Instead, the first critical step in switching healthcare’s mindset is to encourage adequate training.

Training needs to start at the top of the healthcare facility food chain. Physicians aren’t the only ones who need training. Directors and administrators need training as well. In this training, employees should learn about appropriate clinical secure messaging applications they can use. OnPage, for example, provides a smartphone application which allows practitioners and administrators to exchange attachments, ePHI and text messages in a secure manner that keeps individuals HIPAA compliant.

Additionally, all users of secure messaging applications need to learn the steps of what they should do if they lose their smartphones. Individuals need to feel guilt-free about reporting this to appropriate administrators so they can have their app wiped, thus inhibiting the theft of any patient information stored on the messaging app.

Additionally, healthcare facilities need to impress upon practitioners that facilities can face significant financial and regulatory repercussions if hospitals violate HIPAA regulations by not adequately protecting patient information. Patients have been shown to be wary of visiting hospitals that have experienced HIPAA violations.

Finally, institutions need to make the switch to a secure clinical communications platform seamless and easy. Transitioning to a secure messaging application should require minimal effort. As such, sign on and sign off should be easy. The onus of security should be on the app. Patient privacy should be easily maintained through message encryption.

Conclusion

It is fascinating to see how healthcare regulating agencies see the issue of mobile device security and PHI. Clearly, they see it as an important issue but one that is nowhere close to being solved. What we can conclude from the article is that healthcare institutions need to continue their vigilance in protecting patient information. Secure messaging solutions and increased training are the best place to start.

 

The post Encryption and Healthcare Mobile Messaging appeared first on OnPage.


More Stories By OnPage Blog

OnPage is a disruptive technology and application that leverages today's technology and smartphone capabilities for priority mobile messaging. With a top notch history of ensuring uninterrupted communication for businesses and critical response organizations, OnPage is once again poised to pioneer new mobile communications methodology for business and organizational use.
