The use of messaging (SMS, chat, and email) has grown substantially to the point where people across all age groups communicate more frequently via messaging than they do by phone, and far more via smartphones than any other device. This has translated to the business world, as bring-your-own-device (BYOD) policies have emerged and organizations – regardless of industry – have been forced to determine how to accommodate this trend without sacrificing the security and privacy of the data they manage.
Assessing the risk of secure messaging implementation
The healthcare industry has made significant strides in understanding how to evaluate technology risk and develop reasonable and appropriate mitigation strategies, but there is still much to be done. There are approximately a half-million healthcare-related organizations in the United States, many of them small and lacking resources (money and experienced staff), and most of the attention in the industry has been paid only to the larger ones.
This parallels the path of the payment card industry. In the early days of the Payment Card Industry Data Security Standard (PCI DSS), the focus was on the largest merchants even though their number was dwarfed by the number of smaller entities. Over time, enforcement of the DSS has moved down and now covers most of the industry. The DSS was issued at the end of 2004, and it has taken 12 years to reach this stage, so there is still hope for the healthcare industry to gain ground since real enforcement didn’t start until after the first round of audits conducted by OCR in 2012.
Use of text and other real-time messaging solutions within the clinical setting has become ubiquitous, and most every medium- to large-size organization has taken advantage of these solutions. There are still many smaller organizations (rural and small hospitals, as well as single provider offices) that need to make the transition to secure messaging. Many of these organizations are significantly behind when it comes to security, even though they have typically addressed the privacy requirements of HIPAA.
Organizations such as Health Information Trust Alliance (HITRUST) have developed methodologies and tools that can help these smaller healthcare organizations understand and address their compliance with the HIPAA security rule. These tools have been designed to lead an organization through the process of identifying its risks and suggesting controls to address them.
Unfortunately, the medical device industry is behind in addressing security, leaving organizations to determine how to address the security and privacy of data on their own. This is a bit of a reset, as the threats to these devices and the risks they pose are not as well understood as they should be. But this new challenge is being confronted, which should lead to better outcomes. What does this mean to healthcare organizations? Whether large or small, risk management processes will need to be refined to encompass new technologies that factor in the evolving threat landscape and regulatory environment.
As a first step, the risk management processes applied to the clinical setting should be a guide to the technology side of the operation. While the risks and threats are different, the processes used to identify, prioritize, and mitigate them don’t have to be. Staff needs to be dedicated to this cause, including enhanced training and education. Most of all, keep calm and carry on.