WHY SMS IS NOT HIPAA COMPLIANT *
*or, more accurately, “Why SMS does not support HIPAA compliance”

TYPICAL DATA FLOW OF A TEXT MESSAGE OVER A GSM NETWORK

This diagram has been simplified to illustrate the movement of text message data through a typical GSM (Global System for Mobile Communications) network. In particular, the message acknowledgement process as well as routing requests through the Home Location Register (HLR) and the Visitor Location Register (VLR) have been omitted.

1  Sender submits text message, which contains the short message (SM) text, destination address, and address of the SMS Center (SMSC); handset sends the message over the air (OTA).

2  Signal received by tower and processed by the base station and then sent to the Mobile Switching Center (MSC).

3  MSC routes the message to the SMSC identified in the message.

4  The SMSC stores a copy of the message where it is retained for a period of time known as the “validity period”. The SMSC simultaneously attempts to deliver a copy of the message to the recipient. In order to locate the recipient, the SMSC sends a routing request to the Home Location Register (HLR). The HLR locates the recipient and sends correct routing information back to the SMSC.

5  The SMSC then forwards the message to the recipient’s servicing MSC. The MSC will request the recipient’s current location from the Visitor Location Register.

6  The MSC routes the message to the correct base station.

7  The message is processed by the base station and transmitted to the recipient’s handset.

[Diagram: BASE STATION -> MOBILE SWITCHING CENTER -> SMS CENTER -> MOBILE SWITCHING CENTER -> BASE STATION]

SECURITY VULNERABILITIES

A  PHYSICAL SECURITY
The physical security of the phone or other mobile device itself represents the greatest vulnerability for information being inappropriately accessed. In a default configuration, devices do not require a user to authenticate with security credentials to access device applications and data. Additionally, information is stored in clear text, or unencrypted, in the native messaging application where it can be readily accessed, manipulated and/or removed. Finally, if a device is lost or stolen, there is no way to remotely lock or wipe data to prevent unauthorized access.

B  EAVESDROPPING
During OTA transmission, the signal - including voice and text data - is optionally encrypted (meaning it is up to the specific carrier) using a weak and broken stream cipher (A5/1 or A5/2). Both A5/1 and the encryption algorithm used to secure GPRS (General Packet Radio Service) have been broken within the last couple of years, demonstrating the susceptibility of these transmissions to eavesdropping.

C  INTERCEPTION
As the SMS message is sent from the base station to the MSC and then on to the SMSC, it passes over the carrier’s network unencrypted, making it susceptible to interception.

D  STORE & FORWARD
When the SMS message arrives at the SMSC, a copy is stored in clear text on the carrier’s server where it is held for the “validity period”, pending successful delivery of the message. While the GSM implementation of SMS allows the sender’s SMSC to deliver the message directly to the recipient’s MSC, CDMA (which includes both Sprint and Verizon networks in the US) requires a copy of the message to be sent to the recipient’s SMSC where a copy of the message is also stored and forwarded. This means that for messages sent within CDMA or across networks (GSM <-> CDMA) at least two copies of the message are retained in clear text, accessible by carrier personnel with SMSC access. Finally, even more copies of the message may be stored if one or more SMS gateways are used to facilitate message delivery across carriers using incompatible technologies.

© 2012 qliqSoft, Inc. All rights reserved.
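The seven-step delivery path and the four vulnerability classes above lend themselves to a small model that counts where a message body is exposed: in transit on the carrier core (interception), on the air interface (eavesdropping), and at rest in each storing node (store and forward). The following is an added example, not part of the qliqSoft infographic. The node names follow the diagram; the rule that each SMS gateway is one more storing node, and the comparison case in which the sender encrypts the body at the application layer before it enters the SMS path, are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hop classes, following the infographic's description of the GSM path:
#   OTA   - handset <-> base station; optionally protected by A5/1 or A5/2 (vulnerability B)
#   CORE  - base station -> MSC -> SMSC and SMSC -> MSC; unencrypted on the carrier network (C)
#   STORE - an SMSC (or gateway) that keeps a copy for the validity period (D)
OTA, CORE, STORE = "ota", "core", "store"


def build_path(recipient_network: str, gateways: int = 0) -> List[Tuple[str, str]]:
    """Ordered (node, hop_class) list for a message from a GSM sender.

    recipient_network: "gsm"  - the sender's SMSC delivers straight to the recipient MSC
                       "cdma" - a second SMSC on the recipient side stores and forwards a copy
    gateways: SMS gateways bridging incompatible carriers; each is modelled as one more
              storing node (assumption made for this example).
    """
    if recipient_network not in ("gsm", "cdma"):
        raise ValueError(f"unknown network: {recipient_network}")
    path = [
        ("sender handset -> base station", OTA),
        ("base station -> MSC", CORE),
        ("MSC -> sender SMSC", CORE),
        ("sender SMSC", STORE),
    ]
    path += [(f"SMS gateway {i + 1}", STORE) for i in range(gateways)]
    if recipient_network == "cdma":
        path.append(("recipient SMSC", STORE))
    path += [
        ("SMSC -> recipient MSC", CORE),
        ("MSC -> base station", CORE),
        ("base station -> recipient handset", OTA),
    ]
    return path


@dataclass
class Exposure:
    retained_cleartext_copies: int = 0    # store-and-forward: readable copies at rest (D)
    retained_ciphertext_copies: int = 0   # copies at rest that carrier staff cannot read
    cleartext_transit_hops: int = 0       # interception points on the core network (C)
    weak_cipher_ota_hops: int = 0         # eavesdropping points on the air interface (B)


def assess(path: List[Tuple[str, str]], app_layer_encrypted: bool) -> Exposure:
    """Tally where the message body is exposed along the path.

    app_layer_encrypted=True models the sender encrypting the body end to end before
    it enters the SMS path (an assumption for this example, not something the page
    describes): the same hops are traversed and the same copies are retained, but
    every carrier node only ever holds ciphertext.
    """
    e = Exposure()
    for _node, hop_class in path:
        if hop_class == STORE:
            if app_layer_encrypted:
                e.retained_ciphertext_copies += 1
            else:
                e.retained_cleartext_copies += 1
        elif hop_class == CORE and not app_layer_encrypted:
            e.cleartext_transit_hops += 1
        elif hop_class == OTA and not app_layer_encrypted:
            e.weak_cipher_ota_hops += 1
    return e


def report(recipient_network: str, gateways: int, app_layer_encrypted: bool) -> str:
    """One human-readable line per scenario."""
    e = assess(build_path(recipient_network, gateways), app_layer_encrypted)
    mode = "e2e-encrypted payload" if app_layer_encrypted else "plain SMS"
    return (f"GSM -> {recipient_network.upper()} via {gateways} gateway(s), {mode}: "
            f"{e.retained_cleartext_copies} cleartext copies at rest, "
            f"{e.cleartext_transit_hops} cleartext core hops, "
            f"{e.weak_cipher_ota_hops} weak-cipher OTA hops")


if __name__ == "__main__":
    for net, gw in (("gsm", 0), ("cdma", 0), ("cdma", 1)):
        print(report(net, gw, False))
        print(report(net, gw, True))
```

Running the script reproduces the infographic's arithmetic: one cleartext copy at rest for a GSM-to-GSM message, two once a CDMA recipient SMSC is involved, and one more for every gateway on the path, plus four cleartext core hops and two air-interface hops whose protection is left to the carrier. The encrypted comparison case shows what application-layer encryption does and does not change: the copies are still retained for the validity period and the hops are still traversed, but none of them hold readable ePHI, which is why the exposure moves back to the handsets at either end (vulnerability A) rather than disappearing.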
HIPAA CONSIDERATIONS

According to the HIPAA Security Rule, Covered Entities and Business Associates acting on their behalf are required to implement a number of technical and non-technical safeguards if they transmit or otherwise maintain electronic protected health information (ePHI). As a result, if a member of a Covered Entity or one of its Business Associates uses SMS-based text messaging to transmit PHI, then the Covered Entity or Business Associate is required to comply with the safeguards outlined in the Security Rule.

Based on the security vulnerabilities described above, Covered Entities and Business Associates confront the following compliance challenges when sending PHI via SMS:

ADMINISTRATIVE SAFEGUARD CHALLENGES
... applied across all of the organizations involved in the transmission and delivery of SMS messages.
... ePHI with regard to access and audit controls, or personnel management. In SMS systems, there is no reliable means of identification of ePHI, and therefore no reliable means of segregation of the data for the purpose of focusing security controls. This condition also makes fulfillment of the required terms for Business Associate Agreements not feasible.

PHYSICAL SAFEGUARD CHALLENGES
... controls without defeating the core purpose of consumer wireless communications
... compliance; however, infrastructure beyond the domain of the core facility, third-party providers and non-regulated facilities in foreign countries cannot be reliably managed.

TECHNICAL SAFEGUARD CHALLENGES
... not be implemented across heterogeneous networks and a disparate subscriber base.
