The Secure Texting Scam

Posted on September 6, 2012 I Written By

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery. After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations. Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia. With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

I fondly remember going deer hunting with my father and grandfather in Pennsylvania where I grew up.  We hardly ever actually killed anything.  One deer hunting technique we never used was called “putting on a drive.”   You start with a group of hunters at each end of the woods.  The first group does the “driving” by walking through the woods making lots of noise.  The other group lies hidden at the other end.  The first group scares the deer towards the second group for an easy blindside kill.  Even if you like hunting it’s not very sportsmanlike.  The deer don’t stand a chance.

Recent developments in health information technology convince me that Washington politicians and health IT vendors are putting a drive on physicians. Together they coerce physicians into technology purchases that may be redundant and unnecessary.  One such example is all the noise health IT vendors make about secure texting.

In November 2011 JCAHO posted a notice deeming the use of texting to communicate physician orders as unacceptable.   This very short statement offered two supporting arguments:  1.  The sender’s identity could not be verified, and 2.  There is no way to preserve the text message for the medical record.  The statement did NOT mention any potential for hacking, eavesdropping or any other privacy / security issue.

The following April a small (5 physician) cardiology practice was fined $100,000 for a number of HIPAA violations.  The worst of these was putting appointment and surgical schedules on a publicly accessible online calendar.  Other violations included failure to appoint a privacy officer and failure to conduct a risk analysis.  The HHS press release for this settlement does not list texting protected health information (PHI) as one of the violations.  Nonetheless many secure texting vendors have cited this settlement as evidence that the Feds are prosecuting providers for texting PHI.  My inbox has been inundated with ads: “Don’t get caught texting PHI!  Buy our secure texting product today!”

Many providers have drunk the Kool-Aid, succumbing also to strong intuitive – but unverified – arguments regarding SMS texting.  It is widely accepted that every text has at least 3 copies:  the sender phone, the receiver phone, and one or more copies on the telecom servers involved in the transmission.  The first 2 clearly exist.  But has anyone verified current practices among telecom providers regarding server storage of text messages?  There is no credible source that clearly documents what those practices are.  Many providers and IT folks also intuitively believe that text messages can be easily monitored / intercepted remotely.

One secure text vendor I reviewed offers secure texting for the “bargain” price of $10 per user per month.  For our practice that totals $12,000 per year.   The app requires installation on both sending and receiving ends, so even after all that money is spent I can text “securely” only to employees inside my practice.  Too bad I don’t need secure communication inside my practice.  My EMR already does that.  So the product is both expensive and useless.  Most secure text products are structured similarly.

The argument for secure texting products fails in several ways:

  1. The November 2011 JCAHO directive regarding texting of physician orders does not mention privacy as an issue.  The two issues it does raise, identity verification and documentation in the medical record, are not solved by secure text products.  Furthermore, the JCAHO arguments should apply to voice conversations as well.  The voice of a caller cannot be objectively identified, and voice conversations are not preserved for the record either.   Telephone orders have been the standard of care for decades.  We have tolerated those “shortcomings” without difficulty.
  2. No federal agency has investigated anyone for texting PHI – although the secure texting vendors would like you to believe otherwise.
  3. There have been no documented PHI security breaches related to texting.
  4. The biggest security issue for texting is the smart phones themselves, where stored text messages are just waiting to be lost or stolen with the phone.  Secure text products don’t solve that problem either.  This is more appropriately handled by password protecting phones and remote-erasing technology for lost or stolen phones.  There are lots of other ways to address the problem, such as storing text messages in the cloud rather than on the phone.
  5. Physicians have been using text communications for almost 20 years, since the advent of text-enabled pagers.  This far predates SMS technology.  We contacted our answering service regarding the security of the text-pages that they send to our smart phones.  We were assured that their secure server adequately addresses the issue.  Really?  Don’t their messages pass through the same telecom servers as other texts to reach our smart phones?  Am I missing something?
  6. Smart phones can be eavesdropped for both voice conversations and text using the same methods.  If the eavesdropping argument is used to outlaw unsecured text, then voice communications should be treated similarly.
  7. How exactly do the wireless carriers handle text messages?   Why isn’t anyone grilling them about securing their servers?  Current practice across the IT community is that the owner of a database is responsible for its security.  Verizon Wireless, starting last April, has expressed great interest in health care and has declared its intention to establish a role in the management of chronic diseases.  How about something simpler and much more useful…like secure texting for health care providers?

The “logical” conclusion – ignoring common sense – is that PHI would be prohibited in all wireless communications.  Doctors would have to return to 1980’s era pagers that only emit a tone.  You call the answering service – on a landline – to get the message.  The privacy policies made necessary by the Information Age would force us back to the Stone Age.

Instead consider the following plan that would serve PHI privacy needs without all the hysteria and expense of add-on products:

–       Establish a set of practices for texting medical information that avoids or minimizes the creation of PHI.  This would include referring to patients by initials and avoiding the use of identity-establishing information.  I have done this for the past few months and it works well.  You can include all the medical information you want in a text, but if the patient is identified only by initials then it is not PHI.

–       Engage telecom providers to establish adequate security measures for its servers.  They should be doing this anyway.  There would be many users willing to pay a reasonable amount to cover the expense.  This would be much better than add-on products since it would be compatible across all users.

–       Aggressively implement protection for smart phones, starting with mandatory password protection and remote erasing, and implementing more sophisticated technologies as they become practical and widely available.

How do you get a marginal product to sell?  Either have the government make people buy it (Meaningful Use) or use marketing sleight of hand to create the illusion of a legal imperative.  Secure text marketing strategy works just like the deer drive.  The “drivers” are the secure texting vendors.  They leverage poorly written and randomly enforced government regulations to make lots of noise in an attempt to scare physicians.  At the other end of the forest lurks Secure Texting Snake Oil – products that only pretend to rescue doctors from prosecution and patients from identity theft.  Their only true effect is to raise health care costs without any improvement in quality of care or data security.