Can I “Trust” Email and Instant Messaging for Healthcare Data?

By Scott StueweDirectTrust President and CEO
X: @DirectTrustorg
X: @StueweScott
LinkedIn: Scott Stuewe
This is Part 2 of a 6-part series.

As the COVID-19 pandemic advanced, our society grappled with the long-standing tension between the privacy and security of health data on the one hand, and the importance of having access to these data for the management of the health of the population on the other. At the same time, the need to quickly offer telemedicine approaches to patients who sheltered in place has spurred rapid growth in the use of various consumer-oriented communication vehicles such as email, texting, instant messaging and video chat. Is this advisable? Is it justified by the circumstances of a global pandemic?

Healthcare data is extremely sensitive data. The answer to the trust question above depends on whether the sender wants assurance the data isn’t intercepted and misappropriated by someone other than the intended recipient. Plain email provides no such assurance. Neither does plain texting or instant messaging. Some platforms for video chat have also been called into question as insecure of late despite claims of “HIPAA compliance”.

In response to this fact, the DirectTrust community seeks to extend our National Trust Framework and trust fabric, establishing trust-in-identity, and secure communication channels for any permitted purpose and by any standard or “modality” under which health data is exchanged.

As part of making such a fabric a reality, DirectTrust and the active members of its ANSI Accredited Standards arm, DirectTrust Standards, are working on an instant messaging specification that will allow for secure and trusted instant messaging across platforms. We are also looking to expand our accreditation programs to cover mechanisms for healthcare data exchange beyond Direct Secure Messaging. Why is this so important?

First, let’s reiterate that once health data has been transmitted outside of the bounds of healthcare privacy regulation (like HIPAA), it could be used in unexpected and frightening ways. If insurers once again were able to deny coverage based upon pre-existing conditions, health data could be used to justify such denials. Also, health data are a target of identity thieves as they frequently contain demographics and identifiers that are not usually publicly accessible making them useful for fraud of various types.

To safeguard health data, we need to use appropriately secure technical mechanisms for exchange and communication so such data can’t be hacked and misused.

Direct Secure Messaging is just such a secure mechanism. As we said in Series Part 1 of this series, Direct Secure Messaging is more secure than commercial encryption tools. Direct Secure Messaging makes the not email at all, but utilizes the same technical protocols that are typically complex, very simple to use for as email for secure healthcare data exchange. If you missed that story, go back and check it out. Let’s talk about to what extent identity is at work in regular old email and what it lacks in both trust in identity and security.

With email, frequently the only identity information known reliably is that the domain (for example gmail.com) really belongs to the company in question – Google.

When a message is sent, if the recipient’s identity isn’t known with certainty, the message is in no way secure.

Today, I can go out and create a new Gmail account, begin using it and recipients of emails from me will have no assurance whatsoever of my identity, only of Google’s. In the absence of a community operating under a trust framework, even legitimately “identity-proofed” addresses within a platform (like an Apple ID might be claimed to be) won’t be broadly trusted between different platforms. The only thing that can be assured is that the person who opened the account has control of it – this is usually established by the relying party sending an email with a code or a link and the user responding. We do this all the time in ecommerce and for multi-factor authentication schemes.

In the absence of a technical trust fabric, email is also not difficult to hack. Regular email is the equivalent of a walk down the street in a big city. You seem anonymous and safe, but if someone wants to, they can mess with you. “Phishing” and “man-in-the-middle” attacks are common with regular email. If messages can only be sent between two “trusted” accounts such attacks are less likely. Encrypted email is also an option from commercial vendors, but it lacks trust in identity. Even though the sender may be identity-proofed, in the absence of a trust community that both sender and recipient belong to, the identity of the receiver can’t be determined, and the receiver may not be able to respond to the message in a secure manner. It’s not as scary as plain old email, but still not secure.

What about instant messaging? In the UK it has been reported that physicians are utilizing instant message platforms like Facebook’s WhatsApp for communicating with patients and among themselves. This instant messaging platform with its automatic synchronization with other devices and the iCloud and its complete lack of trust-in-identity features has been identified by the UK government as a significant security and privacy risk. Similar issues have been raised for other such platforms many of which have gained lots of healthcare users in this COVID-19 crisis. There are indications that providers are using such platforms for a variety of purposes and are throwing caution relative to privacy and security to the wind in the process.

Platforms may make various security and conformance-to-regulation claims, but these are not validated by outside sources – only the privacy practices statements of the firms themselves. Even with strong encryption within a platform, the legal framework to share data for other secondary uses may be just a click away – embedded in a long end-user licensing agreement that explicitly allows this redistribution. Such communication within platforms also depends upon both the sender and receiver utilizing the same platform creating barriers to communication when multiple platforms exist.

It is for these reasons our community has embarked on both the creation of a new standard and the extension of our trust framework to establish policies for cross-platform secure instant messaging under the new standard. It is our hope to provide the same trust-in-identity assurance for instant messaging in healthcare that Direct Secure Messaging represents.

Imagine that you could communicate in an instant message tool and know for certain that the message recipient is who they claim to be and would not need to switch between different platforms every time you wanted to communicate with someone new? Wouldn’t that be safer? Wouldn’t that be cool?

Stay tuned, and better yet get involved – the DirectTrust Standards Consensus Body is meeting weekly on the standard and DirectTrust hosts a Workgroup twice a month on the policy extension. DirectTrust members can participate in both activities and non-members can also participate in the ANSI Standards activities.

This post is part of a series examining trust-in-identity. Tune in to our next post for an understanding of how important trust-in-identity is for life on the internet generally and the role of a trust framework.

This article was originally published on the DirectTrust blog and is republished here with permission.