preston pennington December 5, 2012, 10:55 am The first question healthcare organizations want a provider of a secure messaging application to answer is, “Is the application HIPAA compliant?” Actually, the first consideration should be the strength of an application’s data encryption and security. It is important to realize that being HIPAA and HITECH compliant does not guarantee that an application has a high level of security or that the PHI is not vulnerable to unauthorized access. A robust secure messaging application will have security features that work both on organization-issued devices and in a “bring your own device” (BYOD) environment. These features include: strength of data encryption, storage of Patient Health Information (PHI) on user-owned devices/servers, central administration of users/devices, a consistent level of protection regardless of device used (Apple, Android, PC), and portability of the application. It is also important to consider the total cost to the organization. This not only includes the cost of the application and services, but also the cost of certifying third-party vendors for HIPAA compliance. It may be quite challenging to gather the security information, so it is important to see how easy or difficult the vendor makes it for you to compare their security features versus the cost of implementation.

The security of a secure messaging system should consist of end-to-end data encryption while in transit and at rest. It should be encoded by the sender, and only the receiver should be able to decode the message. As a way to prevent unauthorized access to the data, the application on the device must only be accessible through the use of a password or PIN code, a distributed model (data storage across multiple devices) should be employed, and a central administrator should be able to lock or remotely wipe the device. In addition, the central administrator should be able to automatically sync all devices when a member is added or removed, and set group policies for password strength, idle lockout time, failure attempts, and message retention time. It is also important that PHI is not presented in the message alerts.

The next factor to consider is data storage and control. It is critical that all data is 100% under your control by being stored on your servers or in your cloud and on the end user’s device. In this way, you decide who will have access to your PHI and other sensitive data, when they will have access to it, and can ensure that a third-party provider will not be able to access your data. Many vendors of secure messaging solutions use third-party servers, such as Amazon, to store data, which increases the vulnerability of your PHI to unauthorized access. They will tell you that a business associate agreement is not needed because the Federal Register, Vol. 75, No. 134, p. 40873 states that “…entities that act as mere conduits for the transportation of protected health information, but do not access the information other than on a random or infrequent basis are not business associates”. Are you comfortable with the fact that an Amazon employee or your vendor can access your PHI and other sensitive data at any time? At qliqSoft, we believe that only the members of your organization should have access to your data. This is why we do not store PHI on our servers and only buffer the encrypted data. By doing this, we decrease the likelihood of unauthorized access or breaches. It is important to keep in mind that most data breaches occur after you stop using a service or by a rogue employee within your vendor’s organization. So, if your vendor does not have control over or access to the data, a major threat to your PHI is eliminated.

Data portability is an important feature for a secure messaging application. To have true data portability, the healthcare organization must have 100% control over the data. In this way, there are no issues with potential breaches after a switch is made to another vendor. Unfortunately, with most vendors, your desire to switch creates a potential security problem for you and them. Along with this, it is also important to consider the portability of the application. The application must be able to work with software ranging from Apple to Android to Windows to Mac and on any device (tablets, smartphones, laptops, and desktops) that a healthcare organization chooses to use. This flexibility allows the organization to grow organically and not get locked into certain products or pricing.

At qliqSoft, we took care of message security so you don’t have to. We use strong end-to-end data encryption that works across multiple platforms; we ensure that all PHI and other sensitive data is stored on your resources in a distributed model that is 100% under your control, ensuring portability. Since only your organization can access the data, you do not have to worry about unauthorized access from a third-party vendor. In other words, we lower the risk of a potential breach while minimizing its impact. Each day we leverage our 18-plus years of experience in secure communications to further develop and improve the infrastructure we spent over 18 months in R&D developing. The best thing is that our secure messaging product, qliqConnect, is free and that we exceed the HIPAA and HITECH compliance standards, saving you time and money on lengthy third-party validation procedures.
karl walter keirstead December 5, 2012, 9:51 am Advanced interoperability is alive and well at MCOs. Coast Healthcare LLC recently announced an “e-clinical Hub” application that allows member agencies to request consolidated patient Continuity of Care (CCD) information encapsulated along with doc, pdf, spreadsheet, imaged material, even videos. The functionality is being expanded to include hospital visit information and lab test results. There is no reason why patients could not be allowed to log into an e-Hub portal such as the Coast eHub to request personalized narrative summaries of their healthcare data or view a video summarizing their status as recorded by their physician. The encapsulations require a utility to open/expand downloaded material such that the data is secure during data transport. Each request for information can have its own unique unlock code.
Kevin Pereau December 5, 2012, 8:47 am Both Dr. Tippett and Donna Cryor gave excellent presentations and many things to think about. We are seeing a confluence of health care industry need, changing consumer behavior and technology that is pushing information and solutions out to the consumer in ways we've never seen. Verizon is clearly one of the leaders. We make a Health Score, which is something the industry absolutely needs. It is a fun and easy way for people to measure how everyday lifestyle choices like exercise, nutrition, stress and sleep affect your overall health. We have integrated (or are integrating) about every popular device out there that makes collecting biometrics daily a snap. Connecting that information to medical professionals who help keep us healthy is why we created the platform. Connecting this to a comprehensive portfolio of offerings like Verizon is hammer for everyone from insurers, hospitals and consumers. Dr. Tippett is spot on: mHealth is doing to healthcare what PCs did to the computing industry... pushing solutions out to the individual. I have no doubt Verizon will be leading the charge.
Krishna Kurapati December 5, 2012, 7:34 am Everything has to be more secure. PHI breach risk has to be minimized. Security should be transparent, and the user should not worry about it on a daily basis. Device control, remote lock and wipe of data on the device when a user loses the device, password/PIN authentication on the device, and data should be encrypted on the device and in transfer. Only the intended recipient of the data transfer should be able to decrypt the data. All these features must be transparent to the make and model of the device.
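Both preston pennington's and Krishna Kurapati's comments list the same device-side controls for a secure messaging app: a password/PIN gate, a failed-attempt lock, an idle lockout, a message retention limit, alerts that carry no PHI, and remote lock/wipe. The model below is an added example written for this page, not code from any commenter or from qliqSoft or qliqConnect; the `DevicePolicy` values, the `DeviceVault` class and the sample message are constructed assumptions, and the clock is passed in so behaviour is deterministic.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class DevicePolicy:
    """Group policy a central admin pushes to every device (constructed values)."""
    min_pin_length: int = 6
    max_failed_attempts: int = 5
    idle_lockout_seconds: int = 300
    retention_seconds: int = 7 * 86400

@dataclass
class Message:
    sender: str
    body: str          # PHI lives here and must never reach an alert
    received_at: float

class DeviceVault:
    """Device-side PHI store: PIN gate, failed-attempt lock, idle lockout, retention purge, remote wipe."""
    def __init__(self, pin: str, policy: DevicePolicy):
        if not pin.isdigit() or len(pin) < policy.min_pin_length:
            raise ValueError("PIN does not meet group policy")
        self.policy, self.salt = policy, os.urandom(16)
        self.pin_hash = self._hash(pin)           # never store the PIN itself
        self.failed, self.locked, self.unlocked_at, self.messages = 0, False, None, []
    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
    def unlock(self, pin: str, now: float) -> bool:
        if self.locked or self.pin_hash is None:
            return False
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failed, self.unlocked_at = 0, now
            return True
        self.failed += 1
        self.locked = self.failed >= self.policy.max_failed_attempts  # admin must clear
        return False
    def receive(self, msg: Message) -> str:
        self.messages.append(msg)
        return f"New secure message from {msg.sender}"  # alert text carries no PHI
    def read(self, now: float):
        # Purge messages past the retention window, apply idle lockout, then gate on lock state.
        keep = self.policy.retention_seconds
        self.messages = [m for m in self.messages if now - m.received_at <= keep]
        if self.unlocked_at is not None and now - self.unlocked_at > self.policy.idle_lockout_seconds:
            self.unlocked_at = None               # idle lockout: PIN required again
        if self.locked or self.unlocked_at is None:
            return None
        return [m.body for m in self.messages]
    def remote_wipe(self) -> None:                # central admin action for a lost device
        self.messages.clear()
        self.pin_hash, self.locked = None, True
```

`read` returns `None` whenever the device is locked, so a caller cannot tell a locked device from an empty one without a valid PIN.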