Encryption Isn’t Clinical

In healthcare, we need to ensure that patient data is protected and shared securely — not only out of concern for patient privacy but to comply with HIPAA. At Mobile Heartbeat, we are beholden to using the label “HIPAA-compliant secure text messaging,” but if you go to Google and do a search on “HIPAA-compliant messaging,” you’re going to come up with over 100 vendors that provide it. Many of these offerings are generic texting apps, so there’s a need for us to distinguish our clinical communications platform, which includes HIPAA-compliant secure messaging as just one of its key features.

I refer to the providers of these generic apps as “diaper vendors” — a term I took from Jack Trout’s book, Differentiate or Die. Trout quotes an attorney who claimed that between Procter & Gamble and Kimberly-Clark, there were 1,000 patents for baby diapers. This claim raises the question, “What’s in a baby diaper?” because it’s really just a piece of cloth with adhesive strips that captures human waste. How do you patent that 1,000 times? Obviously, these things are not technological advances. They’re just excuses to market. They’re like blogs, now that I think about it.

The “diaper vendors” really just do text messaging, and they’re all focused on HIPAA compliance and security. So, if you’re in that Google search, looking for HIPAA-compliant messaging, you get what you’d find with rabbits on a hormone diet. There’s just vendor after vendor after vendor that says they do HIPAA-compliant text messaging.

Now, what’s interesting is they’re all also grouped under the whole subject of encryption. For the uninitiated who don’t know what encryption is, it comes from the word “cryptography,” which is the art of concealing something by turning it into code. You may remember the San Bernardino attack when the FBI was trying to hack into that iPhone 5C and it took them months before they finally did it. By the way, Apple strengthened it after that so it wasn’t as easily hacked. That was all about encryption and privacy.

So, here we are beholden to the “HIPAA-compliant messaging” term and this industry that’s got its own security classification. Is it encrypted? Is it secure? Of course, it’s secure. That’s like a layup. That’s barely anything special. Almost everybody’s platform is secure just by running on an iPhone because there’s encryption inherent to the device. Then there’s network encryption, which is what you see when you look at your bank account online and the website URL in your browser starts with HTTPS. That S stands for secure. You may not know where the hard drives are that your finance data is stored on, but one thing you do know is that you’re in a secure tunnel whenever you go on the site. You’re in this tunnel of encrypted data.

I liken encryption to looking at traffic going down a highway where there’s a road on one side and a tunnel on the other. The cars that are moving on the side where there’s no tunnel are like unencrypted data traffic. You see the cars the whole time they’re traveling down the strip of road. The cars going into the tunnel become concealed; you can’t see them. That is what happens with encryption — data becomes concealed and you need to have a key in order to decrypt or unlock it and see it.

When you think about encryption, it has nothing to do with being clinical. No patient gets healthier, and there’s no efficiency created because of encryption. Encryption only addresses one thing: it addresses a legal risk, not a clinical demand. I think there’s only one person whose health improves through encryption and that’s the chief security officer. It’s possible that person is staying up at night with high blood pressure because PHI is being transmitted via unencrypted channels.

The point I’m trying to make is that all of us are talking about security and encryption like it’s a differentiator, but we’re talking about it because we have to. We all have it. In the end, it’s really a non-issue. There’s no pioneering advance.

What hospitals really need to focus on from a clinical communication and collaboration perspective is workflow, and that’s where Mobile Heartbeat comes in. We don’t obsess about encryption; we just have to talk about it because it’s required in the category. What we’re obsessed about is providing care team visibility and unified communication (text, voice, video, paging, etc.) that improves workflow.