-
Goldfish
Need secure email that works like Tigertext does for text messaging
I am posting this here and hoping someone might have some experience in this and be able to help me out with this one.
I am doing some database work for the admin department of a small hospital and I noticed that they have a lot of doctors texting patient info to other doctors and admin.
The problem is that I found out that the HIPAA laws open the hospital and doctors up to lawsuits if their phone is lost or stolen since they keep the text messages and patient info on the phone.
I mentioned this to the department head, and he asked me to look into a secure texting solution where encrypted (HIPAA compliant) text messages can be sent to cell phones from a computer or other phone.
So far the only solution I have found is:
http://www.tigertext.com
Looks like a closed system, with messages that delete themselves so losing a phone doesn't open up HIPAA-related lawsuits. They are HIPAA compliant.
At $10 a month per seat it seems very cost effective and easy to implement.
Since it looks like HIPAA is similar to Sarbanes Oxley, I am hoping some IT people are on this forum and can help me out.
What I would like to know is, does anyone have any experience with Tigertext, and does anyone know any other HIPAA compliant systems out there?
What about secure Email?
No Pentium yet!!!
CPU : AMD FX-56
Mobo: ABIT KN9 SLI
Mem : 2 x 512 Kingston
GPU : ATI 850XT
SND : Fatal1ty FPS X-FI by Creative
HDD : Barrucuda SATA 200Gb
KEY : Fatal1ty
MOS : MS Laser
-
For secure email, the best solution I've found is Thunderbird + enigmail (gpg frontend) for key based encryption. By best I mean simplest and easiest to use, not necessarily the most robust or scalable.
Crusader for the 64-bit Era.
New Rule: 2GB per core, minimum.
Intel i7-9700K | Asrock Z390 Phantom Gaming ITX | Samsung 970 Evo 2TB SSD
64GB DDR4-2666 Samsung | EVGA RTX 2070 Black edition
Fractal Arc Midi |Seasonic X650 PSU | Klipsch ProMedia 5.1 Ultra | Windows 10 Pro x64
-
LOLWUT
Google Apps offers full encryption and HIPAA compliant email for $35/user/year.
You might find this useful: http://www.google.com/a/help/intl/en...encryption.pdf
-
I have to deal with HIPAA compliance all the time and emailing becoming more common has raised some ethical issues. I run my own roundcube email with serpent-twofish AES.
I know that google mail provides HIPAA compliant email as some of my colleagues use it. As for texting, that's a new area which will create even more grey areas for HIPAA to look at.
Since the two main ways emails are accessed (client computer and server) are somewhat harder to physically lose, I can see not much of an issue. But losing a cell phone is very easy as is swapping out. The encryption being based on the company hosting the texting service, I would want to know what type of encryption they use on their servers. Also I would mandate that all providers have their devices automatically lock after "x" amount of time and to create a secure password to unlock and access the phone. This is the first I've come across where providers are TEXTING each other HIPAA information. Usually I've heard the providers being HIPAA compliant about SENDING the data (leaving out any identifying info).
The easiest legal issues that come about from texting are:
- Who has access to the phone at the home? Technically HIPAA sensitive materials are to be kept under lock and key and restricted to authorized personnel only. If these are phones that are not locked upon not being used, then they really should not be leaving the hospital. They should NOT be going home with the providers.... That's a basic HIPAA issue...
- People being able to see what is being typed. Logically no health care provider should be talking about another patient with identifying information anywhere except in the confines of a secure environment WHERE THE DATA DISCUSSED IS RELEVANT TO THAT PATIENT'S CARE. It amazes me that hospitals have "don't talk about your patient in the elevator" signs.
MOBO: GA-Z68X-UD3H-B3
CPU: i7-2700K @3.5 ghz
RAM: G.SKILL Ripjaws X 32GB (4 x 8GB)
CPU COOLING:Corsair Hydro H80i
VIDEO: MSI TF 2GD5/OC GeForce GTX 760 OC N760 in SLI
HDD: Intel 320-160GB SSD
HDD: Samsung 840 250GB SSD
MEDIA: Plextor Dual DVD
PSU: CORSAIR HX750W
CASE: Antec Twelve Hundred V3 Full Tower
OS: WIN 7
10 x64 Home Premium
Monitor: AOC ,32" curved 1440p
-
There are a number of companies providing secure alternatives to traditional SMS-based texting within healthcare. Companies in this space include: qliqSoft, TigerText, DocBookMD, Mobile Storm, Imprivata, docBeat, Doc Halo, DoctorCom, OnPage, Medigram, and SquareLoop.
While all of these companies should have credible answers to how they support HIPAA/HITECH compliance, there are a number of distinctions among the different offerings. For instance, qliqSoft employs a distributed storage model where all message traffic is stored on customer assets, smartphones, desktop computers, as well as an archival server that runs on customer's premises, and NOT in a centralized, cloud-based server. Most, if not all, other vendors operate client/server solutions where all messages are backed up on the vendor's cloud-based server. This begs numerous questions as to how that information is protected and maintained.
Increasingly, I think conversation is going to progress beyond the security questions and on to more important (believe it or not) matters - such as, are people going to use the application?
Solutions that are limited to smartphones, or physicians-only, or even a single organization, restrict meaningful conversation and ultimately the value to end-users. Definitely review the security features, including system architecture, but also make sure your end-users are going to embrace it - otherwise it's back to SMS for your PHI.
-
I just wish that the gmail web interface had a gpg/pgp plugin. That would pretty much mean I could stop dealing with un-encrypted email.
-
LOLWUT
 Originally Posted by James
I just wish that the gmail web interface had a gpg/pgp plugin. That would pretty much mean I could stop dealing with un-encrypted email.
Are there no plugins/extensions/labs features?
-
 Originally Posted by ImaNihilist
Are there no plugins/extensions/labs features?
Firegpg was a tie-in to gpg for Firefox that is dead, and I also found (after that post) a new one for Chrome that does the same thing. Seems to be what I'm asking for, so I think I'll play around a bit with it.
Firegpg
thinkst chrome extension for gmail