The pMD Blog
POSTS BY TAG | Secure Messaging


Last week eight of my colleagues and I were in Anchorage, Alaska working with physicians, nurse practitioners, social workers, care coordinators, patients, and more. Although we were meeting about an array of different items, including building and enhancing care communities, charge capture, secure messaging, and clinical data exchanges, they all share the same common goal of working in collaboration to fill the gaps in patient care.

Patients who are “frequent flyers” of hospitals often suffer from chronic conditions, bounce between many specialists, and are at higher risk of costly readmissions. Due to the fragmented nature of their care, it can be difficult for caregivers to receive the right information about the patient at the right time. Big EHRs are drowning in data and cannot always be relied on to get providers the bottom-line, clinically relevant information they need in a timely fashion.

Doctors and staff throughout Anchorage are coming together in a grassroots effort to make change happen and improve the care that their patients are receiving, regardless of which provider in the community is delivering it. Connecting everyone together around the patient decreases medical costs, decreases duplicate tests, cuts down on medical mistakes, and it saves the patients and doctors valuable time, ultimately leading to better overall care.

This model of coordinated care in Alaska, however, is not unique to Alaskans. What the caregivers in that part of the country have been able to do is create a connected care community where they are coordinating the care around the patients, especially as the patients move between providers and facilities. We’ve heard from customers in other areas of the country about this same mission of connecting the different caregivers together around the patient instead of the patient around each of the caregivers. An important part of the solution is having a secure channel to share information quickly and seamlessly, and at the foundation is the concept of one patient no matter how many doctors they see. pMD continues to be an integral communication platform for care teams, allowing them to send quick, secure, valuable information, and bringing together a community so they can start talking with one another.

As a sales manager at pMD, I spend a lot of time with medical practices and hospitals that are evaluating our charge capture and secure messaging software - learning about the ins and outs of their businesses and how we can support them. Over the past couple of years and through the introduction of our secure text messaging platform, we’ve increasingly been curious to hear what groups are doing for communication with their colleagues, as well as with outside physicians. After all, communication is critical to providing quality patient care.

I’ve heard many startling answers. These range from “We send regular texts with PHI all the time, we’re not worried about HIPAA” to “What exactly do I have to text for it to be a HIPAA violation? I really have no idea, but it sounds bad,” and “We use iMessage and try to leave out PHI, which I think is secure enough.”

How can health care providers be on such drastically different pages with government regulations, especially when violation fines can cost up to $50,000 per text message? What we’ve discovered is that there is a staunch disconnect between the government bodies who write the compliance laws, the organizations that are supposed to be disseminating this information, and the providers who are supposed to be following them. The industry is still learning every day what is and isn’t OK according to these new rules and standards, and that process will take time.

There needs to be clearer direction from government agencies about how best to comply with these new rules, so providers can get back to focusing on why they got into medicine in the first place: helping patients. Implementing a good secure messaging solution is an integral step to making sure that these new regulations don’t get in the way of patient care.

The best text message is the one that you don’t have to send.

Don’t get me wrong - I’m happy that we offer a feature-rich, user-friendly secure text messaging product. But I’m even happier that in many cases, we can use automation to remove the need for a person to manually send a text message at all. At the end of the day, security is great; compliance is great; knowing when a message was read is great; automated reminders are great; file and image sharing are great; group messaging is great; adding external contacts from the community is great; cross-platform (mobile + web) is great… but what’s REALLY great is saving someone time.

This idea is actually the origin story of our secure text messaging software. Years ago, I remember sitting with a charge capture customer who was explaining the process for following up with the doctors about charges that the doctors had submitted through the software. The customer would first add a note to the charge in pMD so they had a record of the follow-up. Then they would send the doctor a text message asking their question. The text message itself seemed pretty harmless to them, so they weren’t in the market for secure text messaging software; but when we added the ability for pMD to send that message for them automatically, they became avid users.

Once we started down this road, we saw people manually sending each other routine, repetitive, and nonsecure text messages everywhere. Office receptionists were texting doctors about every new hospital consult. Answering services were texting doctors about nurse calls that occurred after hours. Specialists were texting each other to refer a patient, re-typing demographics that already existed elsewhere. Hospital doctors were texting PCPs (if they even had the person’s phone number) to let them know what had happened to one of their patients who got hospitalized. All of this messaging wasn’t just putting patient information at risk - it was actually costing someone time. Each individual message was fast and easy to send, but for these repetitive tasks, they added up quickly.

In a world where every major software company has its own messaging features, automation is the key to selecting the software that your people will embrace and that will keep giving back to you instead of simply checking a box on a HIPAA-compliance audit.

At pMD, we are constantly working to update and improve the secure text messaging functionality in our mobile and web applications. Our team continues to collect feedback from our users about how pMD Messaging works for them in their medical practices, which helps us prioritize new features and think about what makes a great messaging product. pMD’s HIPAA-compliant text messaging is unique in that we enable users to securely communicate about patient information, but in certain aspects, we take cues from other text messaging programs (of which there are a countless number!) that many people use for everyday communication.

With such a large offering of different messaging platforms available for smartphones, tablets, and the web, what components make a secure messaging product stand out from all the others and become indispensable to its users?

Cross-Platform Functionality. Many of my colleagues and friends use iPhones, but I’m an Android user. Oftentimes, medical practices have a “no cell phone” policy for their office-based employees, but those employees still need to communicate information to their physicians in the hospital in real time. Having a messaging product that works seamlessly across different mobile operating systems as well as the web is essential for uninterrupted communication, especially for time-sensitive information.

Read Receipts. Whether I’m waiting for a confirmation from home that the cat was fed his dinner, or a nurse is waiting for acknowledgment that a doctor received her notes about a new consult in the emergency room, knowing whether or not your message was read is an essential feature for any messaging application.

Emoticons? We’ve gotten a surprising number of requests for emoji support in our secure messaging software. I guess I understand the appeal of quickly replying with a thumbs-up icon instead of stopping to type out the words “got it,” but I’m not sure if I’d be able to decipher how a string of emoticons translated to patient care instructions.

Custom Ringtones. My personal preference is to have my phone on mute whenever possible, but that’s not always an option for busy doctors! Being able to assign custom alert sounds to certain contacts or applications can be essential for a physician on weekend call waiting for messages from the hospital (or, for the rest of us, simply trying to ignore the latest wave of push notifications from Candy Crush). That’s why we’re very excited to be adding custom ringtones to the pMD application soon!

These are the current and future messaging features that have been on our mind lately at pMD. We are always keeping our ears open for customer feedback, and we’re looking forward to hearing about other features they’d like to see added to our software down the line!

Hospitals and health systems are making slow progress toward securing their networks and patient data, and this year’s HIMSS Cybersecurity Survey surfaced what many health care organizations are afraid of: cybersecurity threats are continuing to rise, with two-thirds of organizations having experienced some sort of security incident but less than a tenth feeling they have adequate technology to protect themselves against security threats.

Our software helps physicians communicate about patient care compliantly, so naturally we ask new customers what kinds of communication software they typically use. iMessage is the popular choice given its unparalleled ease of use and ubiquity. And while iMessage has some methods of encryption that make it tougher for attackers between you and Apple’s server to hack your data, it’s not a foolproof or HIPAA-compliant way to share PHI. Physicians are too busy to use the clumsy, slow, feature-lacking secure messaging software that epitomizes most apps on the market, so most of them revert to iMessage and claim that the government can fine them or put them in jail all they want. But we can’t afford to lose good doctors to the government, especially given the imminent doctor shortage!

If physicians are going to change their nonsecure texting behavior, they need to have a convenient and fast secure messaging app. Watching a wheel spin for 10 seconds to load a conversation each time would cause anyone to trash an app - and I’ve seen this firsthand on far too many messaging apps.

There are a variety of tools that go into protecting sensitive data against security threats, including antivirus, firewalls, data encryption, audit logs, and vulnerability management. With the increasing government changes, it’s more important than ever to empower health care organizations with the best security software.



2014 was beset by cyberattacks and health care privacy breaches (let’s not forget Sony’s recent escapade), so it’s no surprise that cybersecurity regulations will be heightened in 2015. Earlier this month Jocelyn Samuels, Director of the Office for Civil Rights (OCR) at the Department of Health and Human Services, addressed the severity of the current health care IT security issues:

“We are certainly seeing a rise in the number of individuals affected by hacking [and information technology] incidents, as reported by entities under our breach notification requirements, especially those due to malware compromising the security of information technology resources,” wrote Samuels. Samuels asserted the agency’s proactive HIPAA enforcement priorities for 2015 and increased focus on ePHI security.

Working with medical practices and physicians on a daily basis with charge capture, it surprises me how nonchalant many providers are when it comes to HIPAA compliance with patient data. Their goal is to care for their patients, and seemingly tedious regulations are often ignored. But a new phase of HIPAA audits is about to take place among medical organizations and will make the regulations that much harder to ignore.

Initial HIPAA-compliance audits occurred in 2011 and 2012 to determine if health care organizations were in compliance with security regulations around health care data. The rollout of phase 2 of the HIPAA audits was delayed in 2014, but the audits are expected to start in early 2015. HIPAA regulations apply to covered health care organizations as well as their business associates; those that hold or access sensitive patient data on a regular basis are eligible. Organizations found in violation of HIPAA regulations during the audits could face financial penalties.

If you haven’t done so already, and we sure hope you have, now is the time to implement a robust HIPAA-compliance policy. This includes adopting HIPAA-compliant software such as secure messaging and other data encryption techniques. It’s important to also test your systems for vulnerabilities that can leave sensitive patient information susceptible to breaches and malware. If you were to undergo a HIPAA audit today, would you pass?

Additional information for HIPAA audits, such as timing, scope, and guidelines, will be posted on the OCR website in the coming months.

We’re extremely excited about our upcoming release of attachment support for pMD’s HIPAA-compliant secure text messaging. This feature will allow pMD users to send one another highly sensitive data, such as photos of patient charts, copies of lab results, PDF documents, and much more. For me, as a member of the development team at pMD, the task of determining how to store all these files securely and efficiently presented a unique challenge.

pMD provides mobile software that improves patient care through charge capture, care coordination services, HIE implementation, and secure messaging. Due to the sensitive nature of the information providers exchange, it is essential that their data be stored within the secure confines of our data centers, not with a third-party service. So, we needed to find a top-notch storage system, capable of housing millions of files, that we could install on dedicated servers that we manage ourselves.

After several weeks of detailed research and testing, we established a clear winner. This system met and exceeded all of our requirements. Its name is Swift, and it’s part of the OpenStack suite of cloud software. OpenStack products are specifically built for companies like pMD who want to deploy powerful, yet easy-to-use tools in their private clouds.

In our search for the right storage solution, we formulated a list of five major requirements that any contender must meet. Here is how Swift addresses each of these items:

Highly available / replicated. First and foremost, we required a system that would be tolerant of hardware failures. Swift makes several copies of every file it stores so that if a hard drive, or a server, or even an entire data center has a problem, we are guaranteed to have other copies of the data still available. Once the specific failure is repaired, Swift is smart enough to catch the server(s) back up with whatever they missed while offline.

Distributed. We needed the system we picked to make every file available to every machine on our internal network. In other words, we couldn’t just plug an external hard drive into one of our web servers, like you might do at home if you needed extra room for your photos and videos. Swift runs on dedicated servers in our data center. It provides something that we call an Application Programming Interface (API) in the software world, which is a simple interface that our other systems can use to talk to Swift whenever they need to save or retrieve files.

Scalable. It was very important to us to find a solution that could grow with the demands of our customer base. Swift is incredibly flexible. Whenever we want to increase our storage capacity, we can just pop some new hard drives into our existing servers or add a brand new server, tell Swift about the new components, and Swift immediately starts utilizing the additional space they provide.

Secure. Our users are health care professionals and they rely on pMD to help them securely manage sensitive patient data. Because of this, the system we chose to store their message attachments had to support HIPAA-compliant, modern, best-in-class encryption. Swift offers several sophisticated levels of security that allow us to encrypt and protect all the files it houses.

Easy to operate. Finally, as developers responsible for maintaining pMD’s infrastructure, we wanted a well-built system that we could install and rely on. We didn’t want a solution that would require a large amount of daily maintenance. As you can see, Swift is a sophisticated system. However, it’s also incredibly self-sufficient. Once it’s installed, it requires very little input from us to keep it running like a well-oiled machine.

We’ve been running Swift on a number of shiny new servers in our data centers for about a month now as we prepare our attachments feature for release. It’s been incredibly fun to work with, and it has blown us away with its power and performance. We can’t wait to give attachments to our users so that they too can experience the power of Swift!

Physicians have been texting each other about patient care since the invention of the BlackBerry, if not before. Texting is the perfect medium for direct provider-to-provider communication, which is critical in the hospital environment where the sickest patients need round-the-clock care by a diverse team of specialists. Since the HIPAA Omnibus changes came into effect in late 2013, medical practices have scrambled to secure their texting so that they could continue to communicate in real time while complying with the law.

Replacing SMS text messages is not without its challenges. Traditional texting is very reliable. All you need to receive an SMS text message is the barest, most minimal cellular signal - "1x," let's say, or "EDGE."

Pagers, still a staple of the medical industry, are even more reliable. They use a different wavelength that can penetrate buildings and landscapes with ease. In an industry where getting a message means the difference between a patient getting care or not getting care, it's no wonder that the pager is beloved by so many physicians. The message always arrives.

Compared to these increasingly old-school methods, secure text messaging apps offer many benefits, such as a global address book for the practice and protection of any HIPAA-sensitive patient information. But to gain all-important physician adoption, the app needs to overcome the challenges of the hospital environment where it’s hard to find a strong and reliable data signal.

For example, a pediatric hospitalist walks into the Pediatric ICU to see some patients. This room is deep within a hospital sub-basement, and she doesn’t have any data service there - just the barest sliver of phone reception. A basic secure texting app uses its own push notifications to notify users that there’s new information, but she won’t receive that app notification until hours later when she’s done seeing patients. By that time it may be too late for her to act on it, and she may have made some medical decisions without having the most up-to-date information.

A more advanced secure text messaging app also offers fallback options if a device can't be reached in a timely fashion. Knowing that the hospitalist may not have data service if she hasn’t read the message after a period of time, the advanced app can try other ways to notify her that she has a message waiting, such as sending a reminder by regular SMS text message, or even by voice call, that contains no sensitive data. These often get through even when app push notifications don't. At this point, the hospitalist can return to a place where she has data coverage, or can find a computer on which to read the message.

The best secure text messaging apps embrace the unpredictability and constraints of the chaotic hospital environment. This is why pMD took into account the frustrating cell reception in health care facilities when we designed our HIPAA secure text messaging and mobile charge capture software. This is such a key usability factor that we engineered an entire system of notifications and reminders to make sure that providers would know they have a message waiting in pMD, even if they are outside of data service. An app is more than an app when it has a system backing it that makes sure the message gets delivered - it becomes a reliable tool to save lives. This provides the peace of mind that makes doctors happy.

Smartphone technology has evolved to include so many far-reaching capabilities that these compact devices are incredibly powerful. Just look at how smartphones have permeated and changed the health care industry, becoming a valuable aid for doctors. Unfortunately, the responsibility that is so important when using smartphones, particularly in health care, is not a universal practice.

Take, for example, a doctor in Seattle who is being accused of partaking in some unscrupulous and bizarre activity using his smartphone. This anesthesiologist is said to be responsible for sexting during surgeries and taking explicit selfies at the hospital - at one point sending 45 dirty messages during a single operation. His medical license has been suspended due to “lack of focus.” Apart from these sexual perversions being offensive and disturbing, there are some larger problems with his messages at play here. Why was this doctor not using a secure messaging system? What if he had sent one of his messages to the wrong number? A traumatic experience, indeed.

This goes to show how important it is to use a secure text messaging system. And not because you can then send selfies to your colleagues with abandon. A secure text messaging system allows you to have a reliable and accessible list of contacts in your network and send information safely and quickly. Our latest release coincidentally elaborates on secure text messaging for health care professionals that improves communication within the medical community.


Many health care organizations have already deployed secure email software but don't realize that their providers are still sending sensitive patient information to each other via SMS text messages. Text messaging is king, especially in the hospital setting where highly mobile physicians need fast answers about the sickest patients and aren't always in front of a computer.

But secure text messaging solutions aren't all the same. SMS text messaging is very easy to use and everyone already has it installed on their phone, so if you expect a secure replacement to get widespread adoption, the secure texting software actually has to be better than SMS in some way. In this series, I will share some areas of opportunity that we've discovered at pMD while helping our customers deploy our secure text messaging software. If you're in the market for something like this, I hope you find this series informative and that it inspires you to seek the best solution on the market for your needs!

This scenario may sound familiar: you send someone an SMS text message about something important and you're waiting to hear back. Some time later, you realize that you haven't heard back. Maybe the recipient didn't get your message. You decide to open up your text messaging app, but it doesn't say one way or the other. You start to wonder if you should send another text message, or maybe even call the other person. Then something distracts you and you lose the thread. It could be a while before you think to check again, and your phone won't bring the unread message to your attention. The recipient might not have received your message, or might not have noticed when it arrived; either way, the thread of communication stopped there.

Most secure text messaging software on the market actually makes this problem more severe. Unlike SMS text messages, you need a data signal (WiFi or cellular data) in order to get notified about a secure text message that was sent to you. Most hospitals are riddled with dead zones where you can't find out right away that a secure text message was sent to you because there isn't enough data signal for push notifications to reach you. This is dangerous in the hospital setting where providers are sending time-sensitive clinical information and they expect it to work like SMS.

To solve this problem, seek a solution that will automatically follow up on your behalf. Replaying the scenario described above, if the recipient hasn't received or hasn't read your message after a period of time, the software should automatically follow up with an SMS text message reminding them that they have a secure text message from you. Even if they don't have a data signal, they can get this text message reminder - you don't have to remember to text them to see if they got your first message because the system does it for you.

Ideally the software should follow up again, this time with an automated voice call, if the recipient still hasn't read your message in pMD after even more time has passed. Though more intrusive than an SMS, the voice call is appropriate for time-sensitive messages like a stat consult - in other words, situations where you yourself would call the recipient if you didn't get a quick reply... if you remembered to. Automation makes this consistent and saves you the trouble.

If the recipient got distracted or was unreachable and never read your message, at a certain point you want to know that. Most secure and non-secure messaging systems require you to actively keep checking the status of the message to see if it was read. You should look for a system that instead closes the loop by actively letting you know that the recipient hasn't read it yet after more time has elapsed. This way you don't have to check the status of the message and you can't forget to check it.

Putting all these reminders together, you should seek a secure text messaging solution that acts like a concierge or assistant for your communication. It should follow up for you, using different types of reminders that don't rely on data and that become increasingly hard to ignore. Finally, if your message still wasn't read, the system should let you know so you can try to reach the person a different way, or find someone else to contact. That way if your message wasn't read, you'll be the first to know.

These follow-up actions shouldn't be needed most of the time, but when they kick in, you’ll be relieved to know that your message isn't just sitting out there in limbo. Hospital-based physicians can find great peace of mind in knowing that their messages are not only secure, but also persistent.
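
The follow-up ladder described in this post, and in the earlier post about hospital dead zones, can be sketched as below. This is an added example, not pMD's code: the delays, class names and function names are assumptions, since the posts only say "after a period of time". It shows the two properties that matter: reminders sent over SMS or voice are built from fixed templates so nothing from the message body leaves the secure app, and reading the message cancels every step that has not fired yet.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed delays: the posts only say "after a period of time".
LADDER = [
    (timedelta(minutes=5), "sms"),             # plain SMS reminder to recipient
    (timedelta(minutes=15), "voice"),          # automated voice call to recipient
    (timedelta(minutes=30), "notify_sender"),  # close the loop with the sender
]


@dataclass
class SecureMessage:
    msg_id: str
    sender: str
    recipient: str
    body: str                      # may hold PHI; never leaves the secure app
    sent_at: datetime
    read_at: Optional[datetime] = None
    steps_done: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Action:
    channel: str
    to: str
    text: str


def reminder_text(channel: str, msg: SecureMessage) -> str:
    """Build reminder text from fixed templates only.

    SMS and voice are not secure channels, so nothing from msg.body is
    ever interpolated; only the participants' names appear.
    """
    if channel == "notify_sender":
        return f"Your secure message to {msg.recipient} has not been read yet."
    return (f"You have a secure message waiting from {msg.sender}. "
            "Open the app to read it.")


def due_actions(msg: SecureMessage, now: datetime) -> List[Action]:
    """Return reminders that are due at `now` and record them as sent.

    Safe to call on every scheduler tick: a step fires once, and a read
    message cancels every step that has not fired yet.
    """
    if msg.read_at is not None and msg.read_at <= now:
        return []
    actions = []
    for delay, channel in LADDER:
        if now - msg.sent_at < delay or channel in msg.steps_done:
            continue
        to = msg.sender if channel == "notify_sender" else msg.recipient
        actions.append(Action(channel, to, reminder_text(channel, msg)))
        msg.steps_done.append(channel)
    return actions


def run_timeline(msg: SecureMessage, minutes: List[int]) -> List[str]:
    """Poll at the given minute offsets and list 'minute:channel' events."""
    events = []
    for m in minutes:
        for action in due_actions(msg, msg.sent_at + timedelta(minutes=m)):
            events.append(f"{m}:{action.channel}")
    return events


if __name__ == "__main__":
    # Constructed sample: names and clinical details are made up.
    sample = SecureMessage("m1", "Dr. Adams", "Dr. Baker",
                           "Jane Doe, bed 4, potassium 6.1",
                           datetime(2015, 1, 1, 9, 0))
    for event in run_timeline(sample, [1, 6, 6, 16, 31]):
        print(event)
```

If the scheduler itself was down and polls late, every overdue step fires on the next tick, in ladder order.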