7/28/2014
02:28 PM

Insecure Communications Costly For Hospitals

Even one insecure text message can be expensive, as one North Carolina facility discovered. It's time for healthcare organizations to implement efficient, secure communication systems.

(Source: Ponemon Institute Research Report)
Comments
R Dennis Steed,
User Rank: Apprentice
7/31/2014 | 1:18:19 PM
Re: Medical SMS: a data breach waiting to happen
We are still allowed to talk by landline, but the cell phone was deemed insecure by the HIPAA compliance officer.

It's not totally surprising, given the numerous scandals involved with celebrity cell phones being hacked:  http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal.

I agree 100% about the rules being confusing.

As far as your friend emailing a pdf to the hospital, if it is her personal information, there is no rule against her emailing her information to anyone she wants. I suspect the hospital simply is not set up to deal with email that contains protected health information once it is received. In other words, your friend is free to risk the information being intercepted and read on its way to the hospital's mail server, but once it reaches the server, the hospital is responsible for maintaining the privacy of your friend's information.
Alison_Diana,
User Rank: Author
7/31/2014 | 11:35:42 AM
Re: Medical SMS: a data breach waiting to happen
I am not sure, but I think doctors and patients are still allowed to talk on the phone! It's just the sharing of data via written means, like text, isn't it? As a friend remarked online earlier today, she can send a fax to her hospital but wasn't allowed to email a PDF of lab results... the rules are confusing for patients and staff, which is why some breaches (and non-breaches, as in the case of this NC facility) undoubtedly occur.
R Dennis Steed,
User Rank: Apprentice
7/30/2014 | 10:15:49 PM
Re: Medical SMS: a data breach waiting to happen
I was on the medical staff of a hospital where the security policy forbids communicating PHI to a physician on a cell phone.  Given this article, it sounds like it is probably a sound policy for avoiding fines and penalties.

I'm not so sure it is a sound policy for taking care of patients.  I suppose a physician can look for the nearest pay phone to talk about a patient, but I can't remember seeing a pay phone recently.
Alison_Diana,
User Rank: Author
7/28/2014 | 5:15:25 PM
Re: Medical SMS: a data breach waiting to happen
What I had hoped to show with the example at the beginning was that the opposite is actually true: A nursing facility got penalized when nobody was damaged. The violation occurred when the doctor and nurse traded a text about a patient's lab results, but nobody else viewed the text. It wasn't hacked. It wasn't accidentally shared or anything else. But when CMS discovered the text as part of a HIPAA audit, the government agency penalized the healthcare organization, including making the facility tell patients about the occurrence.

So while an organization may not be audited and, yes, get away with conducting unencrypted texting, if a breach does occur it's such an easy thing to prove that healthcare organizations will likely be paying out a big sum of money: Once to the government in fines, once to the patient in penalties. And if the patient is a celeb, then yes, most likely it will be worse because people are often nosier in those cases.

The CIO I interviewed for this piece was pretty upfront, I thought. Since she was a nurse and had grappled with this issue in the ranks, she realized they needed something that was easy to use and not onerous, otherwise clinicians wouldn't use it.
asksqn,
User Rank: Ninja
7/28/2014 | 4:43:20 PM
Medical SMS: a data breach waiting to happen
It sounds like encrypted text messaging is used only if it was convenient for the IT department to have implemented it and convenient for staff to learn how to use it, which pretty much describes the shoddy security practices of any given organization.  I'm sure the only time this particular data-breach-in-waiting will be substantively addressed in the law is when a high profile celebrity/politician incurs an injury as a result of the flagrant HIPAA violations going on with text messaging.