Text messaging (sending and receiving alphanumeric messages) is ubiquitous. Since 1982, mobile phones have had texting capability. Mobile phones utilize the mobile cell phone network and have access to the Public Switched Telephone Network (PSTN). Each message utilizing SMS (Short Message Service) is limited to 160 characters, and uses telephone protocols, such as GSM, CDMA, etc.
The advent of the smartphones in 1994 (basically any phone with an operating system that can manage an application) brought the opportunity for phones to access the Internet (opened for public use in the 1990’s), which was a completely different channel of communication from the mobile cell phone network controlled by an oligopoly of carriers. This is why when most smartphone users begin service they have both a voice plan (for mobile cell phone network access) and a data plan (for Internet access). Now with the convergence of smartphones and the Internet, text messages can be sent via the public Internet, and use Internet protocols, e.g., TCP/IP, thus bypassing the carrier cabal.
Why am I bringing you down this road?
Because to understand today’s world of secure messaging it is important to know which highway text messages flow through and how those messages might be made HIPAA/HITECH compliant. Sending a text message via telephone protocols built by the carriers offers no guarantee that access of the messages will be protected from anyone with despicable intentions and means. In contrast, sending a text message via the Internet makes the use of “direct” encryption options possible. Using the Internet as the platform for sending and receiving text messages places control of whether to encrypt, or not encrypt, in the hands of the application developers and users. Using the mobile cell phone network to send and receive text messages, users are at the mercy of carriers with little incentive to encrypt messages, e.g., it adds cost and complexity to their model. In addition, carriers are designated “conduits” by HIPAA/HITECH and therefore do not share any potential liability in the case of breaches of ePHI (electronic protected health information). It should be noted that no carrier guarantees that SMS messages are encrypted during the time the message is running through their network. Since communication (including texts) most often traverse multiple carriers in the standard process of going from point A to point B, the issue of ensuring security is even less possible.
So what is the answer to protecting ePHI while texting?
What is the best way to guarantee that a text message containing ePHI is encrypted?
The solution lies in an application that utilizes both the Internet and encryption algorithm technology.
A few years ago, while discussing the concerns of Startel customers and their clients, we anticipated the need for a solution that would help prevent breaches of protected health information (PHI), or more specifically ePHI, and other private information. Soon after that discussion Startel launched a “cloud-based, device access only” secure messaging solution that is fully integrated with Startel’s Contact Center solution, the Startel Contact Management Center (CMC). Startel Secure Messaging is an application that can be downloaded onto any smartphone utilizing the following smartphone operating systems, such as iOS®, BlackBerry® OS and Android® OS. Once downloaded, the user is required to have a registration ID, which they can purchase from one of Startel’s telephone answering service customers or contact centers. Once the registration ID is entered, the application becomes fully operable for use either between the host (TAS or Contact Center) and the smartphone user, or two smartphone users in a peer-to-peer situation.
The Startel Secure Messaging application employs password protection, registration Id’s and Secure Socket Layer (SSL) technology to ensure that secure messages get where they are suppose to go, and only to their intended recipients. At a minimum, 128-bit encryption is utilized throughout the transport layer. Only the Startel Secure Messaging application has the ability to unencrypt a message encrypted by Startel’s Secure Messaging application. If someone intercepted a Startel Secure Message during transport and they used the fastest super computer on the planet – it would take them using brute force over 1.3 quadrillion years to break the message (source: http://www.kotfu.net/2011/08/what-does-it-take-to-hack-aes). Needless to say, the security of the ePHI is assured using the Startel Secure Messaging application.
Though the user of a smartphone would see no difference between a regular text message and a Startel Secure Message, the differences as noted above are tremendous. In today’s tech world, the power is to the people. No longer do a few carriers control whether the messages you and I send to one another can be read by a third-party. Currently, we are free to move about as we wish and encrypt at will.
A final note on HIPAA/HITECH compliance: Technology itself is not enough to be HIPAA/HITECH compliant. Technology can only assist in creating the environment where a user of ePHI can comply with HIPAA/HITECH.
At a future date, I will provide details of an active Startel project whose result will be a cloud-based version of Startel Secure Messaging with Web Access, versus just device access only. Please stay tuned.