News Feature | June 2, 2014

How Secure Are Healthcare's Text Messages?

By Megan Williams, contributing writer


The journal Telemedicine and e-Health published a study revealing that 61 percent of pediatric doctors in the U.S. have received work-related text messages on their personal phones, and 60 percent have sent them themselves.

As much as security in healthcare has been the talk of IT professionals lately, protection around text messaging still has room to develop. Chances are, your clients either have not considered securing the messages their practitioners are sending or have not taken action on it.

Doctors Are Concerned

While the pager has been a staple of physician communication for decades, it’s slowly being replaced by texting via mobile phone, and doctors are concerned — 46 percent of respondents to the Telemedicine and e-Health study said they were concerned about the protection of patient privacy. Considering that 30 percent of respondents said they’d received PHI (protected health information) via text message, that’s a valid concern.

Additionally, decision-makers (and their business associates) have regulations under the Final Omnibus Rule of March 2013 to be concerned about. The new safeguards clearly identify the risk that mobile devices pose, and touch on the sensitivity of patient information transmitted via text and its usual lack of encryption (a particularly disconcerting threat considering the ease with which mobile devices are stolen).


While text messaging provides a simple and familiar mode of communication for hospital employees, getting them to use it in a secure manner is far from easy. According to Spyglass managing director Gregg Malkary, “I suspected nurses were using their devices. I just didn't realize how widespread it was. And it’s not just nurses, it’s doctors as well. Nobody wants to use a secure text messaging app. They don't want to have to use two apps, they want one, and the prevailing attitude is that unsecured SMS is just fine. They know it’s a violation, but it's more fluid, they know everyone else’s smart phone number, and they can coordinate care. They’re leveraging consumer grade tools to facilitate closed loop communication, and to support multidisciplinary care. Unfortunately, it's outside the firewall.”

Potential Solutions

The answer for your clients will depend on their risk, so solutions providers will need to use a HIPAA risk analysis to evaluate whether text usage poses an actual security risk to an organization. Since HIPAA doesn’t provide for cookie-cutter solutions to security risk, the best solution will need to fit organizational needs.

After a risk analysis, your client may decide to require deletion of texts under specific circumstances, implement a passcode protection or encryption solution, use a device registry, or even ban texting altogether.

Acknowledge that any solution that users bypass isn’t a solution at all. Solutions providers interested in giving their clients answers that will genuinely improve their security could consider containerization options — specifically, app wrapping — among other possible solutions for securing text messages.