Originally published on May 25th, 2016.
Why using WhatsApp to send Protected Health Information (PHI) may not be a good idea.
In 2015, the number of physicians using mobile devices and mobile applications to handle HIPAA-protected patient health care information skyrocketed. According to a report from mobile security company Skycure, 99% of physicians now own mobile devices. In 2015, 46% of those physicians used picture messaging to share patient data on their mobile devices. 33% reported using WhatsApp for this kind of sharing, and more than 65% used SMS or texting.
I want to call out how incredible it is that so many physicians are innately attracted to mobile technology as a tool for handling patient care. 65% is a huge number - it shows flexibility, increased mobile health opportunities, and an increased interest around technology adoption from care providers. Plus, mobile health has the potential to increase access to health care coverage for millions of people all over the world. Overall, these numbers are a huge win.
Adoption is high, but how are the security measures?
What’s not so much of a win - what needs more work, rather - is the security around the use of mobile technology to share patient data. In their study, Skycure estimated that more than 43% of the devices used by physicians were at a moderate to high risk for exposure to a security breach.
In 2015, the U.S. Department of Health and Human Services tracked more than 260 healthcare security breaches that affected 500+ individuals. And on that list, 9% of the hacks occurred on mobile devices. You may have heard of some of these bigger breaches, including the BlueCross BlueShield hack, which exposed data from more than 10 million members after the company’s IT systems were hacked. Anthem and Premera Blue Cross were also attacked last year in high profile cases, exposing thousands of pieces of data from thousands of patients. This has happened across other industries, too, but it often appears that healthcare is exceptionally at risk. As a majority of physicians use their own personal devices as a way to streamline their workflow, there are added security issues to consider. Unlike devices provided by a hospital or health system, which are subject to rigorous security procedures, personal devices typically carry fewer security measures, so physicians who use them to share patient data are opening themselves up to additional risk.
Is end-to-end encryption the answer?
That brings us back to what happens when physicians share PHI using their phones. Earlier this year, on April 5, 2016, WhatsApp responded to security and privacy concerns by adding encryption to their application. 33% of physicians in Skycure’s report mentioned using WhatsApp for messaging, likely because the application is free, allows for image sharing, and can be used over wifi internationally. Generally, when an image gets sent from one device to another using WhatsApp, that image is automatically stored in the phone’s storage. And prior to this update, that health information was not securely protected in any way by WhatsApp, opening up the possibility of hacking and other potential security dangers.
WhatsApp’s response - an encryption setting - is a semi-win. In a nutshell, the message is encrypted before it leaves a physician’s phone and goes into the wifi or cellular data network. It will stay encrypted during its journey through cyberspace, and will then arrive at a participant’s phone in an encrypted state, in WhatsApp. Basically, WhatsApp has set up an encryption “tunnel”: when patient health information is in that “tunnel,” it’s secure and no one without permission can access it.
However, this encryption is mostly fixing a different problem than the one that needs to be fixed. This service does help skirt the problem of WhatsApp owning specific chunks of data (unlike Apple, the government could never request access to WhatsApp’s individual data - it’s encrypted, and doesn’t belong to them). But despite providing an encryption “tunnel,” the data is not encrypted on either mobile device itself, before it is sent or after it arrives. Within healthcare, this fix doesn’t yet solve most of the problem: once the message or image is downloaded on a phone, it’s still vulnerable to attack.
HIPAA compliant messaging requires more security measures than this, as you may know: the data must be encrypted while it’s in transit AND while it’s stored. The information should be password protected, with strict controls about who uses which pieces of information and why. HIPAA also has rules around emails and texts, including when you’re supposed to delete a message and how.
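The transit-versus-storage gap described in the last three paragraphs is easy to see in code. The following is an added example, not code from the original post and not WhatsApp’s implementation: it models a message sealed under a session key for the “tunnel,” decrypted on arrival for display, and then written to the phone in two ways - as the plain bytes the post describes (readable by anything that reads the phone’s storage) and under a separate storage key derived from a device passcode. The cipher is a stand-in built from HMAC-SHA256 so the example runs with the Python standard library alone; a real app would use an AEAD such as AES-GCM. The message, passcode, and file names are constructed sample values.

```python
"""Transit vs. at-rest protection for a received PHI message (illustrative, stdlib only)."""
import hashlib
import hmac
import secrets

# --- Stand-in authenticated cipher (toy: HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC).
# --- It is here only so the example runs offline; use AES-GCM or ChaCha20-Poly1305 in real code.

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- The "tunnel": protection only between the two apps.

def send_over_tunnel(session_key: bytes, message: bytes) -> bytes:
    """Sender side. What leaves the phone, and what the network sees, is only the sealed blob."""
    return seal(session_key, message)


def receive_from_tunnel(session_key: bytes, wire: bytes) -> bytes:
    """Receiver side. The app decrypts to display; from here on the tunnel protects nothing."""
    return unseal(session_key, wire)


# --- Storage on the phone: the part end-to-end encryption does not cover.

def storage_key_from_passcode(passcode: str, salt: bytes) -> bytes:
    """Slow KDF so the at-rest key is bound to something the user knows (assumed passcode)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000)


def store_unprotected(store: dict, name: str, data: bytes) -> None:
    """What the post describes: the received media lands in storage as plain bytes."""
    store[name] = data


def store_protected(store: dict, name: str, data: bytes, passcode: str, salt: bytes) -> None:
    """At-rest encryption: the same bytes, sealed under a key the device alone cannot derive."""
    store[name] = seal(storage_key_from_passcode(passcode, salt), data)


def read_protected(store: dict, name: str, passcode: str, salt: bytes) -> bytes:
    return unseal(storage_key_from_passcode(passcode, salt), store[name])


def demo() -> dict:
    message = b"Patient MRN 000123: chest CT attached, please review"  # constructed sample, not real PHI
    session_key = secrets.token_bytes(32)  # stands in for the key the two apps negotiated
    wire = send_over_tunnel(session_key, message)
    received = receive_from_tunnel(session_key, wire)

    store: dict = {}  # models the phone's file system
    salt = secrets.token_bytes(16)
    store_unprotected(store, "chat/img_001", received)
    store_protected(store, "vault/img_001", received, "1234", salt)
    try:
        read_protected(store, "vault/img_001", "0000", salt)
        wrong_passcode_rejected = False
    except ValueError:
        wrong_passcode_rejected = True

    return {
        "transit_hides_phi": message not in wire,
        "received_matches": received == message,
        "unprotected_copy_readable": store["chat/img_001"] == message,
        "protected_copy_readable": message in store["vault/img_001"],
        "correct_passcode_recovers": read_protected(store, "vault/img_001", "1234", salt) == message,
        "wrong_passcode_rejected": wrong_passcode_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two storage paths differ only in the last step, which is the whole point: the tunnel already guaranteed `transit_hides_phi`, but `unprotected_copy_readable` is true for the copy the messaging app leaves behind, and only the passcode-bound copy fails to reveal the message. Whether the at-rest layer comes from the messaging app, the OS, or a separate container app is a policy choice; what HIPAA asks for is that the layer exists.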
WhatsApp is still usable for transmitting PHI, despite all this - but using it will require another layer of password protection and security, likely in the form of another app, because those pieces don’t yet exist within the application itself. Unfortunately, the best option now is for physicians to simply download and use other HIPAA compliant messaging apps, like Lua, which are improving but still feel less intuitive for mobile users.
Need for more HIPAA-compliant applications
The fact that physicians are fast adopting new technologies to handle patient care and PHI demonstrates an incredible opportunity for developers. Physicians have shown high levels of adoption, and there has been giant market growth already. WhatsApp is great, but perhaps it needs to be paired with pre-existing HIPAA-compliant apps. Or, perhaps there’s a need for new applications; physicians are using what’s available right now, but I think we need to start building more, and better, HIPAA-compliant mobile messaging options.
If you need help making sure your applications are HIPAA-compliant, reach out!
UPDATE – April 3rd, 2017:
It’s been almost a year since WhatsApp added end-to-end encryption, and it seems even that has its vulnerabilities when used in a browser setting, so what does that mean for healthcare? The conflict for many healthcare organizations will come down to their device policy - end-to-end encryption is the most secure when used on a mobile device, but not all organizations supply their physicians with devices. One only needs to look at the past U.S. election season to see the issues and scrutiny that arise when people bring their own device. But do we really expect physicians to keep track of multiple devices, and what does that do to their daily workflow? Does that distract them from the true task at hand, taking care of patients? How can we integrate some of these more secure messaging systems into the healthcare setting in a way that doesn’t disrupt the physician too greatly? If a physician does decide to use WhatsApp, what is the policy, and how does the provider ensure security and compliance?
All these issues, and more, need to be resolved in order to improve physician-patient communication in a seamless and integrated way. With many people now using mobile devices to communicate with loved ones, their bank, retail stores, and countless other institutions and acquaintances, it seems only fitting that they should be able to include their doctor as well.