Frequently Asked Question:

Is sending patient data via text message (SMS) safe?

Simply put, text messaging is not secure. There are three significant issues:

  1. There is an open and unfixable vulnerability in the worldwide mobile phone network infrastructure (SS7) that makes intercepting text messages quite easy;
  2. Messages that include patient data are stored indefinitely on the sender's and recipient's devices; and
  3. iOS sends messages to other iOS devices via iMessage (Apple's messaging platform), meaning patient data is stored in a non-HIPAA-Compliant environment.

Here is a sobering report by 60 Minutes (Australia) showing just how easy it is for those with nefarious intent to intercept text messages.

It should be noted that a potential solution is to encrypt data on the device before sending it (which is what PicSafe does) or to use messaging services that use end-to-end encryption (many of which have issues).

As well as removing photos from your gallery, all patient data should be manually removed from the messaging app once sent and viewed by following these steps:

How to delete an SMS/MMS

iOS
  • Open the Messages app.
  • Navigate to the message you want to delete.
  • Tap and hold the message you wish to delete.
  • Tap the More… option.
  • Select the messages you wish to delete.
  • Tap the Delete All button (top left).
Android
  • Open the Messages app.
  • Tap on the message you want to delete.
  • Tap the delete symbol and select the messages inside the conversation you need to erase.
  • Tap Delete.
  • Tap OK.
  • Install Secure Eraser from the Google Play Store.
  • Open the app and follow the instructions.

Unfortunately, on Android, messages are not permanently deleted. When files are “deleted” on Android, all that really happens is that the operating system labels the disk space that stores the file as free space. The data is still there, and off-the-shelf data recovery tools can easily recover it. What do we do about this? There are numerous free apps in the Google Play Store, such as Secure Eraser, that will allow you to delete these files properly. Tools like Secure Eraser write over the so-called free space with random data. You should probably install and use a tool like this to remove all “deleted” data.
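To make the "write over the free space with random data" step concrete, here is a minimal sketch of a free-space overwrite pass. It is an added example, not Secure Eraser's code or anything from PicSafe; the names wipe_free_space and run_capped_demo are hypothetical, and the demo caps the amount written so it does not fill the disk.

```python
import errno
import os
import tempfile

# Errors that mean "no room left"; EDQUOT is absent on some platforms.
_FULL = {errno.ENOSPC, getattr(errno, "EDQUOT", errno.ENOSPC)}


def wipe_free_space(directory, max_bytes=None, chunk_size=1024 * 1024):
    """Overwrite unallocated space on the filesystem that holds `directory`.

    Random bytes go into a temporary fill file until the disk is full (or
    `max_bytes` is reached), are flushed to storage, and the fill file is then
    removed. Returns the number of bytes written.

    Caveat: on flash storage, wear levelling can keep old copies in blocks the
    filesystem cannot address, so a fill pass is best-effort, not a guarantee.
    """
    written = 0
    fd, path = tempfile.mkstemp(prefix="wipe-", dir=directory)
    try:
        with os.fdopen(fd, "wb", buffering=0) as fill:
            while max_bytes is None or written < max_bytes:
                want = chunk_size if max_bytes is None else min(chunk_size, max_bytes - written)
                try:
                    written += fill.write(os.urandom(want))
                except OSError as exc:
                    if exc.errno in _FULL:
                        break  # free space exhausted: the overwrite pass is done
                    raise
            os.fsync(fill.fileno())  # push the random data out of the page cache
    finally:
        os.remove(path)  # hand the (now overwritten) space back
    return written


def run_capped_demo(max_bytes=3 * 1024 * 1024 + 123):
    """Constructed demo: wipe at most `max_bytes` inside a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        written = wipe_free_space(scratch, max_bytes=max_bytes)
        return written, os.listdir(scratch)


if __name__ == "__main__":
    print(run_capped_demo())
```

Calling wipe_free_space with max_bytes=None runs until the filesystem reports it is full, which is the behaviour the paragraph above describes.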

As stated above, if you're using an iPhone, SMS messages are bundled together with iMessage messages (Apple's messaging platform). By default, if you are sending a message from an iPhone to a recipient with an iPhone, it is sent through iMessage. That means Apple servers store patient data. You should turn off iMessage if you wish to use SMS for sending patient data.

How to turn off iMessage and send through SMS only

iOS
  • Open the Settings app.
  • Scroll down and tap the Messages row.
  • Turn the iMessage switch off.

Of course, you can use a service like PicSafe where all data is encrypted and decrypted using a key acquired from a PicSafe Key Server.