I recently was talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your Live Calls, transcribe a message to you and send you that message by SMS. Well, he loved all of it except the part that YouCallMD was using insecure SMS messages to send protected health information (PHI).
I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.
While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.
Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD and they wouldn’t put a doctor or institution at risk for violating HIPAA. Soon the day will come when doctors can send SMS like messages on their phones in a secure way and they won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.
A friend of mine is an Android programmer who once gave me a really good idea of how insecure SMS is as a communication technology.
With little more than an Android phone and his programming skills, he was able to write a script that would just listen to the messages going back and forth. The receiving side is encrypted, so he couldn’t read those, but the sending side is not, so he could read half of every conversation at the time.
Of course, TCP/IP is quite similar. Every network device on a network hears and sees the traffic from every other network device. There’s a reason in networking that throughput tends to be about half of bandwidth.
Tim
13,050 days
Tim,
That’s exactly my point. SMS isn’t encrypted. However, there are many SMS like options out there that are encrypted and your friends script wouldn’t crack. In fact, there are even some free options for doctor too.
Same applies to TCP/IP and is why all EHR vendors use encryption for all their communication. It’s not a hard problem to solve if people just do it.
I was agreeing with you. I thought it was helpful to offer a real live example of exactly what “insecure” can mean with SMS. 🙂
Beyond the SMS topic, it’s less the transmissions of the information that make me nervous, and more the destinations that we assume are secure at the other end. And I’m not even talking about data breaches when I say that so much as figuring out why HITECH needed to expand HIPAA access and disclosure to 701,325 entities and 1.5 million business associates.
Tim
13,050 days
I was agreeing with you too Tim.
My friend offered a helpful clarification: Just because something is encrypted does not mean it is secure.
Tim
13,050 days
That’s true. Encrypted doesn’t always mean secure. Although, it’s a big step in the right direction. You still have to secure the end points and ensure the identity of the sender and receiver, etc.
In addition to getting the information into and out of encryption, as you correctly raise here, I think he was also referring to the information when its encrypted itself. There are varying levels of encryption quality or difficulty, and a programmer can write code to directly decrypt the transmission with brute force.
Tim
13,051 days