Building a strong, secure communication system for healthcare organizations

How to design a compliant unified communication tool for the healthcare industry

Download white paper

Designing the ideal communication system

Unified communication tools need to connect all personnel across locations, divisions, departments, and functions. A unified system should:

  • Be flexible and extensible—enabling adaption to future needs.  

  • Support multiple communication methods (voice, text, data, video).  

  • Integrate with existing systems.  

  • Put the user experience at the forefront rivaling widely-used mobile communication platforms (WhatsApp and Facebook Messenger).   

  • Cater to user requirements by including unique, job-enhancing features based on real scenarios.   

  • Increase operational efficiency while being secure and HIPAA compliant.  

Defining the MVP

Having a good understanding of the problems, the complexity of security and HIPAA requirements to address for our client, we set our implementation plan in motion. We went back to the interviewees and groups we engaged with to diagnose the problem to validate the MVP. We shared wireframes and prototypes early and often with this group, allowing them to guide the solution and feel involved in the process.

The result

We built a HIPAA-compliant basic messenger app (including encryption).  We developed and released the MVP in just 6 weeks.  

We didn’t want (doctors) to have to worry about navigating many channels. Instead, we wanted to offer one channel and provide many opportunities within that channel.

- Senior VP of Information Technology 

Cross-platform, cloud-native  

  • This secure, HIPAA-compliant tool includes TouchID for employees and providers. 

  • The cross-platform mobile strategy allows for fast go-to-market and code reusability, lower cost of maintenance.  

  • Cloud-based architecture and micro-services provide room to scale and adapt to load requirements. 

Roles and contacts

This MVP is user-friendly, efficient mobile text messaging platform. This platform enables secure transmission of group messages based on roles so that schedulers and recruiters can contact specific groups of physicians at once. 

Messages are encrypted in transit so that employees and doctor partners could communicate about patients and be HIPAA compliant. 

The product features a contact directory structure—eliminating the need to look up and maintain contact information. 

Users can send direct, group, and broadcast messages in the system. Immediate access to the directory and groups helps send messages more efficiently. 

Push notifications  

Activity alerts help providers and staff stay informed and increased the speed of responses, ultimately, helping encourage user adoption.

 Considering security

HIPAA has a long, long list of security requirements. At a high-level, regulations are broken out into 3 safeguard areas:     

  • Administrative: Evaluate risk and vulnerabilities for Protected Health Information (PHI). 

  • Physical: Prevent unauthorized access.  

  • Technical: Ensure data security. 

Reminder: The stakes of non-compliance are high since penalties can be significant. 

When creating a healthcare communication product, security is critical.

User authentication  

In the simplest of terms, authentication is providing proof (password, face/voice ID) that you are whom you say you are.  For HIPAA compliance, passwords must be regularly changed and have some level complexity (e.g., ElephanTcake$1!). 

Reduce user frustration by integrating with their existing enterprise accounts using single sign-on (SSO). SSO allows for greater control over communications and in some cases (such as OKTA) provide the built-in ability to: 

  • Manage user access

  • Manage user roles  

  • Isolate authentication issues  

  • Handle password resets

Add-in a requirement for users to re-authenticate for idle sessions. Failure to re-authenticate using a method above would cause the app to log out, erasing all existing data in memory. Depending on the platform you are developing for, you may want to add in some extra precautions such as: 

  • Phone lock 

  • Computer lock 

  • App lock with fingerprint/passcode 

  • Auto-logout of sessions

Data encryption 

In the unfortunate case where access to infrastructure or user data is compromised, encryption makes it difficult for the infiltrator to get to the data. All electronic PHI must be encrypted to follow NIST standards once it travels beyond firewalls. Include SSL to encrypt server and user communications. Secure all HTTP or WS requests with TLS/SSL which is now the de facto standard. 

Be mindful of the following:  

  • Server-side encryption 

  • Encryption in transit 

  • Encryption at rest

Store as little data as possible on devices and the web—making minimal queries to the API service and keeping data in active memory. Unfortunately, this strategy is not ideal when apps must support off-line capabilities. Alternatively, consider encrypting the data on rest and decrypting when putting it into active memory. Admittedly, this is a bit challenging, since secure keys for decryption must be stored which is more difficult on browsers.   

Permanent data deletion 

HIPAA guidelines state that you must delete any data not relevant to your business. If a patient or client leaves an organization, the company is obligated to delete their data forever. In other words, when they go, so does their data.    

Restrict access 

The title is a bit of a spoiler here. Restrict access for information so that only admins can access it. Users can only access their data. 

PHI disclaimers and acceptance 

Even with security, encryption, and authentication covered, one of the best ways to ensure users with access to PHI is to warn them. Add disclaimers and pop-up reminders in the app which warn against re-distribution of PHI to unintended parties and ensure end-users accept them. 

Building in data analytics

Data analytics are an essential part of any software application. They enable the team with information to measure successes and failures which drive intelligent decision-making. We used a data-informed product prioritization strategy designating clear metrics tracking back to the service blueprint to measure success (and inform future workflows).   

Metrics for success 

To track adoption for our healthcare client, we measured a few factors such as: 

  • App downloads 

  • User logins by type 

  • Messages exchanged 

  • Daily, weekly, and monthly active users 

  • General feature usage and non-usage 

Factor in the business goals for the product (such as increasing operational efficiency and profit by a certain amount or percentage) and what application success would look like (increasing adoption and feature usage). 

Create a tracking plan of events, triggers, and attributes that tie back to these goals. Consider using third-party analytics tools to monitor trends and events such as Google Analytics, Mixpanel, or Adobe Analytics. Make sure no PHI is sent with events and attributes to these systems. 

Build a feedback-gathering mechanism into the communication tool for quantitative data that cannot be measured through analytics. Alternatively, using methods such as surveys, focus groups, and interviews also give insight into the performance and user experience. Be sure to respond to the data you glean when designing system improvements. 

Consider setting up your Amazon Web Services (AWS) infrastructure to enable HIPAA security for your database and file storage. Most AWS storage services (EC2, S3, RDS, EB) are HIPAA certified.

Continuously delivering = Continuous success

As you collect user feedback, you may need to pivot or push updates quickly to meet the demands of users. To do this, you should have a CI/CD pipeline in place (which includes automated testing and deployments to production). The specific technology used may vary, but the objectives of a proper CI/CD pipeline are always the same.  

  • Increase efficiency. Reduce the time required to establish development environments. 

  • Reduce cost. Eliminate the cost of unused environments. 

  • Deploy code quicker. Get the code to the team fast. Do not bottleneck any stage of development. 

  • Embrace iteration and information sharing. Showing accomplishments early and often allows the team and users to provide feedback and adjust the product during development. 

We leveraged a CI/CD pipeline and automated deployment of the app directly to iOS and Android app stores allowing us to pilot the release of the MVP. This was the first release of many (20+ versions).  

We were able to facilitate the core features really quickly. When we deployed our first app within 6 weeks, we thought this is remarkable. That was really beneficial in kick-starting our MVP product. 

- Senior VP of Information Technology

Releasing & Piloting  

Releasing the MVP to market with pilot users allowed us to get over the complexities of deploying to app stores and production, gather early user feedback, and iterate.

Most enterprises often overlook the administrative and non-technical work that is required to release the product to production. Along the way, consider including the following to make your release less painful:  

  • End-User License Agreement (EULA) 

  • Privacy policy. Ensure legal review of EULA/privacy policy cover HIPAA guidelines as it relates to the distribution of PHI to intended parties through the communication tool. 

  • Support information. Provide HIPAA-related support and contact information for users to report issues. 

  • FAQ. Cover things like compliance and feature usability. 

  • App store content and screenshots.

Devise an adoption strategy  

Promote the communication tool to users. Be sure to note the value of the tool and show them how to use it. Then, track usage and gather feedback.  

If these pilot users are satisfied, they urge other employees to use the app, resulting in a network effect of adoption. Once comfortable with the pilot adoption and feedback, release the tool in full, offering continued outreach and education (possibly including incentives to generate excitement). As part of this education, be sure to emphasize how the new tool improves the lives of users.    

We’ve seen an 86% adoption rate which is phenomenal in the physician community. We continue to monitor and have metrics and analytics to ensure the feature’s we’re deploying are meaningful and being used and we’ve got adoption.

- Senior VP of Information Technology 

Feedback showed there was significant adoption for the basic communication tool. Users quickly wanted more workflow integrations to streamline their communications further. The increased demand from users validated findings from our discovery phase and supported our goals of increasing our operational efficiency and profits. 

Continue to:Integrate workflows