The Secure Texting Scam

I fondly remember going deer hunting with my father and grandfather in Pennsylvania where I grew up.  We hardly ever actually killed anything.  One deer hunting technique we never used was called “putting on a drive.”   You start with a group of hunters at each end of the woods.  The first group does the “driving” by walking through the woods making lots of noise.  The other group lies hidden at the other end.  The first group scares the deer towards the second group for an easy blindside kill.  Even if you like hunting it’s not very sportsmanlike.  The deer don’t stand a chance.

Recent developments in health information technology convince me that Washington politicians and health IT vendors are putting a drive on physicians. Together they coerce physicians into technology purchases that may be redundant and unnecessary.  One such example is all the noise health IT vendors make about secure texting.

In November 2011 JCAHO posted a notice deeming the use of texting to communicate physician orders as unacceptable.   This very short statement offered two supporting arguments:  1.  The sender’s identity could not be verified, and 2.  There is no way to preserve the text message for the medical record.  The statement did NOT mention any potential for hacking, eavesdropping or any other privacy / security issue.

The following April a small (5 physician) cardiology practice was fined $100,000 for a number of HIPAA violations.  The worst of these was putting appointment and surgical schedules on a publicly accessible online calendar.  Other violations included failure to appoint a privacy officer and failure to conduct a risk analysis.  The HHS press release for this settlement does not list texting protected health information (PHI) as one of the violations.  Nonetheless many secure texting vendors have cited this settlement as evidence that the Feds are prosecuting providers for texting PHI.  My inbox has been inundated with ads: “Don’t get caught texting PHI!  Buy our secure texting product today!”

Many providers have drunk the Kool-Aid, succumbing also to strong intuitive – but unverified – arguments regarding SMS texting.  It is widely accepted that every text has at least 3 copies:  the sender phone, the receiver phone, and one or more copies on the telecom servers involved in the transmission.  The first 2 clearly exist.  But has anyone verified current practices among telecom providers regarding server storage of text messages?  There is no credible source that clearly documents what those practices are.  Many providers and IT folks also intuitively believe that text messages can be easily monitored / intercepted remotely.

One secure text vendor I reviewed offers secure texting for the “bargain” price of $10 per user per month.  For our practice that totals $12,000 per year.   The app requires installation on both sending and receiving ends, so even after all that money is spent I can text “securely” only to employees inside my practice.  Too bad I don’t need secure communication inside my practice.  My EMR already does that.  So the product is both expensive and useless.  Most secure text products are structured similarly.

The argument for secure texting products fails in several ways:

  1. The November 2011 JCAHO directive regarding texting of physician orders does not mention privacy as an issue.  The two issues it does raise, identity verification and documentation in the medical record, are not solved by secure text products.  Furthermore, the JCAHO arguments should apply to voice conversations as well.  The voice of a caller cannot be objectively identified, and voice conversations are not preserved for the record either.   Telephone orders have been the standard of care for decades.  We have tolerated those “shortcomings” without difficulty.
  2. No federal agency has investigated anyone for texting PHI – although the secure texting vendors would like you to believe otherwise.
  3. There have been no documented PHI security breaches related to texting.
  4. The biggest security issue for texting is the smart phones themselves, where stored text messages are just waiting to be lost or stolen with the phone.  Secure text products don’t solve that problem either.  This is more appropriately handled by password protecting phones and remote-erasing technology for lost or stolen phones.  There are lots of other ways to address the problem, such as storing text messages in the cloud rather than on the phone.
  5. Physicians have been using text communications for almost 20 years, since the advent of text-enabled pagers.  This far predates SMS technology.  We contacted our answering service regarding the security of the text-pages that they send to our smart phones.  We were assured that their secure server adequately addresses the issue.  Really?  Don’t their messages pass through the same telecom servers as other texts to reach our smart phones?  Am I missing something?
  6. Smart phones can be eavesdropped for both voice conversations and text using the same methods.  If the eavesdropping argument is used to outlaw unsecured text, then voice communications should be treated similarly.
  7. How exactly do the wireless carriers handle text messages?   Why isn’t anyone grilling them about securing their servers?  Current practice across the IT community is that the owner of a database is responsible for its security.  Verizon Wireless, starting last April, has expressed great interest in health care and has declared its intention to establish a role in the management of chronic diseases.  How about something simpler and much more useful…like secure texting for health care providers?

The “logical” conclusion – ignoring common sense – is that PHI would be prohibited in all wireless communications.  Doctors would have to return to 1980’s era pagers that only emit a tone.  You call the answering service – on a landline – to get the message.  The privacy policies made necessary by the Information Age would force us back to the Stone Age.

Instead consider the following plan that would serve PHI privacy needs without all the hysteria and expense of add-on products:

–       Establish a set of practices for texting medical information that avoids or minimizes the creation of PHI.  This would include referring to patients by initials and avoiding the use of identity-establishing information.  I have done this for the past few months and it works well.  You can include all the medical information you want in a text, but if the patient is identified only by initials then it is not PHI.

–       Engage telecom providers to establish adequate security measures for its servers.  They should be doing this anyway.  There would be many users willing to pay a reasonable amount to cover the expense.  This would be much better than add-on products since it would be compatible across all users.

–       Aggressively implement protection for smart phones, starting with mandatory password protection and remote erasing, and implementing more sophisticated technologies as they become practical and widely available.

How do you get a marginal product to sell?  Either have the government make people buy it (Meaningful Use) or use marketing sleight of hand to create the illusion of a legal imperative.  Secure text marketing strategy works just like the deer drive.  The “drivers” are the secure texting vendors.  They leverage poorly written and randomly enforced government regulations to make lots of noise in an attempt to scare physicians.  At the other end of the forest lurks Secure Texting Snake Oil – products that only pretend to rescue doctors from prosecution and patients from identity theft.  Their only true effect is to raise health care costs without any improvement in quality of care or data security.

About the author

Dr. Michael Koriwchak

Dr. Michael Koriwchak

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery.
After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations.
Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia.
With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

9 Comments

  • Dr. Koriwchak,
    I’m not going to argue about the unsavory practices of secure text messaging providers. No doubt many of them will do or say anything to make a sale. I’m sure that many of them have gone way too far and told lies in the process. No arguments there.

    However, I think you’re wrong about Text messages not being secure. I think this is true when it comes to where/how the text messages are stored and also in their unencrypted transmission. There is actually a document which I posted previously which shows how much information is collected and stored by the Telcom providers: http://www.emrandhipaa.com/emr-and-hipaa/2012/06/27/telcoms-store-sms-text-message-details-not-hipaa-compliant/

    That chart shows clearly that Verizon stores the full texts which is a HIPAA violation since they aren’t stored according to HIPAA guidelines and you don’t have a business associate agreement with them either. Even if they weren’t storing them (which they have to do at least temporarily), then the messages are still going across a clear wire unencrypted. Certainly there’s some wiggle room in the HIPAA regulations, but unencrypted PHI on a line is not one I’d like to take. You actually could pull a voice call off a line these days too, but it’s much harder to put a voice call back together than just a simple SMS message.

    Sure, it would be great if all the telcom providers would secure them properly, but that’s just not going to happen. They don’t have the motivation to do so when you consider the number of messages that need to be secured to HIPAA standards. The HIPAA law will change before Telcom supports the law.

    Your suggested strategy does solve many of the issues. If your text doesn’t contain PHI, then it doesn’t matter. However, you often want to send PHI and just not have to worry about it. Plus, the secure text messaging provider can do more than a simple lock on the phone. They can add a second factor for authentication.

    One other thing I think you’re missing is that there are a lot more benefits to secure texting versus SMS than just security. For example, many doctors send a text to a doctor and that text never gets delivered. They think it was read, but it never got to the recipient. Or it got the recipient, but the person never got the message because they were out of town. This can be solved with secure text where you can show if the messages was delivered and even when the message has been read. There are other simple features like limits on message length, supporting image messages, texting to a web browser (ie. your nurse who’s at a computer), and eventually easy transfer of text message to your EHR which won’t be possible with SMS, but will be possible with secure text.

    For full disclosure, I’ve been advising a Secure Messaging provider: http://www.docbeatapp.com for a little while now. So, I have somewhat of a vested interest in the idea. Although, as I told them, you have to provide doctors something that’s as simple as SMS, but adds on new capabilities that aren’t available in SMS. Otherwise, they won’t use it, let alone pay for it. Which as a side note, docBeat is free. Fear shouldn’t be the driving force behind adoption of a product. That’s a failed strategy.

    While you’re right that no lawsuits have been done for PHI on text, I think there will be some eventually. Although, as one doctor I talked with about this told me, they’re not going to throw us all in jail.

  • John-

    Thanks so much for your thoughts. All good stuff. I had not seen your post before regarding telecom practices’ handling of SMS data. Point well taken. It is interesting, however, that Verizon only stores content for 3-5 days, and the other carriers don’t store it at all. The risk there is actually lower than I thought.

    I have another question / point: In an era where most PHI breeches are due to gross negligence (loss / theft of physical media being the most obvious), why worry so much about texting? If I put myself in the hacker’s place, why would I go to the trouble of hacking a telecom server when the vast majority of its contents is useless to them? I bet 90% of what you would find would be monosyllabic grunts sent by teenagers like my own 2 kids. Would it be worth sifting through all of that to find the extremely rare message that had content worth stealing?

    I imagine a similar argument would apply to interception of messages during transmission as well.

    We should go after the low-hanging fruit first.

  • Mike,
    You’re right that the issue with privacy is biggest with loss/theft. However, my issue is that this is an easy issue to solve. Like in even the loss/theft breaches, the simple solution is encryption. Something that SMS doesn’t do.

    I believe the issue with breaches in text messages won’t be a random listening to sms messages that are going across the wire. That would likely produce the teenage texts. Instead, the SMS breaches are likely to happen by someone entering a doctors office with a cell phone or laptop that listens to the wireless communication that’s nearby. Similar to the way you can do other internet communication when it’s not encrypted.

    The other breach is going to happen when a doctor loses his cell phone which contains a bunch of SMS messages with PHI on them. A secure text provider’s 2 factor authentication will add an extra layer to protect when this happens. Plus, you can do things like remote wipe of the secure text messages in the event of this happening.

    I agree that many secure text providers make this into more than it is. Plus, the solo docs likely won’t be that concerned regardless. The enterprise institutions who want to save face will be more concerned. Particularly because they have a highly focused group of uses that could be hacked like I described.

    As I said in my other comment, the move to secure text message has privacy benefits, but also many other compelling reasons to use it as well. It just has to be as simple to use as SMS and have the added benefits to be a compelling option for doctors.

  • Dr, you are completely correct about “secure” SMS. My company has been in business for almost 40 years, specializing in healthcare communications. It baffles me that these other solutions out there that use SMS call their products secure!
    We created the truly secure smartdevice messaging solution and pager replacement called miSecureMessages about three years ago. It does Not use SMS (and there’s no character limit).
    I would be honored to give you and anyone else that is interested a free trial and demo.
    We have so many great features, not all are on the website.’
    For truly secure two-way messaging, that does Not use SMS, please contact me
    Ccurtin@amtelco.com
    I hope that you’ll contact me. You’ll be astounded and amazed by our innovative technology and customer-devotion.
    I am so glad you’re helping others see the light about “secure” SMS solutions that aren’t secure, and very costly, not even counting the hipaa fines that could be leveraged. I only hope that your readers understand this before it’s too late. I’m trying too.
    Thank you!
    Colleen Curtin

  • Texting patient initials is considered identifiable PHI.

    From the hhs.gov web site:

    May parts or derivatives of any of the listed identifiers be disclosed consistent with the Safe Harbor Method?

    No. For example, a data set that contained patient initials, or the last four digits of a Social Security number, would not meet the requirement of the Safe Harbor method for de-identification.

Click here to post a comment
   

Categories