Danger, Will Robinson! Danger!

It’s just a matter of time before our current health care e-communication methods fail

July 12, 2017

Contributed by:
Andrew Binne | Communications Coordinator, Microquest Inc.
Vanda Killeen, BA, Dip Ad/PR | Senior Communications Consultant, AMA Public Affairs

Quality and efficiency are key elements of professional patient care and because many patients receive care from two or more providers, physicians need to communicate and consult quickly. When e-communicating, however, the last thing you want is for your message, often containing confidential patient information, to be “Lost in Space.” (If you're under the age of 50 you might want to look up this campy 1960s television sci-fi on Wikipedia). Yet, it’s extremely rare to see a health care professional or medical clinic that isn’t using email and text messaging via smartphones and tablets – despite the serious security risks. In the words of that famous robot from Lost in Space, “That does not compute!"

While email led the health care e-communications charge, smartphone and tablet use has been rapidly increasing, making text messaging as popular as email, if not more so. For physicians, smartphones and tablets mean you don’t have to go back to your desk to respond to that email, send that message or conduct other online activities, such as referencing drug data, researching or carrying out clinical calculations, or making prescribing decisions; you just pull out your phone or tablet and conduct your business.

Oops! Wrong address!

Every day, physicians use digital devices to manage the coordination and transition of patient care. The problem is that all the convenience and accessibility comes at a price: the security and protection of patients’ personal health information (PHI). Unfortunately, the improper securing of health care e-communications leaves patients vulnerable to PHI security breaches, resulting in liability issues for physicians. As so often happens, it’s only after breaches occur that security measures are reviewed.

It isn’t difficult to find examples of PHI breaches where the use of email was the culprit. An SC Magazine¹ post describes how an employee at Massachusetts General Hospital emailed the PHI (names, lab results and social security numbers) of 648 patients to the wrong email address. In another American example in 2015,2 Georgia’s Department of Human Services reported that a community care employee emailed the PHI of over 3,000 patients to the wrong recipient.

Risky storage

Smartphone and tablet use introduces another area of privacy concern for physicians: the secure storage of PHI on their devices. Consider what would happen if your device was stolen. Is the risk of a breach of patients’ PHI stored on your stolen device and the resulting issue of liability worth the convenience?

On the Office of the Information and Privacy Commissioner (OIPC) of Alberta website, you can find numerous investigative reports and news releases that describe instances of the theft, loss or unauthorized access of partially or completely unsecured systems and portable devices containing PHI.

In its 2014 Healthcare Breach Report,³ Bitglass, an American data protection company, analyzed health care data breaches from the past three years and found that 68% of breaches since 2010 occurred because devices or files were lost or stolen; only 23% were due to hacking. The report also found that more than 76% of all breached records were the result of loss or theft.

It’s clear that the theft and unauthorized access of unsecured, private information from electronic and digital devices is not lessening and that the solution is to exchange and store information with a secure messaging system. The increasing incidents of PHI data theft and the resulting security breaches undermine public trust in our health care system and our health care providers.

Shaken faith

A USA based Black Book consumer survey⁴ from December 2016 (“Healthcare's digital divide widens”) reported some surprising responses from consumers to questions of privacy in the health care sector. According to the survey, “57% of consumers are skeptical of the overall benefits of health information technologies, mainly because of recently reported data hacking and a perceived lack of privacy protection by providers.” Additionally, 89% of respondents reported withholding health information during visits.

While these are USA statistics, Canada demonstrates similar numbers. In a Canadian Medical Protective Association (CMPA) article,⁵ the results of a 2012 Canada-wide survey revealed that 43% of respondents “would withhold information from their care provider based on privacy concerns.”

A 2015 news release from the Office of the Privacy Commissioner of Canada⁶ shows no waning of that concern. In a telephone poll, nearly half of respondents said they were extremely concerned about what might happen to their personal information stored on a mobile device if it was lost or stolen, and 78% of respondents have become “less willing to share their personal information.”

The health care sector should find these statistics alarming. Trust is essential in successful doctor-patient relationships, yet the prevailing public attitude is one of distrust and a lack of faith or belief that personal information is safe and secure in the hands (and devices) of others, to the point where patients are choosing privacy and security over the disclosure of potentially vital PHI.

The solution: Encryption and off-device data storage

Yes, email, texting and instant messaging are unquestionably quick and convenient ways to e-communicate. And in most everyday situations and layperson exchanges of information, they’re secure enough. But that’s not the case with health care. As a physician, you’re obligated by legislation, regulations and standards of practice to safeguard and respect your patients’ PHI.

There is a solution. AMA dr2dr Secure Messaging is as quick and convenient as email and texting, while providing 256-bit data encryption. With patient data stored on a central website, you’re guaranteed that a stolen device will never create an opportunity for a data breach.

Secure communication isn’t the future of health care; it’s the NOW.

The false security of messaging apps Messaging apps provide transmission encryption; that is, text messages you send are encrypted until they reach the recipient’s phone (e.g., iMessage7 and WhatsApp8). Transmission security, however, is not the same as on-device encryption. Transmission encryption occurs between devices, not on the device. What would happen if your phone was lost or stolen? Someone with access to your device could simply open your messaging app and view all the PHI you sent via text. As for accessing your device, that’s simpler than you think. Protecting access to your phone or iPad with either a password or PIN is absolutely a first step in securing PHI on your device, but it’s not enough. A University of Pennsylvania study9 tested smartphones and found multiple instances where the oil left by the users’ fingers created a visible smudge pattern on the screen. This smudge pattern shows not only where on the screen the user has touched, but also the direction of their swipes across the PIN entry screen, which indicates the order in which keys were touched. The high probability of theft or loss of devices, the lack of on-device encryption and relatively visible PIN patterns (as an example of just one method of password hacking) illustrate why password protection of devices is not the only security measure that must be taken. Along with passwords, encryption should be used on devices where PHI is stored. Section 60 of the Health Information Act requires that reasonable steps be taken to protect health information. In their 2007 “Investigation report concerning stolen laptops containing health information,” the OIPC of Alberta concluded, “It is well known that theft of laptops or other mobile devices is a foreseeable threat” and that practitioners using mobile devices must “use encryption to protect the data – password protection alone is not sufficient.” References available upon request.