Text Messages in the ICU: Are They Secure?

2014 - 1 February – Critical Care in Underserved Areas
Christine C. Toevs, MD, FCCM; Brian Toevs, PhD
Experts explore the potential risks of sending text messages in the ICU.
 
In 2014, Critical Connections will feature a series of articles highlighting the challenges and benefits of emerging technologies in the intensive care unit.
 
About 10 years ago, if you were working in the intensive care unit and you needed to know the lab results on the patient in bed 6 you would call the resident. If he didn’t know the results, he would look them up and maybe remember to call you back. If you got the resident’s voicemail, it took even more time as you had to either return the call or in some way verify that the resident received and understood your message. Pagers were more troublesome and added even more steps. Isn’t it easier to simply send a text message to the resident or even directly to the lab and wait for an answer? 

Short message service (SMS), commonly referred to as text messaging, has come a long way since it was introduced in 1992. Thankfully, long gone are the days of 160-character limits relentlessly punched out on the keypad of a “dumb” cell phone. Initially, the system took advantage of the signaling paths in cellular networks that perform functions such as connecting two callers or terminating the connection; most of the time these paths weren’t in use. A simple software upgrade permitted the gaps to be filled with 160 seven-bit characters. Today SMS is a much more complicated system involving mobile message centers and an entirely new message transfer protocol. The system must interact across networks (e.g., AT&T, Sprint, Verizon), across smartphone platforms (e.g., Android, iPhone, Microsoft), and even across languages (English is not the only text language). As one might imagine, modifying this system is a tremendous undertaking and one of the primary reasons additional security features haven’t been added. Thus, your message can still be intercepted.

What are the chances of interception? In reality, not high. Unless you happen to be the healthcare provider of someone famous, the lab report of the patient in bed 6 simply isn’t a very high-profile target for a phreaker (a computer hacker who specializes in phones). Still, the possibility does exist, and because text messages are sent without encryption, anyone who does intercept the message can easily read it.

How is protected health information (PHI) released? The primary concern is that someone other than the intended recipient will intercept the information. What if a criminal hacks into the system and intercepts your message? While that is an abhorrent thought, it really is a very small and trivial threat. The greater threat is that you cannot verify that the recipient of the text message is the right person. How many times have you sent a text message to the wrong person? Phones can be shared, phone numbers are reassigned by the provider, and strangers or even family members can pick up an unattended cell phone and peruse the message log. Phone sharing and the advent of cell number portability have made the first two threats almost trivial, but the default interface on smartphones is not very secure. Text messages simply don’t beat speaking to someone over a voice connection and verifying that you have the correct party before discussing PHI.

The big concern is that patients’ PHI will be released inappropriately. This has been a real and valid concern of the public and the government. Medical identity theft is a significant threat, with one study reporting that as many as 500,000 individuals have already been victims. A thief typically pursues one identity to falsify with the intention of getting medical services with it. The Health Insurance Portability and Accountability Act (HIPAA) is very specific about protecting the public from this threat, but it is vague about the type of PHI that might be used in a text message. HIPAA is typically more concerned about PHI that can be used for medical identity theft. The Department of Health and Human Services settlement against Phoenix Cardiac Surgery, P.C. is often cited as a case study for HIPAA enforcement, but text messaging had practically no role in that case. The Joint Commission is much more specific regarding text messaging: “Physicians who need to quickly communicate time-sensitive information about their patients should no longer use text messages.” This is a pretty clear message that healthcare providers should not use SMS text messaging for transmitting any patient information. The Joint Commission warning suggests that those who want to utilize the convenience of messaging should use mobile applications (apps) that incorporate message encryption.

Why aren’t we using apps as recommended by The Joint Commission and other governing bodies? Unfortunately, they aren’t always compatible. Using the SMS on your phone, you are able to send your message to anyone with a smartphone (and in many cases, tablet computers and even desktops) without any special downloaded program or even any special effort on your part. Apps are different; the one that you use on your Android phone won’t talk to the resident’s iPhone. Further, the app on the nurse anesthetist’s Verizon iPhone may not be able to talk to the one on the resident’s AT&T iPhone. Bringing your own device to work drives your information technology department crazy.
 
Carriers should encrypt SMS text messages, but getting all the players to agree on an encryption protocol and then implementing it simultaneously are huge challenges. Additional clarification is necessary from the Centers for Medicare & Medicaid Services (CMS) and The Joint Commission. What content could be permitted in an unencrypted SMS text message? Would it allow appointment reminders? Would it be permissible for a healthcare provider to send a message asking the patient to call the office? Is it okay to send de-identified information? We now eagerly await the responses from CMS and The Joint Commission.

References:

1. DeGrasse M. Doctors need mobile apps, oversight panel says. http://www.rcrwireless.com/article/20111130/app-corner/doctors-need-mobile-apps. Posted November 30, 2011. Accessed December 9, 2013.
2. Dreiling GL. Medical ID theft. ABA Journal. 2007;93:36.