Microsoft Send
-
@scottalanmiller said:
How do they deal with phone call security and email security then? Wouldn't the same issues apply?
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
As for email, they are not supposed to email PHI outside of the company. Inside is fine because all communication between the clients and the server is encrypted. For example - since the BOD didn't want to purchase a third-party secure texting solution, they use email to communicate about patients when they are off site.
Emailing everyone else (especially family) generally doesn't include PHI, so those just come and go as desired. Unlike texting, the email does provide the needed security for the internal communications, and then tacks on the desired external communications when desired.
-
@Dashrender said:
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
Are you sure? I thought that HIPAA made a point of all communications needing to be secure, I didn't know that they had a specific relaxation of the requirement for voice.
-
@scottalanmiller said:
@Dashrender said:
As far as I can tell though, considering the secure requirement of Personal Health Information (PHI) and unlikeliness of getting everyone in the world to switch to a single secure texting platform, I don't see this happening. They will be forced to use two separate apps.
You could always secure text messages. That would be the most annoying thing ever. Imagine a third-party encryption scheme for SMS!!
Of course it would either be crazy insecure or would break the 144-character limitation.
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
-
@Dashrender said:
As for email, they are not supposed to email PHI outside of the company. Inside is fine because all communication between the clients and the server is encrypted. For example - since the BOD didn't want to purchase a third-party secure texting solution, they use email to communicate about patients when they are off site.
Emailing everyone else (especially family) generally doesn't include PHI, so those just come and go as desired. Unlike texting, the email does provide the needed security for the internal communications, and then tacks on the desired external communications when desired.
What I meant was how do they handle their family email vs. their business one. I guess they have family email them at work and don't keep personal accounts?
This use of texting-like from Send would allow you to integrate texting into the system. But would only be useful as "appearing as text" to people inside.
-
@Dashrender said:
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
Right, so the solution to texting is to not use texting, which is what I've always said. I never suggested that IMing was bad.
-
That's what makes Send so interesting. It is an IM system that is powered by Exchange email. So you get the power of IM and the unified management of a single messaging platform.
-
@scottalanmiller said:
@Dashrender said:
The government doesn't place a burden on medical to secure voice conversations, so we don't care about those.
Are you sure? I thought that HIPAA made a point of all communications needing to be secure, I didn't know that they had a specific relaxation of the requirement for voice.
I know of no hospital or clinic, etc. that uses any type of secure voice communication, nor do they use secure faxing. I'm not sure that secure voice would even be possible for the general public.
I can think of two quick examples: patient talking to medical personnel, and provider to provider communications.
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
But the second option would never allow for this acceptance of risk. According to you, you're saying that provider to provider voice communications could only ever happen over a secure channel - and I know of no one who is doing that. And it's not been listed in the deficiencies of the HIPAA audits that were done two years ago (to the best of my knowledge).
The same goes for faxes. The auditors haven't dinged the audited for using non-secure faxing - as faxing is considered a secure communication (and we can argue that all we want).
-
@scottalanmiller said:
@Dashrender said:
That's why you replace it with an IM client that encrypts real time - something like Threema (which is free).
Right, so the solution to texting is to not use texting, which is what I've always said. I never suggested that IMing was bad.
@scottalanmiller said:
That's what makes Send so interesting. It is an IM system that is powered by Exchange email. So you get the power of IM and the unified management of a single messaging platform.
Exactly, on both points.
I didn't say you said texting was bad, I didn't even imply you said or even thought it. Though I will say that I think texting is bad and it's time to kill it!
Apple has already started down that road, but their solution is only good for other people on Apple mobile devices (unless they have a desktop client too?). They could really cement themselves in more by opening the Apple chat protocol they use to all platforms. And it's all encrypted to boot!
-
@Dashrender said:
I know of no hospital or clinic, etc. that uses any type of secure voice communication, nor do they use secure faxing. I'm not sure that secure voice would even be possible for the general public.
It's not, but my understanding of HIPAA is only that if it can't be secured that you can't use it, not that the lack of end user security allowed you to bypass the need for security. End user email can't be secured either in the same way. Same with texting. So any general law about security would curtail the use of all three the same.
-
@Dashrender said:
I know of no hospital or clinic, etc that uses any type of secure voice communication,
I've never dealt with one that was giving out patient data over the phone though, nor having worked in hospitals (big ones) for decades, have I ever dealt with one that actually took security or HIPAA seriously. That hospitals violate both the terms and the spirit of the regulation is what I would expect.
-
@Dashrender said:
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
That might work. I'm not sure if that qualifies or not. If that worked, why not do that for email?
-
@Dashrender said:
The same goes for faxes. The auditors haven't dinged the audited for using non-secure faxing - as faxing is considered a secure communication (and we can argue that all we want).
Auditors are just there to make money. They don't represent anything official. I've been a HIPAA auditor and I've brought it up. I worked in HIPAA consulting when HIPAA went into effect. Auditors can easily mention things that you won't get in trouble for or can miss things that you will. HIPAA can't be an exact science, it is best effort and common sense and "reasonable security."
I've seen hospitals pass inspections with patient data, on paper, blowing around in the parking lot.
-
@scottalanmiller said:
@Dashrender said:
In the first option, patient talking to medical personnel, the medical facility could require that a statement is made and accepted by the patient that this line is insecure and that they accept the risks of discussing medical issues over it and that it may be eavesdropped on, then assuming the patient accepts it, continue the conversation.
That might work. I'm not sure if that qualifies or not. If that worked, why not do that for email?
Because of the management - you'd need an email server that allowed easy management of who could and couldn't be sent PHI, and you still could never use it for provider to provider communications as stated earlier.
-
@scottalanmiller said:
I've seen hospitals pass inspections with patient data, on paper, blowing around in the parking lot.
Yes, but how did that data get there? Most likely a patient dropped it; it wasn't left there by a hospital employee (though it's true that it could have been an employee).
-
@scottalanmiller said:
@Dashrender said:
I know of no hospital or clinic, etc. that uses any type of secure voice communication, nor do they use secure faxing. I'm not sure that secure voice would even be possible for the general public.
It's not, but my understanding of HIPAA is only that if it can't be secured that you can't use it, not that the lack of end user security allowed you to bypass the need for security. End user email can't be secured either in the same way. Same with texting. So any general law about security would curtail the use of all three the same.
End user email can be sort of secured through the use of a portal. This is how all end user email is done today. We post something into our EHR web portal, the patient receives an email that there is something for them to view on the portal - assuming they care, they go there, log in and look at it.
-
@scottalanmiller said:
@Dashrender said:
I know of no hospital or clinic, etc that uses any type of secure voice communication,
I've never dealt with one that was giving out patient data over the phone though, nor having worked in hospitals (big ones) for decades, have I ever dealt with one that actually took security or HIPAA seriously. That hospitals violate both the terms and the spirit of the regulation is what I would expect.
Really? You've never heard a clinical person give test results over the phone? We give out negative (i.e. you are fine) type results almost every minute of the day via the phone. Positive results, depending on the severity, we might call you in for that.
Drs will give all kinds of information about patient care both to patients and other doctors over the phone - again I hear this daily.
-
@Dashrender said:
Really? You've never heard a clinical person give test results over the phone? We give out negative (i.e. you are fine) type results almost every min of the day via the phone.
No, but I guess, where would I really? If I could hear them it would be an obvious HIPAA breach and we never get medical news.
-
@scottalanmiller said:
@Dashrender said:
Really? You've never heard a clinical person give test results over the phone? We give out negative (i.e. you are fine) type results almost every min of the day via the phone.
No, but I guess, where would I really? If I could hear them it would be an obvious HIPAA breach and we never get medical news.
If you're working at a hospital - how could you not? I've been in ORs and heard doctors talking to someone on the phone giving full names and diagnoses. Here our phone triage area has several desks/phones - people calling in looking for answers, and anyone who walks by (granted it's in a non-public area, so the public wouldn't be walking by, but contractors definitely could be) can hear what they are talking about, and if the nurse confirms the name, etc. the person walking by will know who they are talking to as well.
-
@Dashrender said:
If you're working at a hospital - how could you not?
Most of a hospital does not have doctors talking to patients in it. That's just the public facing part, for the most part. Hospitals are huge things.
-
@scottalanmiller said:
@Dashrender said:
If you're working at a hospital - how could you not?
Most of a hospital does not have doctors talking to patients in it. That's just the public facing part, for the most part. Hospitals are huge things.
Sure, but you said you were working for a hospital, so I would assume you to be in the bowels of the hospital where the Drs and medical staff are, unless you only spent most of your time in the DC, in which case I'll just back away.