Transcript

[Transcript] Episode 511: How Secure is Secure Messaging?

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 511: How Secure is Secure Messaging?

 

Liath Dalton 

That is a great question, and one that is kind of front and center on a lot of people’s minds right now, given some current news events that are unfolding related to conversations that took place over Signal, which is an open source, end-to-end encrypted messaging app designed for high privacy, but which was used for high level government communications about a forthcoming military operation.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And so now, as all of that is playing out in the news, and public concern being raised, we know that, as the, you know, appropriateness of an end-to-end encrypted secure messaging app is being debated for purposes of those sensitive sorts of conversations, that an understandable follow up question is, well, is it secure enough for the purposes of communicating with clients or communicating PHI, right?

 

Evan Dumas 

Uh huh, yep.

 

Liath Dalton 

So we thought we’d unpack that a bit, and dispel some myths, and also talk about what the actual, you know, threat scenario is, that is the context that mental health practitioners are operating within, versus what is applicable and therefore becomes reasonable and appropriate safeguards to put in place when we’re talking about handling sensitive government and military information.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So let’s start kind of at the beginning, which is, what does end-to-end encryption mean when we are talking about a secure messaging service?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

It means it is encrypted both at rest and in transit, while it’s being transmitted from sender to recipient. And that’s kind of the basis of it, that it’s both encrypted when it’s sitting on the device, unless you have the encryption key to unlock it and read the message contents, and the message contents, when being transmitted, when being sent digitally, are encrypted so that a man in the middle attack, someone couldn’t intercept it and then read the contents and be privy to them. So that’s the basis for end-to-end encryption.

 

Liath Dalton 

And we should note that not all end-to-end encryption messaging services are created equal.

 

Evan Dumas 

No.

 

Liath Dalton 

As some will still be holding metadata, right? Evan, do you want to talk a little bit more about that, that side of things?

 

Evan Dumas 

Yeah. Metadata is a lot of other information of say, hey, when did this call come through? What was the device it was on? Just, not even the contents of the message, but information around the message. Like, what was your location at the time of this message. Other little bits that honestly are a big part of our lives, and we take it for granted, when our like photos are tagged with people, and time, and location, like all of that is a type of metadata.

 

Liath Dalton 

Exactly. And so the metadata not being encrypted couldn’t obviously be a potential privacy and security issue. Depending on what those contents are. So when we’re talking about secure messaging services in the context of handling Protected Health Information and being within the scope of HIPAA, the main features to be looking for in a secure messaging app are, of course, first and foremost the HIPAA Business Associate Agreement with the service provider.

 

Liath Dalton 

You might be wondering why that’s necessary, if the contents of the messages that they are handling is encrypted and they don’t have the encryption key. Well, one of the requirements and pieces that the HIPAA regulators have made really clear when it comes to any third party handling Protected Health Information on your behalf is whether or not it is a zero knowledge situation, meaning they can’t access the contents, that business associate relationship still exists.

 

Liath Dalton 

And so a business associate agreement is required to have in place, and that really does make sense, because even if they are not able to access the contents of what they are handling for you, they are handling it in such a way that you are entrusting other aspects of HIPAA responsibilities to them for safeguarding the confidentiality, availability and integrity of that information, so we still need the protections of a Business Associate Agreement in place.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Then, of course, the other pieces that we want to look at are that it is from a reputable and trustworthy company that there have not been issues with their trustability, or security culture that are well known, or that have caused breaches that have led to, you know, violations or actions that have not been corrected, that sort of thing. The basic due diligence that we’re always looking for when evaluating business associates.

 

Liath Dalton 

And then from there, of course, the higher degree of what data is encrypted, the more confidential the information that’s being handled is. So instances where no metadata is being logged either, it’s going to be more private, but that doesn’t mean that it is more or less HIPAA appropriate.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right? Provided that you have that Business Associate Agreement, the lack of tracking metadata doesn’t make it more or less HIPAA compliant, it just changes, kind of, what they’re handling for you and what information could potentially be subject to disclosure in the event of a subpoena, for example. If, and the very popular messaging service, which is not specifically for healthcare, we should note, that’s front and center in the news story, Signal is one that does not track metadata, we’ll note.

 

Evan Dumas 

Mhm, yep.

 

Liath Dalton 

And that’s been tested when subpoenas have been issued for it, so we know that’s there. So why then all of, if these services can be so secure, what is the big concern related to the present situation unfolding out in the news and with regards to national security?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

A really different risk picture.

 

Evan Dumas 

Yeah. And different compliance requirements. Like people in the cabinet, the presidential cabinet, usually and definitely fall to a different level of requirements than us mental health practitioners. It’s just a different set of rules they got to follow.

 

Liath Dalton 

Exactly, and because it’s a very different sort of threat scenario. And so when we’re talking about government officials, high level government officials having sensitive conversations, there are a lot of very well resourced entities within the world that want to know what that information is. And have technical tools available at their disposal that are not consumer level, or even your average hackers, within their reach or availability, right?

 

Liath Dalton 

And so those threats are that the device can be compromised without knowledge of compromisation and circumvent the regular security measures that we put in place to harden our devices, to prevent them from being compromised, or to notify us if they have been compromised.

 

Liath Dalton 

And that kind of software is super sophisticated and high level, and the primary example of that is something known as Pegasus, which was developed by NSO, which is an Israeli technology and security firm. And their point at this time is still that that software is only available, made to, only made available to vetted state agencies of certain states that have been deemed to be, you know, friendly enough to be entrusted with that technology.

 

Liath Dalton 

Whether or not it has really been contained to that level is a whole other conversation. But it is very sophisticated, very limited and extremely expensive. So the odds of that being deployed against an average citizen or your average mental health practitioner is virtually non-existent, right? And so that means we’re working within a different threat landscape. And that the basic device security measures that need to be put in place on devices in order to harden them and make them safe and appropriate to be using these secure messaging services from, should protect from all of the reasonably anticipated threats they do to these devices.

 

Evan Dumas 

Yeah, exactly.

 

Liath Dalton 

So, and that kind of is the last piece that’s really important to emphasize in this discussion of how secure are secure messaging apps. If you are using an app or service, of course, how secure the service is itself is one factor of the equation. The other factor is going to be what technical safeguards you have in place on your tool for accessing that service. That’s where device security comes in.

 

Liath Dalton 

And then what are your behaviors around using it and using it appropriately? And that’s where our policies and procedures come in, and where making sure that we are not connecting to untrusted networks with that device, or having lax passwords, reusing passwords, or the pin that we use to access that secure messaging system, that’s where it comes in.

 

Liath Dalton 

But all that to say they are highly, highly secure, and if you are using the right tool for the job, it opens up a lot of very useful, both operationally and like functionally and even clinically, communication ability for things that absolutely should be contained within secure messaging services. That we should not be relying on HIPAA’s option for alternative communication by client request for any sensitive PHI discussions, anything other than logistics. And even would really argue that for logistics conversations as well, that when secure messaging platforms that are HIPAA consistent are so readily available, and we need to have them in our toolbox anyway, because you can’t. Actually, let me, let me just put this premise to you, Evan.

 

Liath Dalton 

If you get asked to sign a request for non-secure communication or alternative communication by a healthcare provider in order to communicate with them, but they don’t offer a secure communication method to you. Do you feel like you actually had autonomy and choice and like that request was, was meaningful?

 

Evan Dumas 

Well, it’s like, if I opt out, saying, Hey, I do want secure communication, they’ll be like, uh, no. It’s a request, and I can say no, and then if they have nothing to offer me, then we’re kind of SOL.

 

Liath Dalton 

Exactly. So this just highlights something that we’ve been talking about for a long time, which is that these are really essential tools to have within any practice context now. The fantastic news is that they are readily available and really economical.

 

Liath Dalton 

And I wanted to have this, this conversation about how secure they really are, because I don’t want the very real and legitimate concerns around these sorts of services not being appropriate for high level national security discussions to filter over into a feeling that these aren’t actually able to provide the level of security, the level of confidentiality and privacy that is necessary for for healthcare providers.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Now I will give the one caveat, which is, if you happen to be a healthcare provider to a high level national security or government figure,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

then, then that needs to be included in your risk calculus and risk analysis. And in those situations, guidance would be that, because they are such, kind of, high value targets, as it were, and

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

you would be assumed, as their health care provider, to have less security in place for handling their information than they individually would be, that you and I laugh, because unfortunately is so clearly not the case right now, but that means that you would be a kind of easy target in that sort of situation. So that’s where your risk analysis factors would need to shift to take that into account.

 

Liath Dalton 

But I’m going to guess that that is an extremely small group of folks and may or may not be listeners to this podcast. But want to say for everybody else, take a deep breath, don’t worry, these are still highly secure and HIPAA appropriate platforms to be utilizing them and just doing a little bit of a callback to an episode we did earlier in this season, where, in light of a massive ongoing Chinese hack to all of the main carrier networks in the US, are emphasizing how important it really is to be using these sorts of secure HIPAA appropriate platforms for client communications. And not to just be relying on the standard SMS text, which does just get transmitted like a postcard, and we know folks are then listening to or watching the contents of that.

 

Liath Dalton 

And so above and beyond using those network services without having a HIPAA Business Associate Agreement in place not being HIPAA acceptable, it also is a very real threat that is being realized.

 

Liath Dalton 

So use secure messaging services that are HIPAA appropriate and offer a BAA, use them on hardened devices, and use them with confidence, knowing that they’re a great tool that supports your practice in multiple ways.

 

Evan Dumas 

Exactly.

 

Liath Dalton 

Thanks for listening, everybody. We’ll talk to you next week.

 

Evan Dumas 

Yeah, talk to you next week, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we dive into what group practice owners need to know about encrypted messaging apps. 

We discuss:

  • Encrypted messaging apps in the news
  • What end-to-end encryption means
  • What to look for in an encrypted messaging service
  • Why a Business Associate Agreement is necessary
  • The difference in risk landscape for mental health therapists and government officials
  • Safeguards, like device security measures, to take when using secure messaging apps

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information

PCT Resources:

Group Practices

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

Solo Practitioners

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.
