Latest Technologies, Industry Trends & Best Practices

In the World of Mobile Messaging Applications, there are NO Privacy Guarantees

On Thursday 8 May 2014, the Federal Trade Commission (FTC) settled charges with mobile messaging application maker Snapchat. As the Wall Street Journal article reports, the gist of the alleged infractions (which were neither admitted nor denied by Snapchat) all relate to misleading consumers in one of three ways:

1. “By telling them (consumers) that messages would disappear.”
2. “Misrepresenting its (Snapchat’s) data collection practices.”
3. That Snapchat “didn’t adequately protect users’ personal data.”

I am not a lawyer, nor do I want to comment directly on the misfortunes of Snapchat, which has now been ordered to implement a new comprehensive security program and agree to 20 years of monitoring by the FTC (an eternity in the technological world). I bring this situation up only to raise two discussion points: 1) what a technology company can and cannot guarantee users, and 2) what users of technology should look for in an application provider.

Working for technology companies for the last 25 years, I have seen many amazing changes occur in rapid fashion. We have gone from completely locked down proprietary systems where no Internet existed, to today’s cloud-based unified communications, where a 7-year-old can operate a smartphone to access an application that is maintained halfway around the world. As technology becomes more invasive in our lives, privacy issues are bound to increase exponentially. Perhaps part of the allure of today’s secure messaging trend is a direct backlash against broadcast technology, which has been so popular during the last few years. There seems to be a tug & pull between several technology trends: broadcast media vs. directed media; permanent vs. ephemeral content; data collection in order to serve up targeted online ads vs. temporary communication; contextual based communication vs. non-contextual communication; paid vs. free applications, and finally privacy vs. public disclosure. 

I cannot help but feel sorrow for a technology company that builds and launches (often for free) a great product that satisfies the needs of the vast majority of their users, but still gets slammed by the small minority, who complain to the Federal Government (in this case the FTC). Keep in mind, these users chose to use the product in the first place! The takeaway may be that technology companies need “full disclosure” of what their applications can and cannot do (explained in layman’s terms), and in addition they need to be up front about any information they gather on their users. The old adage that “nothing is free” may apply here. After all, how could Snapchat provide a product for free with no strings attached? How could anyone for that matter? Perhaps users should look to technology companies that charge small fees for usage of their applications, but also fully disclose the application’s capabilities and limitations as well as if/how they handle customer information.

For instance, is making a claim that content will disappear guaranteed 100% of the time even a viable promise? Most people know that if you want to capture a screen on an Apple iPhone you push down on the “Hold Button” and while holding it down, you push down the “Home Button.” Most any message, or photo, sent to an iPhone user is susceptible to being copied and kept. Even if a technology company creates a product where the normal “screen capture” as described above does not work – what is to stop the recipient of a message whose content is meant by the sender to be private, from using a digital camera or secondary smartphone and taking a picture, or movie, of the screen and making it public? My point is there are myriad ways for the recipient of any form of media to copy and keep what is sent to them. There are even 3rd party programs specializing in thwarting “disappearing” messages and images.

Let’s assume that in a professional business environment/setting the recipient’s and sender’s goals are aligned. In other words, the sender and receiver both want the text, photo, and/or video to disappear once they have reviewed it. If this is true, then most smartphone applications that promise privacy will be able to deliver. It is the case in which the sender’s and recipient’s goals are not aligned that we need to prepare for. What users need to know is that there is no 100% guarantee that text, images, and/or videos will disappear as intended by the sender, especially if the recipient’s goals are opposing or immoral. No technology vendor will be able to anticipate and prevent every unintended consequence of the use of their technology. Common sense by users should prevail.

With regard to what technology users should look for in an application provider, I would start with the belief that users of technology and those that create technology are partners. Partnerships will only be viable if there is a foundation of kindness, respect and honesty. So how does one determine if a technology company is a viable partner? Begin by excluding any companies that have proven they are not reliable partners. Review potential partners’ privacy policies and ensure that they adhere to them and that you agree with them.

Another strength of the technology revolution is that users of technology have choices – they can vote with their feet, e.g., move to another application. In addition, and as mentioned above, nothing is free, so perhaps look for a technology provider/partner that charges a reasonable fee and clearly states realistic expectations in their privacy policy. For example, if you are looking for a secure messaging technology provider, ensure that their Privacy Policy states that all content on both servers and devices (smartphones) is encrypted to a certain level, encrypted during transmission through SSL, but that the vendor cannot guarantee content is not abused by recipients of that application. By being upfront and honest, the user knows the technology company’s privacy status and is well aware of what they are signing up for.

Lastly, look for a technology provider who promises their sole source of funding is from the proceeds derived from sales by users of their technology and that they never share information with any 3rd parties at any time. They may charge users a small fee to use the application, but these days a small fee seems well worth the privacy it may buy. Just ask Snapchat.

Startel Secure Messaging: Achieving Privacy & HIPAA/HITECH Compliance

Text messaging (sending and receiving alphanumeric messages) is ubiquitous. Since 1982, mobile phones have had texting capability. Mobile phones utilize the mobile cell phone network and have access to the Public Switched Telephone Network (PSTN). Each message utilizing SMS (Short Message Service) is limited to 160 characters, and uses telephone protocols, such as GSM, CDMA, etc.

The advent of the smartphone in 1994 (basically any phone with an operating system that can manage an application) brought the opportunity for phones to access the Internet (opened for public use in the 1990s), which was a completely different channel of communication from the mobile cell phone network controlled by an oligopoly of carriers. This is why when most smartphone users begin service they have both a voice plan (for mobile cell phone network access) and a data plan (for Internet access). Now with the convergence of smartphones and the Internet, text messages can be sent via the public Internet, and use Internet protocols, e.g., TCP/IP, thus bypassing the carrier cabal.

Why am I bringing you down this road?
Because to understand today’s world of secure messaging it is important to know which highway text messages flow through and how those messages might be made HIPAA/HITECH compliant. Sending a text message via telephone protocols built by the carriers offers no guarantee that access to the messages will be protected from anyone with despicable intentions and means. In contrast, sending a text message via the Internet makes the use of “direct” encryption options possible. Using the Internet as the platform for sending and receiving text messages places control of whether to encrypt, or not encrypt, in the hands of the application developers and users. Using the mobile cell phone network to send and receive text messages, users are at the mercy of carriers with little incentive to encrypt messages, e.g., it adds cost and complexity to their model. In addition, carriers are designated “conduits” by HIPAA/HITECH and therefore do not share any potential liability in the case of breaches of ePHI (electronic protected health information). It should be noted that no carrier guarantees that SMS messages are encrypted during the time the message is running through their network. Since communications (including texts) most often traverse multiple carriers in the standard process of going from point A to point B, ensuring security is even less feasible.

So what is the answer to protecting ePHI while texting?

What is the best way to guarantee that a text message containing ePHI is encrypted?
The solution lies in an application that utilizes both the Internet and encryption algorithm technology. 

A few years ago, while discussing the concerns of Startel customers and their clients, we anticipated the need for a solution that would help prevent breaches of protected health information (PHI), or more specifically ePHI, and other private information. Soon after that discussion Startel launched a “cloud-based, device access only” secure messaging solution that is fully integrated with Startel’s Contact Center solution, the Startel Contact Management Center (CMC). Startel Secure Messaging is an application that can be downloaded onto any smartphone running an operating system such as iOS®, BlackBerry® OS or Android® OS. Once downloaded, the user is required to have a registration ID, which they can purchase from one of Startel’s telephone answering service customers or contact centers. Once the registration ID is entered, the application becomes fully operable for use either between the host (TAS or Contact Center) and the smartphone user, or between two smartphone users in a peer-to-peer situation.

The Startel Secure Messaging application employs password protection, registration IDs and Secure Sockets Layer (SSL) technology to ensure that secure messages get where they are supposed to go, and only to their intended recipients. At a minimum, 128-bit encryption is utilized throughout the transport layer. Only the Startel Secure Messaging application has the ability to decrypt a message encrypted by Startel’s Secure Messaging application. If someone intercepted a Startel Secure Message during transport and used the fastest supercomputer on the planet, it would take them over 1.3 quadrillion years to break the message by brute force (source: http://www.kotfu.net/2011/08/what-does-it-take-to-hack-aes). Needless to say, the security of the ePHI is assured using the Startel Secure Messaging application.

Though the user of a smartphone would see no difference between a regular text message and a Startel Secure Message, the differences as noted above are tremendous. In today’s tech world, the power is to the people. No longer do a few carriers control whether the messages you and I send to one another can be read by a third-party. Currently, we are free to move about as we wish and encrypt at will.

A final note on HIPAA/HITECH compliance: Technology itself is not enough to be HIPAA/HITECH compliant. Technology can only assist in creating the environment where a user of ePHI can comply with HIPAA/HITECH. 

At a future date, I will provide details of an active Startel project whose result will be a cloud-based version of Startel Secure Messaging with Web Access, versus just device access only. Please stay tuned. 

HIPAA in the Contact Center: PHI and Encryption

To ensure that your organization and your clients are acting in accordance with the HIPAA Security Rule as it relates to ENCRYPTION of ePHI, I did some extensive research and found a resource written by the American Medical Association titled “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” The document addresses a number of questions among physicians and other health care professionals as well as other HIPAA-covered entities and business associates. Consider the points below as they relate to your usage of ePHI:

To Begin with, What Information Should You Encrypt?

Any systems and individual files containing PHI/ePHI should be encrypted. Examples include electronic medical records, claims payment appeals, scanned images, emails containing ePHI, etc.

Emails containing ePHI. If you or your clients (physicians) correspond with health insurers or other health care professionals via email and those emails contain ePHI, then you could be accused of failing to protect ePHI for which you are responsible.

Encrypt all devices containing ePHI. Passwords are not enough, especially in the event that a hard drive was removed from a laptop containing ePHI. All devices that contain ePHI, including laptops, PCs, smartphones and tablets, need encryption technology, preferably “whole disk encryption” technology.

If ePHI is accessed via the Internet, encrypt those sessions. Since data that is published on the Internet is available to the public, you need to check with your Web service provider to ensure that any PHI that travels across the Internet is protected by secure sockets layer (SSL) or similar technology.

Encrypt any other remote access sessions. If you have a situation in which physicians/staff connect to the home office remotely to read email or access other resources containing ePHI, then this access may constitute a vulnerability to unauthorized snooping. It is important that these sessions be conducted using encrypted tunnels, or VPNs.

What Happens If a Security Breach Occurs at an Organization That Uses Encryption Technology?

If the ePHI is stored and transmitted in encrypted form, then you do not need to notify patients. This only applies to HIPAA-covered entities and business associates that use encryption technologies that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals.

How do Startel’s Solutions Help Organizations Protect ePHI?

Businesses that handle sensitive information are not only morally obligated to protect sensitive, private and personal information of their clients; they are legally obligated to do so. Startel’s Encrypted Email Service enables compliance with HIPAA by utilizing Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption protocol. This protocol converts email messages from a readable plaintext format to a scrambled cipher text format. Only the recipient using the private key that matches the public key used to encrypt the email message can decipher the message. If someone intercepts the message without access to the private key the email message would appear only as garbled text.

The private and public keys are the means for both encoding and decoding email messages. Essentially the unique private/public key acts as a distinctive digital signature bound to a particular email address.

In addition, the Startel Encrypted Email Service is encoded utilizing the Advanced Encryption Standard (AES) 128-bit block size. This level of cryptography ensures security is maintained for all encrypted messages. Any attempt to “break” an encrypted message secured at 128-bit encoding would take billions of years to try every possible combination.
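The S/MIME behaviour described above (encrypt to the recipient's public key, decrypt only with the matching private key, AES-128 for the content) can be reproduced with the openssl command line. This is an added example, not Startel's code or configuration; the certificates, addresses and message text are constructed, and the function name `smime_demo` is hypothetical.

```shell
#!/bin/sh
# Added example: S/MIME encrypt/decrypt round trip with the openssl CLI.
# Certificates, addresses and message text below are constructed for the demo.

smime_demo() {
    dir=$(mktemp -d) || return 2

    # Two independent identities, each with a self-signed certificate (public
    # key) and its own private key. "other" stands for anyone but the recipient.
    for who in recipient other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$who@example.test" \
            -keyout "$dir/$who.key" -out "$dir/$who.crt" 2>/dev/null || return 2
    done

    printf 'Constructed sample: call back patient in room 4\n' > "$dir/msg.txt"

    # Sender side: encrypt to the recipient's certificate only, AES-128 content cipher.
    openssl smime -encrypt -binary -aes128 -in "$dir/msg.txt" \
        -out "$dir/msg.p7m" "$dir/recipient.crt" || return 2

    # What is visible in transit: the message text must not appear in the output.
    if grep -q 'room 4' "$dir/msg.p7m"; then wire=plaintext; else wire=opaque; fi

    # Recipient side: the matching private key recovers the exact message.
    if openssl smime -decrypt -binary -in "$dir/msg.p7m" -recip "$dir/recipient.crt" \
            -inkey "$dir/recipient.key" -out "$dir/out.txt" 2>/dev/null \
        && cmp -s "$dir/msg.txt" "$dir/out.txt"; then
        match=decrypted
    else
        match=failed
    fi

    # Any other key pair is not a recipient of this message and is refused.
    if openssl smime -decrypt -binary -in "$dir/msg.p7m" -recip "$dir/other.crt" \
            -inkey "$dir/other.key" -out "$dir/other.txt" 2>/dev/null; then
        nomatch=decrypted
    else
        nomatch=refused
    fi

    rm -rf "$dir"
    echo "wire=$wire recipient=$match other=$nomatch"
}

smime_demo
```

The protection shown here rests entirely on the recipient's private key file staying private; anyone who obtains that key can decrypt every message sent to the matching certificate.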

Users of Startel’s Encrypted Email Service have peace of mind knowing that their messages remain secure and private during transmission and storage.

In my third blog post on this topic, I will address how Startel’s Secure Messaging application handles ePHI and specifically, how it complies with HIPAA.

Source: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf
