Secure Messaging via the Cloud and Mobile Devices
EXECUTIVE SUMMARY:
The secure messaging space is alive with new innovations that are moving the industry forward. Key in this space is the push toward moving secure messaging to the cloud and pushing it out to mobile devices. Among the examples are solutions that allow physicians to receive encrypted email on mobile devices, as well as ones that allow doctors to securely text-message each other to coordinate care. However, the security issues around these emerging technologies in this very active space must be further explored.
With more and more clinical information systems moving to the cloud, a small but growing number of healthcare organizations are also moving their core email messaging systems to the cloud. According to the Cambridge, Mass.-based Forrester Research, the main players in the cloud email space are Google Apps, Microsoft's Exchange Online, Cisco's WebEx Mail, and IBM's LotusLive Notes.
When the Westminster, Md.-based Carroll Hospital Center started experiencing reliability and performance issues with its email, alternatives to its legacy Novell GroupWise (Waltham, Mass.) messaging system needed to be investigated. Slow email, even slower servers, and increasing amounts of monthly maintenance were becoming too much for the 195-bed hospital to handle.
Hunt Regional Healthcare, which has a main 202-bed hospital in Greenville, Texas and a 24-bed critical access hospital in Commerce, Texas, had been using IBM's Aptrix messaging system. The hospital had a hybrid setup: an external, Internet-facing email system and an internal Exchange server for personal health information (PHI). “Either possibly with a case of ignorance or maliciousness, the capacity of some user to be able to send unencrypted PHI was just looming greater and greater on the horizon, so we had to do something,” says Joe Hartley, director of information systems at Hunt Regional. Hartley also cited outages before and after Aptrix's acquisition by the Cambridge, Mass.-based IBM as another reason for moving to Google Apps.
EFFICIENCIES IN THE CLOUD
Those interviewed for this article cite many efficiencies that the cloud can provide their messaging services. Jon Roenick, systems engineer at Carroll Hospital, says his organization's new cloud-based messaging system has more storage than the legacy system, and email doesn't have to be deleted as regularly. “Just switching over to Google got the servers out of our data center and into the cloud, which means less administrative overhead for email and more time to spend on the clinical applications that we maintain here,” he says. Carroll Hospital was also able to get rid of the BlackBerry (Research in Motion, Waterloo, Canada) server, and save approximately $100,000 yearly with the switch.
For legal purposes, Carroll Hospital retains emails for 10 years. Doing this in the cloud with Google's Message Discovery tool makes compliance much easier and more cost-effective, according to Kim Moreau, assistant vice president of information systems. With 11,000 accounts to migrate, Moreau says there were only a couple of blips along the way. To avoid unforeseen problems, she set up “lunch-and-learns” to educate her users, but many of them were already familiar with Gmail's functionality.
Mac McMillan, chair of the Privacy and Security Steering Committee of the Chicago-based Health Information and Management Systems Society, notes that Google's commercial products have good security track records, as data are stored in encrypted volumes, and when paired with Google's Postini security and encryption products, it's an even better option.
Martin Littmann, director of IT systems at Kelsey-Seybold Clinic in Houston, Texas, a 20-location community-based physician group, uses the software-as-a-service (SaaS) offering from Proofpoint (Sunnyvale, Calif.) as part of his organization's email security strategy. “I could recall in years past there would be days when I'd get two or three calls from executives saying, ‘Hey, I'm getting this SPAM; I never got this kind of stuff before,’” Littmann says. “But I don't have those types of events happen at all anymore.”
Littmann notes that organizations can't actually quantify the cost savings of preventing a security breach. “You only have to look at the press of the [organizations] who have had breaches or events that occurred like email or networking disclosures and see what it has cost them to deal with that, not just in terms of a real mitigation standpoint, but in terms of loss of reputation,” he says. “That is the real cost associated with it.”
CLOUD COUNTERPOINT
A survey by Apptio, a Seattle, Wash.-based provider of on-demand technology business management solutions, and the Scottsdale, Ariz.-based research firm Worldwide Executive Council, found that IT decision makers didn't have the necessary metrics to build intelligent business cases for moving applications and infrastructure components to the cloud. Case in point, Matt Green, director of information systems at Methodist Healthcare, a seven-hospital system based in Memphis, Tenn., feels cloud-based email is not the best solution for his organization right now. “At this point in time from our research, there are not a whole lot of healthcare organizations using cloud-based solutions, so I think it's going to take some time before those solutions are ready for a regulated environment like healthcare,” he adds. His organization is, however, using the London-based SaaS email management company Mimecast for email archival and disaster recovery.
With the new developments in the cloud space, McMillan, who is also CEO of the Austin-based CynergisTek, has his concerns about security. He explains that some cloud vendors sell bandwidth by buying space on several different servers, relying on the security of spreading the data out so widely that attackers won't be able to find it as easily. Other services disperse data within the same data center, which allows for more control over the security of that data, McMillan says. He cautions organizations to ask how the vendor manages data, and to question any other business associate that handles PHI on how and where data are stored.
Lee Barrett, president of the Farmington, Conn.-based Electronic Healthcare Network Accreditation Commission (EHNAC), says that providing secure messaging is not a technology issue; it has been a mainstay of other industries, like banking, for years. It's the disparate implementations, which can lead to breaches, that Barrett cites as healthcare's main problem. “It comes down to making sure we have a level of standardization,” Barrett says. “That's where an organization like an EHNAC comes into play to ensure a third-party review, so we're getting some consistency.”
SECURE MOBILE MESSAGING
Amazing strides are being made in the mobile secure messaging space. McMillan is excited about a product that will be launched later this year that will offer encrypted mail on clinicians' mobile devices. “It's going to be a complete game-changer,” he says. To send an encrypted message via the mobile device, the user will only need to authenticate once, he says, and then the product will recognize the same user for subsequent emails. McMillan adds that the email will not be stored on the device but only accessed through the encrypted connection, so, in his view, there is no risk to the information. After the user connects with another customer, their device recognizes the other for all subsequent messages, so no re-authentication needs to take place.
Another exciting app that recently launched allows physicians to send secure text messages to other physicians. The free application from the San Mateo, Calif.-based Doximity was launched by Jeff Tangney, the co-founder and former president and COO of Epocrates (San Mateo). Greg Walton, CIO of El Camino Hospital in Mountain View, Calif., says that Doximity had a “lunch-and-learn” about the product at his hospital, and by the end of the meeting, several doctors were already using the free service.
Walton notes that the physicians at his hospital like the service for the ability to network with other colleagues and find classmates who went to their medical school. He notes that other social media sites are problematic for doctors, as they can be plagued with what he terms “marketplace consults,” where people ask for medical advice outside of a formal consultation, which creates complexities with billing and paperwork. “What Jeff has done is say that doctors are a certain group that has a unique need for a product for that profession,” says Walton.
Vikas Jain, M.D., chief resident of the Department of Family and Preventative Medicine at the University of Oklahoma (Oklahoma City), started using Doximity in October 2010 for several tasks. For instance, when Jain needs to do a transition of care with a specialist or primary care physician when he admits or discharges a patient, he can access every licensed physician with the phone list feature to find the appropriate phone number. He also uses the text feature in the inpatient setting to communicate a test result to a radiologist, specialist, or to the physician on that shift. “Being able to relay patient-related information in a fast and secure and efficient manner has definitely sped up being able to take care of patients, and not only admit them, take care of them, and discharge them, but be able to get that information back to their primary care physician,” Jain says.
WHAT ARE ORGANIZATIONS OVERLOOKING?
There are several security areas that industry experts agree organizations tend to overlook when it comes to messaging. One major area McMillan mentions is when institutions allow Webmail access like Gmail, Yahoo, and Hotmail that staff can use to intentionally or unintentionally send PHI, which defeats the purpose of the organization's email encryption solution. McMillan suggests organizations employ a data loss prevention (DLP) solution that monitors outbound Webmail content and either disallows emails which include PHI or redirects the message to be sent through the main encrypted email solution. “We still have a lot of institutions that don't have DLP and that are allowing Webmail,” he says. “It's basically a backdoor for sensitive data to leave without any encryption.”
Another area for concern, McMillan notes, is when organizations allow staff members to push their work email to their personal accounts. Once the message is outside the organization's encrypted walls, the organization has no control over where it can end up. McMillan advises institutions to be smarter in how they control the information, which he says is where the real leakage occurs, rather than focusing on the device.
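The two gaps McMillan describes, PHI leaving through consumer Webmail and work mail forwarded to personal accounts, are both addressed by an outbound DLP policy that classifies message content and decides per recipient whether to allow, block, or route through the encrypted gateway. The example below is added here and is not code from the article or from any vendor it names; it models that policy at a mail gateway, and the same classification would apply to a Web proxy inspecting Webmail form posts. The internal domain, the PHI regular expressions, and the sample messages are all constructed for illustration; a production DLP engine uses far richer dictionaries and proximity rules.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Consumer Webmail domains named in the article; the list is illustrative, not exhaustive.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# The organization's own mail domain (hypothetical value for this example).
INTERNAL_DOMAIN = "example-hospital.org"

# Simplified PHI indicators, constructed for this example only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10)\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    action: str                      # "allow", "encrypt" (route via encrypted gateway) or "block"
    reason: str
    findings: list = field(default_factory=list)   # names of the PHI patterns that matched


def _recipient_domains(msg: Message) -> set:
    """Collect the domain part of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr}


def _body_text(msg: Message) -> str:
    """Return the plain-text content of a simple or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def find_phi(text: str) -> list:
    """Return the names of every PHI pattern that occurs in the text."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


def evaluate(raw_message: str) -> Verdict:
    """Apply the outbound policy to one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    external = {d for d in _recipient_domains(msg) if d != INTERNAL_DOMAIN}
    findings = find_phi((msg.get("Subject") or "") + "\n" + _body_text(msg))
    if not external:
        return Verdict("allow", "all recipients are internal", findings)
    if not findings:
        return Verdict("allow", "no PHI indicators found", findings)
    webmail = external & WEBMAIL_DOMAINS
    if webmail:
        # PHI to a personal Webmail account: no encrypted path exists, so refuse it.
        return Verdict("block", "PHI addressed to consumer Webmail: " + ", ".join(sorted(webmail)), findings)
    # PHI to another organization: deliver only through the encrypted gateway.
    return Verdict("encrypt", "PHI to external domain; route via encrypted gateway", findings)


# Constructed sample traffic (no real patients, addresses or identifiers).
SAMPLE_MESSAGES = {
    "internal_handoff": "From: a@example-hospital.org\nTo: b@example-hospital.org\n"
                        "Subject: handoff\n\nPatient MRN 12345678 admitted, diagnosis pending.\n",
    "to_gmail_with_mrn": "From: a@example-hospital.org\nTo: Dr Self <drself@gmail.com>\n"
                         "Subject: FW: handoff\n\nPatient MRN 12345678 admitted, diagnosis pending.\n",
    "referral_with_ssn": "From: a@example-hospital.org\nTo: referral@partner-clinic.example\n"
                         "Subject: referral\n\nPatient SSN 123-45-6789, DOB 01/02/1960.\n",
    "personal_chat": "From: a@example-hospital.org\nTo: friend@gmail.com\n"
                     "Subject: lunch\n\nLunch at noon?\n",
}


def evaluate_samples() -> dict:
    """Map each sample name to the action the policy takes on it."""
    return {name: evaluate(raw).action for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        v = evaluate(raw)
        print(f"{name:20s} {v.action:8s} {v.reason} {v.findings}")
```

The forwarded copy of the internal hand-off is the case from the article: the same content is allowed inside the organization's domain but blocked once a staff member pushes it to a personal Gmail address, while a referral to another provider is forced onto the encrypted channel instead of being refused outright.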
EHNAC's Barrett adds that institutions, especially smaller healthcare organizations, don't give a lot of thought to their physical security, such as access to computer or server rooms, or whether there are windows in those rooms. He notes that “any disgruntled employee can get in and harm data” when organizations don't securely control access to their physical servers.
OVERCOMING CHALLENGES
Barrett notes that organizations' major barriers to secure messaging are in developing appropriate policies and procedures that are scalable to ensure protected data sharing within the organization and beyond. He also notes that the evolution of security roles, like the chief privacy officer, have been a bit stymied as organizations will assign a privacy officer, but the person won't truly understand the role and responsibilities. “We find a lot of organizations not having the appropriate individual in the role, and in many cases, they just don't have the policies and procedures in place for the size of the organization and [make it] scalable for the organization,” Barrett says. “They don't really go through any type of adequate training or simulation so that the person knows in the event of a breach exactly what's going to be done.”
McMillan says the biggest challenge for organizations is affordability. “The technology is available; it's not like they can't do it,” he says. “If they can't do it today, it's generally because it's too expensive. The better question is can you afford not to have it?”
Healthcare Informatics 2011 May;28(5):24-29