[White Paper] Secure Text Messaging. Top 10 Considerations when Selecting a Secure Text Messaging Solution

Transcription

1 [White Paper] Top 10 Considerations when Selecting a Secure Text Messaging Solution

2 [WHITE PAPER] Top 10 Considerations when Selecting a Secure Text Messaging Solution Table of Contents I: The growth of text messaging... 3 II: HIPAA Regulations Regarding Text Messaging and PHI... 3 III: Evaluating Secure HIPAA-compliant Text Messaging Solutions... 4 IIIA: Evaluating Technical Requirements?... 5 IIIB: Evaluating Functional Requirements... 5 IIIC: Evaluating Secure Text Messaging Vendors... 6 IV: Conclusion... 8 Intro Evaluating Secure Text Messaging solutions for healthcare organizations can cause anyone s eyes to glaze over in dreaded anticipation. But the process doesn t have to be laborious, overwhelming, or fraught with perils when you know the right questions to ask. This whitepaper outlines the major considerations to discuss with every vendor you evaluate to help cut through sales pitches and marketing noise so you can get to the fundamentals of each solution and its fit for your organization. Page 2

3 [WHITE PAPER] I. The Growth of Text Messaging Text messaging via mobile devic es has become a general means of communication within our culture and workplace. Due to its simplicity and speed, the use of text messaging has grown rapidly from its inception in 1992 to today, whereby according to comscore 1 more than 70% of all mobile phone users send text messages. In the US alone, more than 2 trillion text messages are sent each year, or more than 6 billion per day 2. For most healthcare organizations, the adoption of text messaging has been dramatic because of the numerous advantages it provides. Fast and direct, text messaging can greatly simplify the laborious, pager-and-callback workflow that has been the prevalent means of communication in hospitals and other organizations for years. Text messaging helps doctors, nurses, and staff stay in constant contact, relaying requests and information in real-time, and leading to improvements in the delivery of patient care. Despite all the positive benefits that text messaging can deliver, there is a fundamental security challenge for healthcare organizations because traditional SMS text messaging is inherently insecure. Messages on devices can be read by anyone, they lie unsecured on telecommunication providers servers, and they can easily be intercepted and read in transit. In addition, a flaw in the SMS system prevents you from authenticating the recipients of SMS messages so you can never be sure an SMS message has been sent to and opened by the right person. A recent survey revealed that 20% of mobile phone users had sent a text message to the wrong person and another 20% had failed to delete their phones content before selling it, giving it away, or recycling it. 3 Recognizing these facts, the Joint Commission has effectively banned traditional SMS from any communication that contains Electronic Protected Health Information (ephi) data. A single violation for unsecured communications can result in a fine of $50,000 not to mention the damage done to an organization s reputation and its ability to attract patients. In a recent agreement over HIPAA violations, Phoenix Cardiac Surgery was fined $50,000 and required to implement security measures sufficient to reduce risks and vulnerabilities to ephi to a reasonable and appropriate level for ephi in text messages that are transmitted to or from or stored on a portable device. II. HIPAA Regulations Regarding Text Messaging and PHI However, the Joint Commission did not ban all text messaging solutions with a broad stroke. Instead it set out Administrative Simplification Provisions (AS) that serve as guidelines for securing communications systems. AS identifies four major areas that are critical to compliance: the data centers where information is stored and transmitted, the encryption requirements for data on devices and in transit, the authentication of recipients, as well as the ability to archive, retrieve and monitor the system. Here is a simple overview of each area: Secure data centers Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires that these centers should have a high level of physical security, as well as policies for reviewing controls and conducting risk assessment on an ongoing basis. 1 ComScore research, December 29, Forrester Research, June 19, Opinion Matters research 07/02/2010 Page 3

4 [WHITE PAPER] Encryption AS stipulates that ephi must be encrypted both in transit and at rest. Recipient Authentication Any communication containing ephi must only be delivered to its intended recipient. A texting solution should allow the sender to know when and if a message has been delivered, and to whom. Audit Controls All messaging systems must have the ability to record and create an audit trail of activity that contains ephi. For a text messaging system, this includes the ability to archive messages and information about them, quickly retrieve that information, and monitor the system as well. Standard consumer-based messaging systems fail in many of these areas. The data centers are often not designed for the highest levels of physical and data security. The messages they send are easy to intercept and never encrypted. They do not offer recipient authentication, and while messages and delivery details may be stored indefinitely, they are not designed to provide a fully functional audit trial. III. Evaluating Secure HIPAA-compliant Text Messaging Solutions Due to the inherent security weaknesses of existing SMS, there are a host of different vendors that have developed secure text messaging solutions to satisfy the security and compliance requirements that HIPAA imposes on healthcare organizations. While a range of different vendor-offered solutions exist, many of them are lacking in relationship to application functionality, technology, or vendor support. This paper will address the key criteria for evaluating secure text-messaging solutions and vendors, including technical requirements, functional requirements, and vendor requirements. IIIA. Evaluating Technical Requirements DATA CENTERS A qualified secure texting vendor will have a state-of-the-art hosting infrastructure that provides a secure, highavailability platform for delivering your text messages 24/7. Some of the infrastructure standards that a vendor should adhere to include: Tier IV Data Centers The Telecommunications Industry Association ranks data centers according to their security and reliability, with Tier IV as the highest level. Tier IV data centers must, for example, use biometric security measures, have electrical power storage, and two, independently-powered cooling systems. Page 4

5 [WHITE PAPER] SAS-70 Type II Certification SAS-70 is an auditing standard for service organizations that assesses the controls in place for, among other things, information security. Secure text messaging vendor hosting providers should be SAS-70 Type II certified in order to ensure adherence to best practices. Message Encryption In-Transit & Encryption At-Rest In-Transit Encryption When messages are in transit, they must be secured from prying eyes. The most common way to do this is using the Secure Sockets Layer (SSL) protocol, which is a standard security method widely used for the encryption of personal information for e-commerce. Encryption At-Rest When messages are at-rest in the vendor system, the vendor must encrypted them in case their systems become compromised for any reason, to protect the security of the messages. A best practice for doing this is to employ an advanced encryption technology such as Advance Encryption Standard (AES). AES was developed and adopted by the US government and is the only open standard that has been approved by the National Security Agency (NSA) for securing Top Secret information. The 256-bit version of AES offers the highest level of encryption for this standard. Security Pacific, John was a Managing Director and Partner at E.M. Warburg, Pincus & Co., Inc., where he spent eight and a half years. During his tenure, John was involved in Warburg s investments in Computerland, Tweeds, Babbages and US Healthcare. Previously, John was an attorney with Sullivan and Cromwell. To better address message security while at rest, secure texting vendors should not store messages on a mobile device, but rather provide access to the AES-secured system via SSL. By combining these two technologies, vendors can ensure a fully secured loop for moving any type of sensitive data to and from mobile devices, tablets and computers through its messaging platform. Recipient Authentication Vendors applications should ensure correct message delivery to the intended recipient, and provide means for recalling messages or deleting from the recipients device when they are misdirected. Moreover, secure texting applications should only send individuals in the organization s corporate directory, or have a means for sending secure messages to message recipients outside of the organization s corporate directory. This process ensures that secure texting solution users will use a natural name selected from an organization s directory, not a phone number. This not only eliminates the hassle of looking up phone numbers, but also ensures that a message does not get sent to an outside number in error. Page 5

6 IIIB. Evaluating Functional Requirements When evaluating a secure text messaging vendor s application features and functionality, there are several key characteristics and capabilities that a best practices solution should provide. Some of the most important include application ease of use, message lifespan, delivery & read confirmations, corporate directory integration, and message recall. While there are numerous other features and functions that can factor into the evaluation, you should use caution when looking at any vendor that does incorporate these. Ease of use While this might be considered a subjective measure, it is also one of the most important considerations when evaluating secure text messaging solutions. Any application that users don t find as easy to use as their existing mobile texting application, will never be fully adopted or widely embraced by the user community. In addition to conducting a thorough application review with your evaluation team, look for vendors who have had more than a million users download their application, as those vendors will have a robust user community that will help validate their application usability. Vendors with a smaller number of user downloads may not have the same level of user feedback that will help ensure the application s ease of use and ability to meet a broad set of users functional needs. Delivery & Read Confirmations When messages are sent using a secure text messaging solution, they should provide the sender with key message transport alerts. These alerts include notification when a message has been delivered to the intended recipient and when the intended recipient has read the message. This functionality is a cornerstone in how secure text messaging can help improve communication in healthcare, by allowing better coordination of resources with real-time feedback on message delivery and comprehension. Message Lifespan Due to the increasing risk of HIPAA fines for mishandling PHI, a secure messaging application will limit a healthcare organization s risk and exposure by incorporating message lifespan limits. A user or organizationdefined message lifespan will wipe a message from all devices after a pre-determined length of time, eliminating this risk. As HIPAA fines are levied per-patient record and per device, the dollar amount of the fines can quickly escalate, so having a message lifespan capability is essential to reducing a healthcare organizations potential liability. Message Recall Unlike traditional SMS text messaging solutions, secure text messaging solution should allow you to maintain control of messages after they ve been sent. If you send a message using a secure text messaging solution, you should have the ability to delete it from the recipient s device before or even after they ve read it. Page 6

7 Device Security Password and Pin Lock Authentication Users should not be able to log in to the secure texting solution without entering a password that authenticates their identity. In addition, administrators should have flexibility in how they manage member and be able to take security safeguards such as requiring users to enter a PIN number if a user has gone inactive on the system for a period of time. Remote Wipe In the case when a device is lost or stolen, all secure texting solutions must provide the ability to remotely wipe user accounts. This capability, along with the best practice of not storing texts on a user s device will allow administrators to effectively prevent access to sensitive information when a device is lost. Corporate Directory Integration To ensure a quick implementation and prevent unauthorized users from gaining access to your secure texting solution, best practice vendors should provide the ability for organizations with Active Directory or LDAP to directly synchronize with the member directory. This integration will speed up deployment significantly, as an organization s members can quickly be added to the member directory. Moreover, by synchronizing with the organizations master directory store, when employees, consultants, or contractors are deleted, they will automatically also be removed from the secure texting application reducing the likelihood of an unauthorized user gaining access to the secure texting solution. Pervasive Communications One of common challenges for healthcare organizations deploying secure text messaging solutions is how to ensure that individuals who are not in the corporate directory can still receive secure text messages. According to Metcalfe s law, the value and ROI of a secure text messaging deployment increases significantly when he size of the network increases, so best practice vendors will have the ability to securely increase the network. Evaluate whether a vendor has created a secure, HIPAA-compliant capability to reach audiences outside of the corporate directory. Platform Extensibility For many organizations, the extensibility of their secure messaging solution to other applications can be a key consideration when selecting a vendor. While a high-quality secure text messaging application will solve the direct communication workflow issues in a for a healthcare organization, if the platform is not extensible, it will not provide the opportunity for future integration with other applications. A simple way to identify vendors with extensible platforms is to ascertain whether they provide an open API class to allow integration with their messaging platform. Vendors that have incorporated this capability will have API documentation that they should be readily able to provide. Vendors applications should ensure correct message delivery to the intended recipient, and provide means for recalling messages or deleting from the recipients device when they are misdirected. Moreover, secure texting applications should only send individuals in the organization s corporate directory, or have a means for sending secure messages to message recipients outside of the organization s corporate directory. This process ensures that secure texting solution users will use a natural name selected from an organization s directory, not a phone number. This not only eliminates the hassle of looking up phone numbers, but also ensures that a message does not get sent to an outside number in error. Page 7

8 It s not uncommon for vendors to have core businesses in other areas, such as scheduling software, patient billing software, or other services outside the secure text messaging arena. If the vendor is not specialized in secure text messaging, understand how they internally share resources such as a common help desk. IIIC. Evaluating Vendors In addition to specific functional and technical requirements that best practices secure text messaging vendors will adhere to, vendors must be evaluated based on their track record in providing quality text messaging solutions to the healthcare market. As the secure text messaging market has grown over the past several years, many vendors have either jumped into the market or repurposed existing applications to try to sell them to the healthcare industry. While some of these offerings might seem robust, it behooves the smart buyer to understand how the vendors businesses operate. Here are some questions to ask to help you evaluate a secure text messaging vendor: Is the vendor primarily focused on secure text messaging? Is the vendors attention divided among many other products? Where does the vendor spend its research and development efforts? From a business standpoint, if the vendor isn t primarily focused on secure text messaging, will the solution receive enough R&D resources to continually improve and keep pace, or will the solution see those funds redirected to other areas deemed more interesting, leaving you with a stagnating product that does not keep up? Technology Vision An important, but often-overlooked criteria when evaluating a secure text messaging solution is the vendor s flexibility and forward-thinking approach to the market. To be thorough, verify that a vendor is flexible enough to adapt to changing requirements over time. The secure text messaging industry is rapidly evolving. Products that do not evolve with it quickly become stagnant. Investigate each potential vendor to determine how frequently solution enhancements are provided and how much of the development activity centers around customer requests. Additionally, a vendor s history of release cycles should be reviewed as carefully as future plans. Past performance is a great indicator of future progress; a vendor with long gaps between release cycles will most likely provide the same in the future. Customer experience Best practices vendors will have a depth of understanding on how to deliver and successfully support its healthcare customers. Look for vendors who have had a commercially available product for two years or more, and who have successfully deployed at least several hundred secure text messaging customers. Finally, make sure that they have a significant number of referenceable customers that look like your organization, both in type and size. This experience will prove invaluable in ensuring that your vendor can successfully implement a secure text messaging solution for your organization. Page 8

9 IV. Conclusion While the rapid rise in importance of having a secure text messaging capabilities has caught some in the healthcare industry, evaluating secure text messaging solutions and vendors does not have to be a black box. By using these important criteria to identify a vendors strengths and weaknesses, you will have the information and confidence you need to make an informed decision about the right secure text messaging solution for your organization. About TigerText TigerText is the leader in secure, real-time messaging for the consumer and enterprise. TigerText allows healthcare providers and businesses to create a private and secure mobile messaging network with their own smartphone. This controlled platform is HIPAA compliant and replaces unsecured SMS text messages that leave protected health and other confidential information at risk. The speed, compatibility, and ease of TigerText increases workflow and employee satisfaction. For more information visit: Contact Us TigerText