So, in my post last week , I described why I don’t think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me–it’s the same protocol used by banks and is approved by the government for the transmission of top secret information.
I used an analogy in that post that I’m going to continue this week. Basically, I started with talking about how firewalls are like the guard at the desk by the door of a factory. For review, here,
- the factory (and its grounds) are like your home network,
- the goings on at the cafeteria are like the Skype program running on your computer,
- the guard is like your firewall, and
- “Should we tighten up security at the guard’s station?” is like “Can firewalls help make Skype more secure?”
I talked about firewalls last time and how concerns about firewalls are like concerns about the security procedures at the front desk. In general, front desk security is a good thing, but won’t do much to solve a problem in the cafeteria if some rascal there has a valid ID card.
I would like to go with this analogy again. There’s a lot of ways that security could fail in terms of nefarious goings-on at the cafeteria, and those ways are just like the potential security problems of Skype.
- Skype’s program could have a bug in it which someone could exploit. I.e., if someone knows something like putting in a contact with a name that is 50,000 characters long lets that person access some internal aspects of Skype that they aren’t supposed to, then that could be a problem. This is like having someone who works for the factory responsible for the nefarious things in the cafeteria. Here, they are just stealing from the factory.
- More worrisome is something like someone from the outside impersonating someone who has a valid ID. The bad guy gets in by pretending to be someone who works there, and then does his nefarious deeds. The analogous thing for Skype would be for someone to make a specially modified program, convince you to download it, and then have you install the modified program. As far as I know, there are no programs that do something bad while masquerading as Skype, but I have noted the same sort of malware on Skype IM’s that appear regularly in everyone’s email, basically a bogus message saying that you need to go to some URL and install fake antivirus software, or update some kind of program that you already have, such as Adobe Acrobat.
I tend to be very suspicious of these kind of messages anyway so I hope that I, at least, wouldn’t fall for this nonsense, but I can certain see a naive user getting one of these malware spam messages and installing something that would infect their computer with a virus.
A program that works like Skype but does something bad could probably be written, but since this would be a direct shot at Skype, I suspect that Skype would respond quickly and effectively (or else they would be out of business.)
One thing that is possible, but not particularly worrisome to me is that someone could hack my or my patient’s password and pretend to be someone they are not. There is a big reason why I don’t think this would be a problem in my practice. I always see the patient face to face first, before I do Skype sessions with him or her. As long as the impostor is showing me video, then this exploit would be easy to see through.
So far as I know, HIPAA doesn’t certify software as being HIPAA compliant or not. Instead, as best I can understand, various companies claim HIPAA compliance and I guess they could be sued if they were negligent someone.
As far as I know, no one has brought up substantive HIPAA issues regarding cell phones, but every argument I’ve given on this subject would appear to apply to cell phones as well as Skype.
I think the bottom line here is that having some informed consent from the patient is essential, but that some of the discussion regarding HIPAA and Skype may be more based on commercial interests (such as the people who give the seminars on HIPAA compliance) than on believable threats to the security of patient information.
If someone bugs your landline at your office, wouldn’t they be able to gather lots of information? Do you sweep your office for bugs daily? Maybe so, but I suspect that most people would say that trying to absolutely guarantee the privacy of anybody’s practice is impossible. If someone wanted to sue you after a bad guy tapped your phone, do you really think that the government would come after you? What if someone broke into your practice at night, broke open the file cabinets, and looked through someone’s information? (Didn’t this happen during Watergate?) What if the CIA kidnapped you and put a video camera in your nose?
This is beginning to sound a little weird to me…
Lots of things to worry about here for the nervous Nellie’s. The only one I find credible is malware which masquerades as Skype, but then, malware could masquerade as your EHR software, couldn’t it?