Report: Unsecured, noncompliant messaging could spell trouble for healthcare

The healthcare industry is not keeping pace with the explosive growth of messaging app use when it comes secure communications and adopting Health Insurance Portability and Accountability Act-compliant software, and the scenario should be keeping IT leaders awake at night, according to a new survey.

The survey, conducted by Infinite Convergence Solutions last month, reveals that 8 percent of healthcare institutions prohibit consumer messaging apps for employee communication; one in four institutions that do have an official mobile messaging platform are using an internal, company-authorized app. The remainder, according to the study, are recommending or using consumer-facing messaging apps and services that do not provide the enterprise-grade security needed to comply with regulations.

The results are questionable, however, as the 500 responses came from professionals representing several industries, including finance/banking, retail and legal industries. The survey was conducted online.

"CIOs and IT leaders in healthcare institutions need to make available an official enterprise-grade messaging platform to their employees which also allows them to implement administrative, physical and technical safeguards that HIPAA requires," Anurag Lal, CEO of Infinite Convergence, told FierceMobileHealthcare via email.

Forty-nine percent of respondents said that their employer has an official mobile messaging platform. Of that group, 16 percent cited the platform as GChat;11 percent said they are using WhatsApp.

Nearly all respondents, 91 percent, said they use mobile messaging a few times a week for work. The study also reveals that institutions are recommending employees use consumer mobile messaging apps, like iMessage or Skype, neither of which follow HIPAA guidelines for messaging security.

"There are plenty of mobile messaging apps in the market but very few that provide security and control that an enterprise needs to mandate compliance policies," Lal said. "On the other end, consumers need to be extremely aware and critical of the information they choose to share with healthcare providers over messaging apps."

The study comes just after two cybersecurity groups released a "how to" draft guide for organizations to keep private and sensitive information stored on employees' mobile devices secure. The guide, from the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence, includes ways to keep data secure "throughout the mobile device lifecycle," according to an executive summary.

Just slightly more than half of healthcare employees (59 percent) are using full-disk encryption or file-level encryption on mHealth computing devices used at work, according to a recent Forrester research report, which concluded that medical enterprises must adopt a data-centric approach to endpoint security on all employee devices.

For more information:
- check out the survey's findings (.pdf)
- read the announcement