Secure messaging

Does it matter if a physician wants to use a personal phone or tablet to send messages to colleagues if it makes her job easier? Yes! Federal laws require that identifiable patient information be kept secure, and neither standard messaging nor email is considered a secure method of communication. Plus, mobile devices become significantly more useful if they are integrated with the facility’s employee directory and on-call schedules.

So, what’s the best way to rein in the herd of mobile devices at your facility and bring order to the field? There is, of course, no single correct answer, but with the experiences of many hospitals as our guide, we’re offering a roadmap to defining and deploying secure messaging in healthcare, from setting up the plan through end-user adoption. In the end, you’ll find the right secure messaging solution will allow your clinicians to spend more time with patients, improve clinical workflows, alleviate frustration from searching for the right providers, and enable seamless communication across your health system.

Data protection

Strategies for keeping data as secure as possible are likely a top priority for healthcare professionals. Healthcare data breaches have been steadily increasing in frequency and severity since 2010, according to HealthITSecurity. A 2019 report by Black Book Market Research showed 93% of healthcare organizations had a data breach in the previous three years—57% reported more than five happened in that time period. 

So how can sensitive patient data be protected in healthcare? A key aspect of data security is encryption. Used in concert with administrative policies that address authentication, data retention, and HIPAA business associate agreements, encryption can be a powerful tool for protecting data. But what exactly is encryption, and how can it be implemented at your organization?

What's encryption?

According to the National Institute of Standards and Technology, encryption is the “conversion of plaintext to ciphertext through the use of a cryptographic algorithm.” The process involves “combining the contents of a message ('plaintext') with a secret password (the encryption 'key') in such a way that scrambles the content into a totally new form ('ciphertext') that is unintelligible to unauthorized users.” 

HIPAA compliance

A challenge for healthcare organizations is that although many of the popular messaging apps and services that consumers regularly use offer encryption, they do not meet the interoperability and flexibility needs—or the strict data and information protection standards—of the healthcare environment. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that put in place rules about “who can look at, receive, and use patients’ health information as well as measures that protect the confidentiality, integrity, and security of the information.” 

Consistently complying with these regulations can be an ongoing struggle (see five common HIPAA violations in mobile communications here). Some organizations don’t have a standard policy and administrative guidelines to govern messaging services or approved devices, and many clinicians aren’t aware that their consumer messaging services don’t offer appropriate safeguards. To make things even more complicated, workflows are increasingly based on communication among mobile care teams exchanging protected health information (PHI) such as prescriptions, images, test results, and more. The average consumer app isn’t designed to interoperate with clinical directories and databases and still maintain the appropriate level of information security. Included in HIPAA is the Security Rule, which sets national standards “for the security of electronic health information.” A major goal of this rule is to “protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”

Your options

Communication solutions designed for the healthcare environment can bridge the security and integration gaps: They can integrate with other solutions and third-party applications, permeating and enhancing clinical workflows. Intended for use in a clinical environment, they are designed to meet the technical and administrative standards required to comply with HIPAA. These systems are created to integrate seamlessly with current operations on any type of device or combination of devices.

  1. Secure messaging apps on smartphones and tablets

Smartphone apps specifically designed for the healthcare environment should allow users to communicate securely with anyone in your organization’s directory using any type of mobile device—and only a few can truly accomplish this. These secure text messaging apps deliver fast, accurate, HIPAA-compliant communications inside and beyond hospital walls.

Secure messaging allows physicians and nurses to use their personal mobile devices to communicate and collaborate in real time with key care team members over a secure network. This enhances clinical workflows and maintains patient privacy while improving your organization’s overall care and safety. The best apps provide solutions that are intuitive, enabling users to link to a powerful communication platform. 

You should make sure you can access your hospital’s full directory of accurate contact information; send secure text messages, images, and videos to smartphones and other devices; and ensure critical communications are logged and time stamped—all with security, traceability, and reliability in mind. Having a mobile application programming interface (API) can also establish interoperability with third-party applications, enabling secure patient discussions via an electronic health record (EHR) app, communication with proprietary hospital apps, and access to content on a cloud drive.

  2. Secure messaging on Wi-Fi phones

Many hospitals rely on Wi-Fi phones for nursing teams and for use with other roles that might not require the full functionality of a smartphone or tablet. There are secure messaging apps designed to be deployed on Wi-Fi phones as well as smartphones, enabling seamless—and encrypted—communication among all devices. Because of their integration with a hospital’s phone network, Wi-Fi phones can serve as clinical workflow tools, allowing, for example, a mobile nurse to communicate with a patient in their room.

  3. Encrypted pagers

Many leading hospitals today seek to integrate pagers along with smartphones into their workflows and secure communications for maximum benefit and coverage. A lot of hospital IT teams don’t realize that some pagers now offer an important advantage previously only available on smartphones equipped with a secure messaging app: encrypted communications. Encrypted pagers like the T5 and T52 from Spok® can provide a secure communication option that is also highly reliable even when cellular and Wi-Fi coverage is spotty. This means PHI can be shared among staff on pagers and smartphones seamlessly to meet industry guidelines for sharing sensitive information. There are pagers available that support message encryption using the industry standard AES‐128* encryption algorithm. The devices are programmed with a unique key, and messages are encrypted as they enter the network and travel over the air to the device, where they are decrypted for display to the user.

*Advanced Encryption Standard (AES) algorithm, 128-bit key


Beyond secure messaging

Reasons to expect more


Secure messaging is a great initial step for hospitals to explore secure, HIPAA-compliant communications. But in order to truly make it easier for clinicians to collaborate to provide better patient care, hospitals need a comprehensive solution that simplifies workflows and goes far beyond texts. 

Within a hospital, staff need information from dozens of programs and systems. Think about access to electronic health records (EHRs), critical lab/radiology results, numerous patient-specific monitors, nurse call, the employee directory, building security and monitoring, and the bed management system, just to name a few. These systems and more can send information to a multitude of different devices that include smartphones, desk phones, pagers, email systems, LED boards, tablets, and Wi-Fi phones. 

While secure messaging can be used in some of these applications, the communication needs of a hospital have evolved well beyond simple text messaging. Hospitals are recognizing the need for communication tools designed specifically for healthcare’s complex work environment that can integrate information from a wide variety of inputs and disseminate it to any number of output systems and devices. In short, secure messaging plays a vital role in hospital communications, but clinical professionals need more. They require a modern communication system that requires less time to find care team members, thereby allowing more time with patients. Messaging is only one spoke within a mature, integrated communications hub.

Why should you expect more?

To be most effective, secure messaging should be viewed as just one component of a larger, fully integrated system. A comprehensive communication platform within a hospital should support a lot more than simply encrypting text messages. Here are eight workflows where secure messaging alone is not enough: 

    1. Finding and communicating with the right on-call provider 
    2. Managing patients and alarms
    3. Simplifying workflows such as patient treatments from request through delivery
    4. Expediting and auditing code calls
    5. Speeding critical test results reporting
    6. Promoting patient well-being
    7. Improving handoffs and patient flow 
    8. Securing protected health information (PHI) and other sensitive data

  1. Finding and communicating with the right on-call provider

Finding the right physician, nurse, or other care provider when their input is required can be tricky because there are shift schedules, on-call schedules, and questions about whether the recipient prefers to be reached on an office phone, smartphone, or pager. And if the provider is unavailable, who is next in line to assist? 

The answer is an integrated communication solution that brings together the staff directory, web-based on-call schedules, the secure messaging app, intelligent escalation rules, and provider-specific information such as availability and device preference. The benefits of faster and more efficient communications will make care coordination easier for providers and safer for patients.

  2. Managing patients and alarms

Giving patients the ability to communicate with their nurse soon after pressing the nurse call button offers a less stressful environment for the patient. Nurses should also be able to respond quickly to patients who are unable to call for help or are unaware they need it. And nurses sometimes perform duties an aide or patient care assistant could do, which can detract from patient care because it pulls nurses from helping other patients who need their skills. None of these scenarios can be addressed by messaging alone. 

Looking at the nurse-call example, the alert could arrive as a text on a smartphone–but not all secure messaging apps support this integration capability, and many nurses carry mobile devices other than a smartphone. To be flexible and adaptable to multiple workflow scenarios, texting is not enough. A robust communication system can deliver nurse call alerts directly to the appropriate nurse on multiple mobile devices. Nurses might have a Wi-Fi phone, a pager, a tablet, or a voice badge. Whichever device they use, receiving and being able to respond quickly to calls can improve care and patient satisfaction scores. Such a system can also route requests for water, general information, or bathroom assistance to another designated care team member to prevent interrupting nurses unless they are required. 

Similar to supporting nurse call events, being able to alert a provider when patients need assistance but cannot call for help is an important capability that secure messaging apps alone may not provide. A good communication platform can enhance patient monitoring by sending system-generated alarm notifications directly to the appropriate nurse, regardless of their mobile device type, to ensure critical patient conditions are addressed quickly.  

ECRI, a leading patient safety organization, has listed alarms as the top health technology hazard in healthcare every year since its creation 13 years ago and held the No. 1 spot from 2012-2015. Using a clinical alerting solution to integrate a variety of patient care and monitoring systems with staff’s Wi-Fi phones, smartphones, pagers, and/or voice badges speeds notification and response times. It can also promote better, safer patient care. Intelligent software can help accelerate the response time by incorporating the facility’s preset priority levels and using built-in logic to deliver the highest-level alerts first. Quality of care is increased by alerting nurses and other care team members as quickly as possible of a patient emergency.

  3. Simplifying workflows such as patient treatments from request through delivery

A lot of physicians and nurses’ valuable time can be wasted playing phone tag or waiting for orders to come through the EHR. Enhanced communications, including secure messages, can simplify this process.

For example, a nurse requests a nebulizer for patient treatment. Once the physician receives the communication, whether it’s via phone call, email, text, or another method, he or she enters orders remotely via the computerized physician order entry (CPOE) system. A message is sent to the nurse from the EHR when the order is available. By not having to keep checking the EHR for the order, the nurse is able to ensure the patient receives treatment faster.

However, secure messaging alone for this kind of point-to-point communication between providers can fail to do several important things. First, many messaging apps don’t integrate with the hospital’s employee directory and on-call schedules for easy reference. Second, many secure messaging apps can’t support EHR integration to allow fast text notifications. And lastly, most secure messaging apps by themselves do not offer the integration to provide full support for this workflow that a comprehensive communication infrastructure can. 

  4. Expediting and auditing code calls

Minutes, and even seconds, can mean the difference between life and death, so processing codes as quickly as possible is imperative. Code calls are more complicated than just overhead announcements and can require notifying several people and roles at once. In situations like a Code STEMI, the individuals required to respond may not be at the hospital—and they must be alerted on whatever mobile device they carry. An efficient code call response requires that the right people are notified no matter their location or device, and that the situation is monitored, and notifications can be escalated. The integrations required for this complex workflow are not supported by most secure messaging applications. 

Audit trails are also essential in hospitals when it comes to communications. They can help a hospital retrace steps to evaluate efficiency, demonstrate compliance with guidelines from The Joint Commission, offer insight into how to improve workflows, and help reduce litigation expenses. This is particularly true during time-critical situations when knowing the time a message was sent, who received it, when they received it, and the response or escalation action can become crucial. 

The integrated suite remains key whether you’re messaging to smartphones and pagers, sending emergency notifications, or retracing who was on call. A robust communication platform provides better auditing across the organization’s workflows than secure messaging can offer alone. 

  5. Speeding critical test results reporting

At many hospitals, the reporting process for both radiology and lab test results is a manual one involving phone tag, paper documentation, and EHR documentation. This manual process can create a lot of wasted time, especially for emergency department care teams who may have to continually check the EHR for patient test results. 


A secure message can alert the ordering provider that a result is ready and save some of this wasted time, but it misses the opportunity to do a lot more. In a hospital with an integrated communication platform that includes critical test results management in addition to secure messaging, the reporting process can deliver results directly from the laboratory information system (LIS) and the picture archiving and communication system (PACS) to an ordering provider’s mobile device. Radiologists and pathologists can report their findings and send critical results quickly using just a few button clicks on the computer. The system then launches a message and can deliver that message to a smartphone via secure text–it also has the flexibility to send to a pager or email address. The alert coming from the LIS or PACS can include detailed, actionable information if sending to an encrypted device (including encrypted pagers) and follow escalation rules for unacknowledged alerts. If the ordering provider is unavailable, the alert can be escalated to another designated clinician after a set amount of time to help ensure the appropriate person addresses a critical situation quickly. And the entire process includes a clear audit trail. 
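The critical-results flow described above (detail only to encrypted devices, timed escalation, an audit trail of each step), sketched as an added example that is not part of the original page or of any vendor's product. The class names, the 300-second timeout, the simulated acknowledgement delays, and the sample result are constructed assumptions; storing a SHA-256 digest of each message body in the audit entry instead of the body itself is a design choice of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    kind: str          # e.g. "pager", "smartphone_app", "email"
    encrypted: bool    # True only if the message is encrypted end to end


@dataclass(frozen=True)
class Clinician:
    name: str
    device: Device
    # Simulation input (assumption): seconds until this person acknowledges,
    # or None if they never respond.
    ack_after_s: Optional[int] = None


@dataclass(frozen=True)
class CriticalResult:
    patient_ref: str
    test: str
    value: str
    callback_ext: str


@dataclass(frozen=True)
class AuditEntry:
    ts: int             # seconds since the result was released
    event: str          # SENT, ACKNOWLEDGED, ESCALATED or UNRESOLVED
    recipient: str
    device: str
    phi_included: bool
    body_sha256: str    # proves what was sent without copying PHI into the log


def render(result: CriticalResult, device: Device) -> str:
    """Put patient detail in the body only when the device is encrypted."""
    if device.encrypted:
        return (f"CRITICAL {result.test} = {result.value} for "
                f"{result.patient_ref}. Call ext. {result.callback_ext}.")
    return f"Critical result waiting. Call ext. {result.callback_ext}."


def _entry(ts: int, event: str, person: Clinician, body: str) -> AuditEntry:
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return AuditEntry(ts, event, person.name, person.device.kind,
                      person.device.encrypted, digest)


def dispatch(result: CriticalResult, chain: List[Clinician],
             timeout_s: int, start_ts: int = 0) -> List[AuditEntry]:
    """Walk the escalation chain on a simulated clock and return the audit trail."""
    audit: List[AuditEntry] = []
    now = start_ts
    for i, person in enumerate(chain):
        body = render(result, person.device)
        audit.append(_entry(now, "SENT", person, body))
        if person.ack_after_s is not None and person.ack_after_s <= timeout_s:
            audit.append(_entry(now + person.ack_after_s, "ACKNOWLEDGED",
                                person, body))
            return audit
        # No acknowledgement inside the window: move to the next designee.
        now += timeout_s
        event = "ESCALATED" if i + 1 < len(chain) else "UNRESOLVED"
        audit.append(_entry(now, event, person, body))
    return audit


def demo() -> List[AuditEntry]:
    # Constructed sample data, not taken from any real system.
    result = CriticalResult("MRN-TEST-0001", "Potassium", "6.9 mmol/L", "5550")
    chain = [
        Clinician("ordering-md", Device("pager", encrypted=False)),
        Clinician("covering-md", Device("smartphone_app", encrypted=True),
                  ack_after_s=45),
    ]
    return dispatch(result, chain, timeout_s=300)


if __name__ == "__main__":
    for e in demo():
        print(e.ts, e.event, e.recipient, e.device,
              "PHI" if e.phi_included else "no-PHI", e.body_sha256[:12])
```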

By integrating these systems with the EHR and automatically populating a patient record with test results, administrative time spent tracking dictations, maintaining a document log, copying and pasting information, and making phone calls can be significantly reduced. In addition to helping providers save time, patients and families will appreciate faster care. In critical situations, of course, faster care can mean better outcomes. But if results are normal and a patient can be discharged, reducing wait time and going home sooner can mean happier, more satisfied patients. 



  6. Promoting patient well-being

Overhead paging announcements, nurse or voice badges, and hallway conversations are likely to disturb patient sleep. Reducing these sources of noise and taking greater care with patient alarm notifications can make significant improvements in the perceived quietness of the environment, promoting a more restful environment for patients and creating an overall better care experience.

Secure messaging among staff members is a discreet form of communication because sensitive information is not being spoken and potentially overheard. This reduction in hallway conversations means less disturbance for patients in addition to better protection of the protected health information details of their cases. 

Combining secure messaging with mobile device notifications can provide a quieter environment on multiple fronts. First, by routing patient alarm notifications directly to the appropriate staff, they can respond faster and quiet the machine generating the alarm sooner. Also, by integrating monitoring equipment alarms with staff assignment systems, nurse call and patient monitoring notifications can go straight to the appropriate patient care provider’s mobile device, reducing overhead paging because staff do not need to be tracked down. 

  7. Improving handoffs and patient flow

There are many standard communication processes in your hospital that involve handoffs and specific actions. For example, a patient is discharged, and the room needs to be turned over in preparation for the next patient. A physician places STAT orders and needs the pathology results as soon as possible. A patient is waiting for transport to radiology for a scan. The Joint Commission estimates communication gaps, often with a handoff, contribute to 80% of medical errors.

These and other workflows happen continually. Your goal is to make the handoff points seamless using the right technology and mobile capabilities that extend beyond secure texts. These types of information transfers often involve HL7 data (a standardized data format used to easily share information among different healthcare systems). Using HL7 feeds to direct data being generated by clinical and information systems can make processes smoother by delivering valuable information to the right people quickly. In particular, these feeds can be generated, sent, and recorded by clinical applications for EHRs, patient movement, health information systems, and critical test results. 

For example, coordinating the discharge process and readying beds for use can be sped up and simplified with automated messaging to alert nursing, transport, and housekeeping—and other necessary departments, such as infection control and the pharmacy. 

Secure messaging may be an important component of this process, but it is merely a small piece of the larger workflow automation. With a strong communication infrastructure in place, you can capture this information and deliver new levels of efficiency in your hospital. 

  8. Securing protected health information (PHI) and other sensitive data

The amount of sensitive information floating around hospitals is staggering. Social Security numbers, insurance details, and of course, highly personal records about patient conditions are some of the many examples. All of this is considered protected health information that hospitals are responsible for watching over and protecting from unauthorized access at all times.  

Simple SMS texting that comes standard on smartphones is not a secure form of communication when it comes to PHI, yet this method is often used in hospitals despite warnings against it. To mitigate the risks related to relying on SMS, hospitals can provide an alternative in the form of a messaging app that maintains the security of information sent and received. However, the value of a stand-alone secure messaging app is usually limited by the contacts in any individual’s contact list. 

Supporting staff in their clinical workflows means allowing integrated access to the full staff directory, on-call schedules, and device preferences to reach the right people by name or role (e.g., the on-call cardiologist). Beyond these integrations and message encryption, also look for an application that offers application lock, automated message removal, and a password-protected inbox. Administrators should also be able to complete a remote device wipe to remove messages from a smartphone that has been lost or stolen. 

While secure messaging plays a role in a hospital’s overall communication infrastructure, it is merely one piece of a much larger picture. Giving physicians, nurses, support staff, and others the proper communication tools helps them put more focus where it belongs—helping patients get better. 

Rolling it out


Pre-deployment checklist 

For all projects, success begins with careful planning. When rolling out a secure messaging solution, pre-deployment activities revolve around researching and defining details such as who the users are, which applications they’ll access, and what devices they’ll use. 

  1. Define your users 

The first question to ask is who needs to use what device. Think about departments throughout your hospital, from patient floors to the lab to transport. Who has pagers, Wi-Fi phones, voice badges or other mobile communication devices today? Does their usage require inclusion in a mobility strategy to promote efficient workflows and secure patient information? Would other devices be more appropriate for specific workflows? 

  2. Determine what applications/systems your users will need to access

After determining who your users are you can identify which systems and applications they will need to access. Examples include drug references, directory lookup, on-call information, the electronic health record (EHR), and alerts from clinical systems.  

Note that determining what users need to access is an important step in determining which communication networks (e.g., Wi-Fi) they should use. 

  3. Identify exactly which smartphones and tablets are in use at your organization

Use a survey to determine what platform, model, carrier, and version of smartphones/tablets employees have. Understanding this information up front will help you plan your operational processes and what level of support you can/are willing to offer. 

  4. Establish who will pay for devices and cellular/data plans

Determine what your organizational policies are as far as who pays for what. Do you allow only hospital-issued devices? Are you a bring-your-own-device (BYOD) facility? Are both methods used for different departments or positions? 

Answers to these questions help you then determine who will pay for the hardware, cellular, and data plans, whether that means individuals, departments, or other groups. This will also affect how much control you have over how devices are being used. 

  5. Maximize your coverage

Determine what coverage limitations exist in your facility by testing all cellular carriers and each Wi-Fi network you have, and possibly look for other coverage options. Also, enabling devices to use both the cellular and Wi-Fi networks in your building will expand coverage.  

Consider Wi-Fi network login requirements. Can these be programmed to occur automatically so users do not have to log in every day? 

  6. Consider your disaster response procedure

Beyond the day-to-day workflows and processes, how do mobile devices fit into your disaster response procedures? Which staff members carry pagers in the event cellular/data networks become jammed during a wide-scale disaster? Are cloud-based redundancy options required in the event of a data center outage? 

  7. Roll out the product in your IT/Telecom Department

Do a small, five- to 10-user rollout in IT/Telecom to test the solution and policies. This also helps ensure you know how the product works and can support it.

  8. Join a user group

Ask your secure messaging vendor about joining their user group. Attend regular meetings to learn how others are managing their deployments and what lessons they’ve learned in the process. 

Initial trial

After establishing your goals and criteria for a mobility strategy (the who and what), it is time to explore the how with small trials outside of your IT group. This is also the perfect opportunity to discover unforeseen hurdles, flesh out more plan details, and learn tricks to rolling out the solution successfully to larger groups. Your goal is to build excitement among the user community for this new technology. Getting buy-in from the right people is key. 

  1. Selection of trial users 

Select a cross-section of employees using different devices who work in different areas of the hospital. Be sure to include clinical users in the initial deployment and use existing messaging processes/devices side by side with the new solution. This can help build confidence and market the availability of the solution within clinical departments. Finding a clinical leader to champion your efforts will be extremely beneficial to overcoming obstacles.

  2. End user training

Determine the best way to train new users in your organization. Oftentimes a combination of approaches will ensure users understand the product and your operational procedures and expectations. Consider the following: 

  • One-on-one training in the office 
  • Webinars — both live and on-demand options 
  • Establishing a ‘super user’ within your team who is the go-to resource for pop-up training needs 

  3. Build operational processes

Determine how users will sign up for your new secure messaging solution, including who they will contact in your organization. Will they send an e-mail to IT/Telecom, submit a web ticket, or visit the IT office in person?   

Define your policy for lost devices. Consider details such as what someone should do if a device is lost or forgotten at home. Does your facility provide spares? Can you forward messages to a pager/other device to ensure shift coverage? Is the employee financially responsible for anything if the device is owned by the hospital? 

Establish the procedures for communication devices in the operating room (OR). Will messages be forwarded to other users for a specified period of time? Will a designated staff member be given access to devices during surgery? Are messages to be forwarded to an operating room display or other device within the OR?  

Collaborate with clinical staff to gain buy-in on how the application fits into their communication processes. How will your new solution change interaction with operators? Will call-backs no longer be required? When and for what reasons should users reply to messages? How much time will new processes save caregivers and other staff? 

  4. Train message senders on availability of delivery receipt information

Provide training on the meaning of message response status and determine your protocols for declined or undelivered messages, including escalation rules. 

  5. Develop battery life best practices

Educate users on the need to charge smartphones every day and deploy charging cables in common areas for back-up. For emergencies, keep a stock of external chargers and battery packs. Develop a plan for handling devices that lose their battery life. 

Final phase

At this point in your deployment, most of the details have been filled in and you will have a solid mobility strategy document for your facility. Initial trials should have identified most technological and procedural issues and given you the opportunity to start developing internal champions to assist with the final phase — rolling out the application across your organization. 

  1. Market the application’s availability 

Let departments know that the capability now exists for messaging to users carrying smartphones and tablets. Catch attention with email, posters, newsletters, and kickoff events to generate excitement and let users know how to sign up/get the application. Positive word-of-mouth is your best marketing tool. 

  2. Expect questions

You will receive many questions during the first 48 hours after product rollout. Expect very basic questions. Some users may not know what the App Store or Google Play are or how to silence their phone. Don’t worry, the questions will quickly subside once the basics are out of the way. 

  3. Communicate value

Ensure that you communicate the value of “what’s in it for me.” This is a great way to employ the champions you identified during initial trials. Get them to tell the story for you and share what they’ve learned and experienced. Messages from other clinicians will be the most powerful at eliciting change within the organization. Highlighted benefits might include less time spent calling back to confirm receipt of a message, the ability to message anyone in the organization from the mobile device, and message security and traceability. 

  4. Monitor usage

Look at the adoption rate and usage of the new secure messaging solution. Are there certain areas where more communication would be beneficial to boost compliance? Are there workflows that could be further modified to promote adoption of the application? 


A mobility strategy is a complex series of considerations, and it will likely continue to evolve. Harnessing the diversity of mobile devices used in the delivery of patient care truly is possible, especially with the right plan and enterprise solution. 

The healthcare environment is complex and constantly changing, but technology exists that can assist with security and communication challenges. Specially designed apps, especially those built specifically for healthcare, offer secure interoperability with virtually all communication output devices. Whether your organization uses in-building wireless phones, LED signs, voice communication badges, pagers, smartphones, or even all of them in the same facility, there are ways to send staff alarms and updates on the appropriate devices at all times. 

Effective communication is a central part of care delivery—communication among providers, between technology systems and caregivers, and among providers and other staff. A unified, integrated communications infrastructure makes many of those communications trackable, more efficient, more convenient and more secure, leading to better outcomes and a better care experience overall. And when seconds count during a code or the reporting of critical test results, vital information needs to reach the right people quickly.

Encryption, accompanied by the right administrative policies and standards, can and should be employed by healthcare organizations as they work to safeguard their patients’ sensitive data. Implementing security standards around communication doesn’t need to interfere with the important work of medical professionals. It can be a seamless enhancement to better patient care.