Recently, I was asked my opinion on whether pagers were compliant with HIPAA. I actually had never thought about it, but this person told me that ePHI may occasionally be sent over the paging system. This got me thinking about the issue.
Here is what I see as the issues.
1. ePHI transmitted across the internet must be encrypted.
a. This would not include unsecured email. This would make sending someone an SMS or page at firstname.lastname@example.org not acceptable.
b. The Simple Network Paging Protocol (SNPP) has encryption and is advertised on some carriers' websites as HIPAA compliant.
c. But this encryption is not end-to-end; it applies only on the internet.
2. ePHI transmitted via analog radio transmission is not addressed at all.
a. ePHI is not encrypted on the analog transmission
b. A CAP code must be implemented for the transmission to succeed.
c. Paging eavesdropping is a possibility and could pose a confidentiality issue.
3. Paging eavesdropping is not hard to do. See this example
So in my mind Pagers are not secure at all, but it is what it is and most likely won’t change.
Going forward, I would implement SNPP with Encryption as a band-aid. At least you will be covered over the internet.
You may also have the ability to remote wipe. So you may have some control in place.
Start thinking about moving to secure SMS on mobile phones, both Android and iPhone.
This would provide a secure environment with end-to-end encryption. The apps are available, and messaging could be done from a remote server/application. This is really a futures thing for some folks, but I can see it happening very quickly.