Pagers Putting Hospitals (and Patients) at Risk

With the Kansas City Star article making waves across the nation, there is no excuse for thinking that pagers are still an acceptable option for sending patient health information (PHI). And no one can deny that healthcare workers routinely include PHI in their pages. According to 2017 study by the Journal of Hospital Medicine, nearly 79 percent of 620 hospital-based clinicians said they are provided pagers for communications, while 49 percent said they receive patient care–related communication through pagers.

As the IT worker in the Kansas City Star article demonstrated, anyone with $20 and TV antenna can now easily stumble over or intentionally access PHI. Awareness of the security risk posed by sending PHI via pager has increased nationwide.

What is being done about it?

Red flags should be flying. Not the kind with the white cross in the middle but the kind that indicate “Danger ahead. Stop, or proceed with extreme caution and at great risk!” Using pagers to send patient health information, as practiced today in most healthcare organizations, is unsecure, puts a system at risk for significant HIPAA violations and compliance fines and creates additional vulnerabilities for the patients themselves.

To further emphasize the importance and urgency of action, just last week an administrative law judge ruled that the MD Anderson Cancer Center in Houston must pay $4.3 million in fines over a stolen laptop and two lost USB drives; an amount that cannot be easily ignored.

So the question has shifted from “can we use pagers for sending patient health information?” to “how quickly can we move to an encrypted method of communication?”. Now, more than ever, speed of deployment is of great importance but training, reliability, accuracy, and patient safety cannot be short-changed. Traditionally, changing communication tools, workflows, processes and expectations in a hospital has been more like moving a barge than racing a speedboat. Speed was definitely not a top consideration option. Several high profile incidents have changed this. Speed is now required.

Finding a Balance

So how do you quickly provide a compliant system without jeopardizing patient care?

First, every system must immediately educate employees and providers on acceptable pager use and explicitly prohibit patient health information. Actions must be taken to monitor accountability to the policy. Informal polling often finds that there continues to be confusion over what information is considered PHI and if there are certain situations where it is still “OK” to use the pager for PHI.

Second, an encrypted method of communication must be made available to all providers. This method needs to be a simple solution for quick deployment, but also a robust system that can support increased usage and complex workflows in later implementation stages. The simplest solution will be a download and go mobile communication app, which encrypts in rest and in transit.

Finally, the chosen encrypted method of communication must be easily monitored and provide tools for accountability. Monitoring will need to include real time alerts, escalations and read times analysis in order to ensure the smooth and quick flow of patient care information.

There are many more questions to be asked and issues to be addressed in the months after initial implementation such as questions involving system integrations with call schedule and EHR systems, access points, and adoption by the referral community. These questions may need to work their way through hospitals at a more “normal” speed and will benefit from the deliberate and collaborative ways that change has been traditionally implemented in large systems. Finding that balance is key.

Let us know if you would like to learn more about secure communication alternatives that are designed for physician adoption, to support health system integration and to deliver immediate value.