7/28/2014
02:28 PM

Insecure Communications Costly For Hospitals

Even one insecure text message can be expensive, as one North Carolina facility discovered. It's time for healthcare organizations to implement efficient, secure communication systems.


When a doctor treating a North Carolina nursing home patient asked a nurse to text the resident's lab results, only the two authorized medical professionals saw the message -- but the residential facility ended up paying a high price for using this inherently insecure messaging medium.

The Centers for Medicare & Medicaid Services (CMS) gave the unnamed skilled nursing facility an "e-level deficiency," meaning there was "no actual harm but potential for more than minimal harm," according to a blog by law firm Poyner Spruill. As a result, CMS imposed a 10-point Directed Plan of Correction (DPOC) to be implemented within 15 days, which included:

  • Revising HIPAA policies and procedures, including training on identity theft
  • Hiring an external contractor -- unrelated to all staff and preapproved by CMS -- to educate employees, physicians, and the governing body during "on-site, in-person, face-to-face" training
  • Designating a HIPAA compliance officer for the facility
  • Determining how to address any loss of personal health information (PHI) by former employees
  • Sending a letter to all residents and families notifying them of the alleged HIPAA violation and the steps the facility is taking to fix and prevent new occurrences

"Neither of these elements was included in CMS's DPOC, nor was there ever any allegation [by CMS] that any PHI was 'lost,' only that it was communicated in isolated instances between a facility nurse and an attending physician, both of whom were authorized to receive such information under HIPAA," read the Poyner Spruill blog.

This incident underscores both the government's newly invigorated focus on potential HIPAA violations and the risks associated with unsecured communications.


Yet medical professionals continue to rely on texting. In one small study of pediatric hospitalists, 60% admitted to sending texts, 61% received them, and 12% sent or received messages more than 10 times per shift. Almost one third received PHI within a text, and 46% confessed to security concerns with texting. Only 11% of those queried worked at organizations with secure texting services available.

(Source: TigerText)

Often medical staff members text to avoid time-consuming alternatives such as paging or using hospital operators, according to Linda Reed, CIO at Atlantic Health System. But while texting addresses timeliness, standard SMS is not HIPAA-compliant. Atlantic discovered that more than half its clinicians used text messaging despite repeated warnings from IT, she noted in an interview.

"We are blue in the face telling our clinicians and nurses, 'You can't do this. SMS is not safe.' At the end of the day, not doing it is not practical," Reed said. "Without us providing some kind of an option, telling them not to do it is an exercise in futility."

Atlantic Health System uses Imprivata's Cortext to ensure secure communications between clinicians, although it also continues to use pagers for some dead zones within its hospitals and physicians' home regions. Because the system is HIPAA-compliant, clinicians can safely text patient information.

Dr. Alex Shen of Torrance Memorial Hospital can get responses in 30 seconds instead of an hour using TigerText. The best part? "I buy back more hours of my day to spend with patients," said Shen.

Secure texting enhances patient safety and physician productivity, Dr. Anthony Hedley, an orthopedic surgeon and founder of Hedley Orthopaedic Institute, told InformationWeek. Hedley uses Photon, a HIPAA-compliant messaging and records-sharing platform that enables doctors to see patients' records and images and add their comments.

"If someone in the hospital, for instance, has a case they would like to consult me on, they can ping me on Photon [and] send me X-rays, CT scans, whatever they want to send on my phone. So I can sit in my home and look at a fractured ankle and either go in to see the patient or advise a referral," he explained. "It's really become like having an intern in your pocket. It is a huge labor saving from that point of view."

Poor communication can force patients to spend unnecessary time in hospital, Dr. Gregory Grant, an orthopedic surgeon and chairman and CEO of Photon Medical Communications, pointed out. When ER doctors cannot reach orthopedic surgeons to review X-rays or CT scans, he said, they may admit patients who don't need a bed -- or conversely, patients with severe injuries may be sent home when non-orthopedic experts cannot pick out major problems on their medical images. In one case, Grant recalled, an ER doctor determined a patient had a severe arm injury and medevac'd the individual to a trauma center.

In another case, an elderly patient scheduled for surgery was given a blood thinner hours before the operation due to a communication lapse. As a result, the surgery was postponed and the patient was hospitalized for an extra day, resulting in potential additional complications and disruption in the hospital's surgery schedule.

(Source: Ponemon Institute Research Report)

Such scenarios worsen patient care and cost hospitals an average of $1.75 million each; in total, US hospitals lose about $11 billion annually because of inefficient pagers, poor communication practices, and cumbersome coordination processes, according to the Imprivata Report on the Economic Impact of Inefficient Communications on Healthcare, conducted by the Ponemon Institute.

Improving communication involves more than just texting, pointed out Reed, who's a nurse by training. At Atlantic Health System, enhanced communication is part of the organization's overriding goal to improve patient care. To achieve that, she said, the provider also bolstered WiFi, implemented virtual desktops, and added Vocera roaming technology for nurses. Videoconferencing is next on the agenda.

"To improve patient care, you need to improve care coordination. And to improve care coordination, you need to improve communication," Reed added.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
R Dennis Steed,
User Rank: Apprentice
7/31/2014 | 1:18:19 PM
Re: Medical SMS: a data breach waiting to happen
We are still allowed to talk by landline, but the cell phone was deemed insecure by the HIPAA compliance officer.

It's not totally surprising, given the numerous scandals involved with celebrity cell phones being hacked:  http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal.

I agree 100% about the rules being confusing.

As far as your friend emailing a pdf to the hospital, if it is her personal information, there is no rule against her emailing her information to anyone she wants.  I suspect the hospital simply is not set up to deal with email that contains protected health information once it is received.  In other words, your friend is free to risk the information being intercepted and read on its way to the hospital's mail server, but once it reaches the server, the hospital is responsible for maintaining the privacy of your friend's information.

Alison_Diana,
User Rank: Author
7/31/2014 | 11:35:42 AM
Re: Medical SMS: a data breach waiting to happen
I am not sure, but I think doctors and patients are still allowed to talk on the phone! It's just the sharing of data via written means, like text, isn't it? As a friend remarked online earlier today, she can send a fax to her hospital but wasn't allowed to email a PDF of lab results... the rules are confusing for patients and staff, which is why some breaches (and non-breaches, as in the case of this NC facility) undoubtedly occur.
R Dennis Steed,
User Rank: Apprentice
7/30/2014 | 10:15:49 PM
Re: Medical SMS: a data breach waiting to happen
I was on the medical staff of a hospital where the security policy forbids communicating PHI to a physician on a cell phone.  Given this article, it sounds like it is probably a sound policy for avoiding fines and penalties.

I'm not so sure it is a sound policy for taking care of patients.  I suppose a physician can look for the nearest pay phone to talk about a patient, but I can't remember seeing a pay phone recently.
Alison_Diana,
User Rank: Author
7/28/2014 | 5:15:25 PM
Re: Medical SMS: a data breach waiting to happen
What I had hoped to show with the example at the beginning was that the opposite is actually true: A nursing facility got penalized when nobody was damaged. The violation occurred when the doctor and nurse traded a text about a patient's lab results, but nobody else viewed the text. It wasn't hacked. It wasn't accidentally shared or anything else. But when CMS discovered the text as part of a HIPAA audit, the government agency penalized the healthcare organization, including making the facility tell patients about the occurrence.

So while an organization may not be audited and, yes, get away with conducting unencrypted texting, if a breach does occur it's such an easy thing to prove that healthcare organizations will likely be paying out a big sum of money: Once to the government in fines, once to the patient in penalties. And if the patient is a celeb, then yes, most likely it will be worse because people are often nosier in those cases.

The CIO I interviewed for this piece was pretty upfront, I thought. Since she was a nurse and had grappled with this issue in the ranks, she realized they needed something that was easy to use and not onerous, otherwise clinicians wouldn't use it.
asksqn,
User Rank: Ninja
7/28/2014 | 4:43:20 PM
Medical SMS: a data breach waiting to happen
It sounds like encrypted text messaging is used only if it was convenient for the IT department to have implemented it and convenient for staff to learn how to use it, which pretty much describes the shoddy security practices of any given organization.  I'm sure the only time this particular data-breach-in-waiting will be substantively addressed in the law is when a high profile celebrity/politician incurs an injury as a result of the flagrant HIPAA violations going on with text messaging.