For years, email has been the primary means of communicating between people, friends and family. Networked messaging had its roots circa 1970, and by today’s standards it was very expensive, slow and unreliable, but that didn’t matter — We could connect in a way that was never done before, and that excited the world, and opened the doors of opportunity that can never be shut.
Those were simpler, more innocent times, we trusted one another. Users of these solutions were first the military and academia, all of whom required training on proper use of computing devices, with networks and computers connected to expensive equipment protected by obscurity and physical means. The concept of malice was uncommon and those who could do harm were overwhelmingly in the minority. Therefore, encrypting email messages was not a priority or even a common concept. As time passed, computing devices became cheaper, and the bulk of Simple Mail Transport Protocol (SMTP) — the programmatic rules for transferring messages, continued to grow, and eventually consumed over 75% of the traffic on the internet… That is to say that 75% of all internet traffic is still largely vulnerable.
The infrastructure we depend on so much for day-to-day communications is often the achilles heel for privacy breaches, which can happen with our most sensitive data: our health records.
Unfortunately, the brilliant design features of the SMTP protocol, (it’s simplicity, it’s redundancy), are it’s worst failings from a HIPAA perspective. Network providers generally agree to communicate using published standards and physical devices, but that’s about it. It is truly a cooperative chaos, where there are no regulations guaranteeing little of anything, much less confidentiality. Indeed network providers are allowed to monitor any and all traffic which flow through their networks. So, if you send messages in plain text (as is the default case for email), then it is visible to anyone who desires to look at it.
The same security flaws of redundancy and simplicity are inherent in the service which helps you manage and organize your messages. In simple terms: Your email is stored indefinitely on multiple servers (somewhere, in a place you cannot control) in plain readable text and governed under the same statutes which allow them to be freely interrogated by the company which provides the service. For this reason alone, email should not be considered as a viable tool to use with ePHI.
It is clear the populous in general needs to acquire a maturity with the technology we depend upon. How much more so with healthcare information.
At Patient Protect, we’ve built a proprietary patient messaging system which bypasses the achilles heel of modern email systems and infrastructures. The HHS requires (by law) that health providers encrypt (or otherwise) secure patient communications beyond simple email clients. Don’t make the mistake of violating patient trust out of ignorance.
Download our free HIPAA compliance guide, and find out how Patient Protect can help secure patient records and help your office reach compliance!