Secure Texting: Communication’s Unicorn
Does secure texting exist, or is it as elusive as a clear photo of bigfoot? To answer that question, we have to take a look at the main SMS (short message service) protocols.
The majority of the world’s texting is done using either the Global System for Mobile Communications (GSM), High Speed Packet Access (HSPA) or Long Term Evolution (LTE) standards. Under these systems, text messages are transmitted from devices to a short message service center. This center stores the messages and attempts to send them on to the recipients. If it cannot reach them, the messages are queued to be tried again later.
The Issues with SMS
The main problems with SMS messaging are that it is both unreliable and insecure.
The Reliability of SMS
Unfortunately, SMS messages are inherently unreliable. The sender does not know whether their message has been delivered, nor whether it has arrived on time. On top of this, messages can be completely lost, while others may only be received long after the were needed.
SMS Security Problems
SMS messages have issues with confidentiality and authentication, as well as a number of widely known security vulnerabilities.
Messages sent with GSM are only optionally encrypted between the mobile station and the base transceiver station. If they are encrypted, they use the A5/1 cipher, which is known to be vulnerable. This makes it possible for anyone with enough motivation to read the messages.
If that isn’t bad enough, the authentication process is also flawed. Users are authenticated by the network, but the user does not authenticate the network in return. This makes the user vulnerable to man-in-the-middle attacks.
You may think that you are safer if you use LTE, but renegotiation attacks can be used to force your phone to use GSM instead.
On top of this, there are also the dangers of SMS spoofing, sim swapping, and a variety of other security vulnerabilities. Since we can’t trust the encryption or authentication processes in SMS, it’s best to assume that any SMS you send can be intercepted and accessed.
As you can see, secure SMS is like a unicorn. It doesn’t exist, and you should never use the medium to transmit any sensitive or valuable information. Because of this, SMS messages should either be avoided or strictly controlled, particularly in tightly regulated fields like healthcare. All it takes is one message that accidentally contains ePHI, and your organization could be feeling the heavy hand of HIPAA penalties.
But I hear the term secure texting all the time…
That’s true, lots of providers refer to their offerings as secure texting. But the majority of these services aren’t using SMS. If they are, then they certainly aren’t secure and you should steer clear of anything to do with the company.
How Can Messages Be Sent Securely?
Although the standards used for SMS are lost causes, that doesn’t mean that you can’t securely exchange short written messages.
The answer? LuxSci’s SecureText.
LuxSci’s solution doesn’t send sensitive information over the standard protocols used for SMS, so you don’t have to worry about any of the security issues that surround SMS messaging.
SecureText transmits its data with TLS protection, stores its information with 256-bit AES, and data is never kept on the recipient’s device. Recipients use password-based authentication to access the information and messages are securely stored in LuxSci’s databases. Every step is safe and completely HIPAA compliant.
The best part? No one has to download yet another app to send or receive secure messages.
How Does SecureText Work?
The sender uses LuxSci’s SecureLine encryption service:
- They write their message in either LuxSci’s WebMail or their preferred email program.
- In the address field, the sender enter a special email address that is based the recipient’s phone number. For example an address of firstname.lastname@example.org would send the message to a US recipient whose number is 211-436-7789. Once the sender is finished, they hit the send button.
- The recipient will receive a normal SMS that tells them a secure message is waiting for them. The message contains a link, which opens up their phone’s web browser:
- If they have recently viewed another SecureText message, the new message will immediately be displayed.
- If the recipient has used SecureText to view messages at an earlier date, they will need to enter their password before they can view the message.
- If this is the recipient’s first SecureText message, they will need to set up a password before they can view the message.
The protected and HIPAA-compliant design of LuxSci’s SecureText makes it useful for sending ePHI in a range of different situations. It’s a great option for messaging without email.
It can be used to send appointment reminders, for general communication with patients, and to send real-time alerts that include sensitive information. All with none of the risk that comes from SMS messaging.
- To Text or Not To Text: Texting under HIPAA
- SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.
- Automating the Sending of Secure Messages
- Does HIPAA really permit reminding patients to pick up their prescriptions?
- Email, Calls, Messaging Apps & More: How Can You Secure It All?