Interview with Mason Rothert, CEO of Mediprocity, our partner for SecureChat
Mason Rothert & Nicholas Magers conceived Mediprocity while working together in the healthcare field, calling on physician offices and healthcare provider centers. At the time, Mason Rothert was working as V.P. of Sales and Technology for a management company overseeing long-term care facilities and a full-range therapy company. Nicholas Magers was finishing up his MBA at USC and working for a pulmonary company as a sales director. They decided to combine forces in order to solve the fragmentation of communication amongst covered entities and business associates in healthcare. They would focus on the new technologies available as well as the growing need to encrypt patient health information in order to prevent data breaches.
Mediprocity began in 2009 as a social network for healthcare. The company culture has always been to be physician-centric and to help improve communications. As smartphone and text messaging popularity grew rapidly, it was clear in 2010 that Mediprocity needed to become a simple, secure solution for HIPAA-compliant communication. They set out to combine the best elements of instant messaging, SMS text, and email.
LuxSci has integrated the Mediprocity secure communications product into its offering and is continuing to work closely with them to integrate the SecureChat service more and more tightly with LuxSci’s SecureLine secure emailing offerings.
Mason has agreed to this interview so that we can answer many common SecureChat-related questions for you.
1. Why are standard text messaging and multimedia messaging services built into everyone’s phones and tablets insecure and insufficient for HIPAA compliance?
There are many reasons why these are not sufficient for HIPAA compliance.
The basic stance on standard secure messaging is that it does not fall under the Omnibus safe harbor rule of encryption. You do not have to use secure text, but you had better build a strong policy to protect yourself in the event you lose your phone or have it stolen. You had also better build a strong policy that ensures all of the other people you send SMS texts that include PHI to never have a breach by losing their phones. That is pretty well impossible to do.
If you are going to build a defensible position for your organization and/or practice – simply use encryption. This debate should no longer be a debate in 2015; it should be much like healthcare’s approach of ‘standard of care’ medicine. If you send a text that has PHI, make sure it is encrypted. Period.
Then there are the HITECH issues around mobile, such as proper authentication and read receipts, remote wipe or logout in the event of a lost or stolen device, and proper archiving of messages with oversight.
Let’s discuss the archive and oversight. There are many providers out there that let you destroy a message or let it expire and be deleted. But that gives a false sense of security, as those messages never really get destroyed. They live on the servers of the company in case it is ever issued a subpoena. From a user’s perspective they think they are destroying the message for eternity when that is not the case, and that is simply not a fair way to sell a product to your customer. Or, they do completely wipe the message, because the company’s product is not built for HIPAA compliance; it is more of a social tool. That can be a dangerous arena to play in as well if a Federal or State judge compels you to produce your messages. Finally, there is visibility at the admin level of an organization. If you plan to allow your staff to use messaging from their mobile devices, it should be used for PHI. If it doesn’t involve PHI, then regular messaging serves the purpose. Being in a secure professional messaging system allows administrators to have access to users’ accounts to lock, deactivate, administer privileges and impersonate the user for audit purposes.
In light of the recent events with the Sony hack in December 2014, and the more recent Anthem breach of sensitive data that was not encrypted at rest, it also is a good idea to encrypt important company documents and employee records. Sending these via an unsecure text message is simply a poor choice when there are low-cost options to protect them. The old saying, “it is better to ask for forgiveness than permission”, does not apply to the new fines and penalties with HIPAA. If you have a breach of unsecure PHI, especially around mobile devices, you had better believe they will want their “pound of flesh”.
It is not worth it – simply encrypt your communication.
2. How does SecureChat work?
Very simple – we made our product easy and intuitive. If you can attach an image to an email or send a text on your phone you can use SecureChat. You register for an account. You then can log in via any browser anytime anywhere. You may also install the app on your phone, search and connect with colleagues and begin sending messages. Easy.
3. How does SecureChat ensure transport security for messages?
End-to-End Encryption. All of the messages are encrypted at rest (using 256-bit AES Encryption) and in transit (using HIPAA-compliant SSL). Each user has their own unique encryption key. When you send a message on SecureChat, it is fully encrypted at rest and can only be decrypted by another user in the same conversation or by an authorized administrator.
4. What mechanisms does Mediprocity use to ensure that messages are secure “at rest”?
All messages are encrypted using AES 256-bit encryption with a unique password per chat conversation. The password to decrypt a conversation and the messages therein is itself encrypted so that only users in the conversation and authorized administrators can access it. As each of these users has his/her own asymmetric encryption key, the password is encrypted for each of these users using their keys. The users, when they enter the password to their encryption keys, can then decrypt the password to unlock communications to which they are a party.
None of these communications can be decrypted without the password to at least one of the user’s encryption keys — and these are never stored in plain text on the system in any way. Users are in control of the passwords to their own keys.
5. Does SecureChat provide for message archival? How long are archives kept for and how can they be accessed?
Yes, we do. Messages cannot be deleted on our system. We allow you to go back using our filter tool, type a username and a date range, and locate all of your messages, which are easy to locate when you search by subject line. We also do off-site backups, so messages are kept for 6+ years as required for compliance. All of our backups are done with our hosting provider, who uses a compliant backup and handling system.
6. HIPAA requires that access to message data be available to administrators in case of emergency. Can that be done via SecureChat?
Yes, each organization can have an administrator who can gain access to all conversations and messages sent and received by users in his/her organization. Thus, secure, emergency access is assured.
This access is possible, even though everything is encrypted at rest, because the administrator’s encryption key enables him to decrypt and access copies of user encryption keys. This capability permits both emergency access and the ability to reset user encryption keys, in case they are lost or forgotten, without data loss.
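A constructed model of the key hierarchy described in answers 4 and 6 (an added example, not Mediprocity’s or LuxSci’s code): one random AES-256 key per conversation, wrapped with each member’s RSA public key so that only a holder of that member’s private key can unwrap it, and messages sealed under the conversation key. The administrator is modelled simply as one more recipient of the wrapped key, a simplification of the user-key escrow answer 6 describes; the password protection of private keys from answer 4 is not modelled, and all names and functions are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Conversation maps member name -> the conversation's AES-256 key wrapped with
// that member's RSA public key (RSA-OAEP); the admin is just one more member.
type Conversation map[string][]byte

func NewConversation(members map[string]*rsa.PublicKey) Conversation {
	key := make([]byte, 32) // one random key per conversation, never stored bare
	rand.Read(key)
	c := Conversation{}
	for name, pub := range members {
		c[name], _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	}
	return c
}

// Key unwraps the conversation key for one member; anyone without a wrapped
// copy (a non-member, or the server itself) gets an error instead of a key.
func (c Conversation) Key(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := c[name]
	if !ok {
		return nil, errors.New("not a member of this conversation")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
}

// Seal encrypts one message with AES-256-GCM under the conversation key.
func Seal(key []byte, text string) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, []byte(text), nil) // nonce prepended
}

func Open(key, ct []byte) (string, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	return string(pt), err
}
```

A store holding only the Conversation map and the sealed messages cannot read them; every member and the administrator unwraps the same key, and an outsider with their own key pair is refused.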
7. Does SecureChat provide audit trails of user access to ePHI?
SecureChat provides “Read Receipts”. For example, while you are looking at a conversation, you can tell which users have seen messages and which have not. This provides a very fine-grained audit trail of who has created or viewed which messages (ePHI) and who has not.
8. What types of devices does SecureChat work on?
The web interface is responsive; that means as long as you have a browser on your device you can use SecureChat. It is mobile-enabled so that it looks and works well on any screen size. We also have native apps for iOS iPhone, iPod and iPad. We work on Android phones and tablets.
9. Can SecureChat be used as a secure, HIPAA-compliant replacement for Skype?
Yes. Plain and simple. Skype is an amazing tool for not only chat but for audio and video communications. SecureChat is built for easy and quick messaging in a compliant setting. We have different features than Skype and we did not set out to build SecureChat to resemble Skype. We built it to be a unique and cost-effective tool that allows our users to meet the HIPAA compliance and HITECH requirements around messaging.
We can integrate into existing technologies and because of our encryption – we do not monitor or mine the data and sell it to third parties.
10. In what ways is Mediprocity a better solution than competitive services such as TigerText, Imprivata, and qliqSoft?
All of the competition in this space offer a unique set of tools. We all started in the secure messaging space around the same time, and since that time Mediprocity has seen dozens of companies enter the market. Some claim to be the leaders simply because they were first to market in the sense of mass-marketing because they had deep pockets. Some were able to scale rapidly in the market because of their parent company’s products.
Mediprocity has been growing steadily and we believe secure messaging in healthcare is not a sprint but a marathon. Users have left competitors to use Mediprocity for a number of reasons. Mediprocity offers many of the same tools and is much more cost-effective for small to mid-size organizations than our competition.
One of the biggest advantages of Mediprocity/SecureChat is the clean and simple interface. The Apps and web interface do one thing and do it very well and very simply. Compared to the competition … there is really no comparison.
Another advantage is the security and integration with LuxSci — combining SecureChat, secure email, secure forms, and other services through one company has many advantages in terms of time, money, support, and compliance risk. Further, LuxSci is working with Mediprocity to integrate their secure email services more and more tightly with the mobile-centric SecureChat offering. Integrated, unified service will be a boon for everyone.
11. What are some of the great things on the roadmap for 2015?
We just launched Mediprocity 3.0, which means we are now prepared to roll out features we have been waiting to release for years. We can’t talk about all of the exciting things we have planned, but a few exciting features include our integrations with some leading software in the healthcare industry as well as exciting new useful features on both the web and apps that our user community has requested.
Additionally, we have big plans with respect to expanding our API to enable tight integration of SecureChat services with other applications. Think of some of the things that text messaging can be used for … in many cases these can be done better if done securely.