I got a couple of comments a month ago regarding Skype security and in response to my previous post “Is Skype HIPAA-compliant?“ Marlene Maheu at the TeleMental Health Institute’s Center for Online Counseling and Psychotherapy has a blog post on Telehealth.net in which she voices some concerns about Skype security and in which she references an article by Jacqueline Herships titled “No More Hacking.”
Basically, Dr. Maheu points out that there is a lack of potential information about the security and reliability of Skype. Assuming that the security information on the Skype website is correct, then I think I can answer a couple of the good questions that Dr. Maneu asks.
Rather than thinking about things like firewalls (which are pretty nebulous to most people), a better way to understand what the relationship of firewalls to Skype security is to use an analogy. Suppose that you are the director of security for a factory and that you’ve been asked to investigate some nefarious things going on in the cafeteria and to straighten them out. Someone asks you if tightening up security at the guard’s station at the front door to the factory would help.
- the factory (and its grounds) are like your home network,
- the goings on at the cafeteria are like the Skype program running on your computer,
- the guard is like your firewall, and
- “Should we tighten up security at the guard’s station?” is like “Can firewalls help make Skype more secure?”
If you were the directory of security at the factory, I’m sure that you would answer something like: “It depends on how the nefarious things are happening. If some unauthorized people are getting into the factory, beefing up security at the door will help keep these kinds of people out, but if the person’s got a badge to get in, focusing on the guard at the door isn’t going to make any difference.”
Skype security is pretty similar. Having a good firewall is pretty much a must on any Internet-connected computer these days, but I don’t think changing the firewall is going to make that much difference in Skype security, any more than replacing one competent guard at the factory’s front door with another is necessarily going to solve the problems at the cafeteria. It probably it pays to investigate what’s happening at the cafeteria, rather than at the front desk.
Skype hasn’t made all the details of its security system known, but it does have a lot of information online, and, assuming that they are telling the truth, it sounds like Skype is at least a secure as a cellphone conversation, and, as far as I know, every psychiatrist I know talks to people on cell phones without worrying that much about HIPAA violations.
Skype and modern cellphones use the same basic protocol to communicate (packet switching), but basically what happens is that when you make a call, Skype or your cellphone operator sets up a connection between you and the person you are calling and then steps out of the way, leaving you and that person to talk as if you had your own circuit. Both Skype and cellphones encrypt the data they send. If anything, the AES encryption method used by Skype is probably more secure than the 30-year old A5/1 encryption method used in most cellphones. AES is approved by the government for top secret information while A5/1 has already been partially broken.
I think that the real security issues with Skype (or with cellphones) are probably more with things like whether the government can compel Skype or your cellphone operator to tap into your conversations than with details of encryption or firewalls.
Until then, I think that doctors should give up talking to patients on cellphones before they get worried about whether Skype is secure.
There’s a lot more to think about with Skype security other than whether just this protocol is sufficiently secure. There are other issues which are also important, related (back to the analogy with the guard at the factory with which I started this post) to things like corrupt guards, corrupt employees and the like, which also merit some consideration, and I’ll discuss them in a future post.