In 2011, The Joint Commission banned the use of short messaging service (SMS) text messages between physicians, licensed independent practitioners, and other healthcare providers. As announced by The Joint Commission in May 2016, it “has revised its position on the transmission of orders for care, treatment, and services via text messaging for all accreditation programs.”
With this recent reversal, organizations need to review their risk before implementing a Mobile Device Management (MDM) solution that enables texting capabilities. Below are The Joint Commission’s key considerations in overturning its decision, and what your organization must put into practice in order to take advantage of this new benefit.
1. Secure Sign-on (SSO)
In order to provide authorized access to an MDM device, SSO can be implemented and tied to an organization’s identity management procedures. User accounts can be set up with password policies in place that dictate the security implementations, such as ID/password, keyfob/token login, or biometric scanning.
2. Encrypted messaging
One of the most secure implementations of encrypted messaging today is the use of an encryption algorithm to protect the contents of a text message. When enabled, encrypted communications and sessions recorded in the past cannot be retrieved and/or decrypted should long-term secret keys or passwords be compromised in the future.
3. Delivery and Read receipts with Date/Time stamp
Because ensuring medical accuracy within an EHR is paramount to healthcare professionals, the Joint Commission requires Deliver and Read receipts that are correctly timestamped. These provide audit log trails for investigators during incident response and compliancy auditing.
4. Customized retention time frames
Anyone that has used the popular social media platform Snapchat should be familiar with the concept of self-destructing messages. Features such as this are what is meant by customized retention time frames. For example, a secure message could be sent and activated by clicking a small icon on the user’s inbox screen, which is opened on the receiver’s phone with a countdown timer of up to six seconds, after which each message is deleted.
5. Specified contact list
Many MDM solutions are managed from a server that supplies the application policies to devices. One example of a custom implementation can include a restriction to a specified list of receivers. Some secure messaging platforms also include authentication features that help users confirm that a message comes from a genuine contact by providing a ‘verify identity’ code which the other contact can scan.
6. Attestation document detailing platform capabilities
Device compatibility needs to be at the forefront when selecting which secure messaging platform to implement into your existing network. Not all MDM solutions function the same, and in order to get the greatest return for investment, you must ensure that the selected platform meets the minimum security requirements.
7. Acceptable Use Policies (AUP)
An AUP is a high level governing document that should be built into the foundation of an organization’s security governance program. It should include detailed explanations of the official standard of conduct and proper usage of network devices. This tells the user what they can and can’t do with the devices, and outlines the sanctions of violating the policy.
8. Policy and procedural training
A Sanction Policy, a hand receipt of ownership, and device training should be considered. Although the user is responsible for the day-to-day ownership of the device, the liability ultimately lies with the organization to ensure that the devices are being used properly. A Sanction Policy outlines the procedures of failure to adhere to the AUP. A sub-hand receipt will provide a paper trail for supply chain management purposes and instill a sense of responsibility into the user.
Monitoring can provide intelligence oversight to user operations to ensure the adherence to MDM policies. IT administrators can query device logs and set up alerts to warn against the potential of network breaches. Because physical security is the trickiest part of a secure texting solution, many monitoring solutions offer the ability to remotely access, track, or wipe devices.
Implementing these measures and ensuring your organization follow them will bring immediate benefits, including your caregivers having more time for patients and improving quality of care. VCPI offers secure text messaging that complies with these guidelines. Contact us for more information.