Microsoft Send
-
I've talked to my physicians about using a secure text client, but the push back was that they didn't want to have to maintain two apps for the same function. i.e. chatting with family vs chatting with other physicians and staff.
As far as I can tell though, considering the secure requirement of Personal Health Information (PHI) and unlikeliness of getting everyone in the world to switch to a single secure texting platform, I don't see this happening. They will be forced to use two separate apps.
In my case, fortunately a huge name in healthcare, Epocrates, has created a free secure text client that any physician can use. Even better, as physicians join, they are all able to find and text each other through the app.
-
@Dashrender said:
I've talked to my physicians about using a secure text client, but the push back was that they didn't want to have to maintain two apps for the same function. i.e. chatting with family vs chatting with other physicians and staff.
How do they deal with phone call security and email security then? Wouldn't the same issues apply?
-
@Dashrender said:
As far as I can tell though, considering the secure requirement of Personal Health Information (PHI) and unlikeliness of getting everyone in the world to switch to a single secure texting platform, I don't see this happening. They will be forced to use two separate apps.
You could always secure text messages. That would be the most annoying thing ever. Imagine a third-party encryption scheme for SMS!!
Of course it would either be crazy insecure or would break the 144 character limitation.
-
@scottalanmiller said:
@dafyre said:
@scottalanmiller They should also make it part of Outlook... Any reason they couldn't make Skype for Business do this? (or just Skype in general)?
I don't have an iPhone so I have to wait for them to come out with an Android Phone version. This could also make sense as a Windows 10 metro app.
Skype is a different platform. This is not, this is just an interface to email for those people, and there are a lot of them, that have complained about how "hard" email is. This leverages the core infrastructure of communications in a different way, but the value is in that it is still all a single system and just end users choosing to use it differently.
Hard - wow - and texting is easier? Only because it has no subject line? shakes head in shame!
We have the opposite problem here - people don't put anything in the body and only type their messages into the subject line.
-
@Dashrender said:
In my case, fortunately a huge name in healthcare, Epocrates, has created a free secure text client that any physician can use. Even better, as physicians join, they are all able to find and text each other through the app.
It's really just a third party IM tool though, right? It's not actually related to texting, not sure it could possibly be.
Microsoft has done the same thing here for free. Secure text-like functionality through the existing security system that is already approved (if you have O365 for email, of course.)
-
@Dashrender said:
Hard - wow - and texting is easier? Only because it has no subject line? shakes head in shame!
Seriously, have heard this one several times!
-
@Dashrender said:
We have the opposite problem here - people don't put anything in the body and only type their messages into the subject line.
Well that IS much more like texting. ALL conversations with one person are a single conversation with SMS. The idea of conversations doesn't exist there. So crippling email and using it poorly is a way to mimic texting more closely. And the subject line feels more length limited like SMS.
-
@scottalanmiller said:
How do they deal with phone call security and email security then? Wouldn't the same issues apply?
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
As for email, they are not supposed to email PHI outside of the company. Inside is fine because all communication between the clients and the server is encrypted. For example - since the BOD didn't want to purchase a third party secure texting solution, they use email to communicate about patients when they are off site.
Emailing everyone else (especially family) generally doesn't include PHI, so those just come and go as desired. Unlike texting, the email does provide the needed security for the internal communications, and then tacks on the desired external communications when desired.
-
@Dashrender said:
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
Are you sure? I thought that HIPAA made a point of all communications needing to be secure, I didn't know that they had a specific relaxation of the requirement for voice.
-
@scottalanmiller said:
@Dashrender said:
As far as I can tell though, considering the secure requirement of Personal Health Information (PHI) and unlikeliness of getting everyone in the world to switch to a single secure texting platform, I don't see this happening. They will be forced to use two separate apps.
You could always secure text messages. That would be the most annoying thing ever. Imagine a third-party encryption scheme for SMS!!
Of course it would either be crazy insecure or would break the 144 character limitation.
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
-
@Dashrender said:
As for email, they are not supposed to email PHI outside of the company. Inside is fine because all communication between the clients and the server is encrypted. For example - since the BOD didn't want to purchase a third party secure texting solution, they use email to communicate about patients when they are off site.
Emailing everyone else (especially family) generally doesn't include PHI, so those just come and go as desired. Unlike texting, the email does provide the needed security for the internal communications, and then tacks on the desired external communications when desired.
What I meant was how do they handle their family email vs. their business one. I guess they have family email them at work and don't keep personal accounts?
This use of texting-like from Send would allow you to integrate texting into the system. But would only be useful as "appearing as text" to people inside.
-
@Dashrender said:
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
Right, so the solution to texting is to not use texting, which is what I've always said. I never suggested that IMing was bad.
-
That's what makes Send so interesting. It is an IM system that is powered by Exchange email. So you get the power of IM and the unified management of a single messaging platform.
-
@scottalanmiller said:
@Dashrender said:
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
Are you sure? I thought that HIPAA made a point of all communications needing to be secure, I didn't know that they had a specific relaxation of the requirement for voice.
I know of no hospital or clinic, etc that uses any type of secure voice communication, nor do they use secure faxing. I'm not sure that secure voice would even be possible for the general public.
I can think of two quick examples. Patient talking to medical personnel and provider to provider communications.
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
But the second option would never allow for this acceptance of risk. According to you, you're saying that provider to provider voice communications could only ever happen over a secure channel - and I know of no one who is doing that. And it's not been listed in the deficiencies of the HIPAA audits that were done two years ago (to the best of my knowledge).
The same goes for faxes. The auditors haven't dinged the audited for using non-secure faxing - as faxing is considered a secure communication (and we can argue that all we want).
-
@scottalanmiller said:
@Dashrender said:
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
Right, so the solution to texting is to not use texting, which is what I've always said. I never suggested that IMing was bad.
@scottalanmiller said:
That's what makes Send so interesting. It is an IM system that is powered by Exchange email. So you get the power of IM and the unified management of a single messaging platform.
Exactly, on both points.
I didn't say you said texting was bad, I didn't even imply you said or even thought it. Though I will say that I think texting is bad and it's time to kill it!
Apple has already started down that road, but their solution is only good for other people on Apple mobile devices (unless they have a desktop client too?). They could really cement themselves in more by opening the Apple chat protocol they use to all platforms. And, it's all encrypted to boot!
-
@Dashrender said:
I know of no hospital or clinic, etc that uses any type of secure voice communication, nor do they use secure faxing. I'm not sure that secure voice would even be possible for the general public.
It's not, but my understanding of HIPAA is only that if it can't be secured that you can't use it, not that the lack of end user security allowed you to bypass the need for security. End user email can't be secured either in the same way. Same with texting. So any general law about security would curtail the use of all three the same.
-
@Dashrender said:
I know of no hospital or clinic, etc that uses any type of secure voice communication,
I've never dealt with one that was giving out patient data over the phone though, nor having worked in hospitals (big ones) for decades, have I ever dealt with one that actually took security or HIPAA seriously. That hospitals violate both the terms and the spirit of the regulation is what I would expect.
-
@Dashrender said:
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
That might work. I'm not sure if that qualifies or not. If that worked, why not do that for email?
-
@Dashrender said:
The same goes for faxes. The auditors haven't dinged the audited for using non-secure faxing - as faxing is considered a secure communication (and we can argue that all we want).
Auditors are just there to make money. They don't represent anything official. I've been a HIPAA auditor and I've brought it up. I worked in HIPAA consulting when HIPAA went into effect. Auditors can easily mention things that you won't get in trouble for or can miss things that you will. HIPAA can't be an exact science, it is best effort and common sense and "reasonable security."
I've seen hospitals pass inspections with patient data, on paper, blowing around in the parking lot.
-
@scottalanmiller said:
@Dashrender said:
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
That might work. I'm not sure if that qualifies or not. If that worked, why not do that for email?
Because of the management - you'd need an email server that allowed easy management of who could and couldn't be sent PHI, and you still could never use it for provider to provider communications as stated earlier.