Skip to content

Is Skype HIPAA-compliant?, Part III

So, in my post last week , I described why I don’t think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me–it’s the same protocol used by banks and is approved by the government for the transmission of top secret information.

I used an analogy in that post that I’m going to continue this week. Basically, I started with talking about how firewalls are like the guard at the desk by the door of a factory. For review, here,

  • the factory (and its grounds) are like your home network,
  • the goings on at the cafeteria are like the Skype program running on your computer,
  • the guard is like your firewall, and
  • “Should we tighten up security at the guard’s station?” is like “Can firewalls help make Skype more secure?”

I talked about firewalls last time and how concerns about firewalls are like concerns about the security procedures at the front desk. In general, front desk security is a good thing, but won’t do much to solve a problem in the cafeteria if some rascal there has a valid ID card.

I would like to go with this analogy again. There’s a lot of ways that security could fail in terms of nefarious goings-on at the cafeteria, and those ways are just like the potential security problems of Skype.

  • Skype’s program could have a bug in it which someone could exploit. I.e., if someone knows something like putting in a contact with a name that is 50,000 characters long lets that person access some internal aspects of Skype that they aren’t supposed to, then that could be a problem. This is like having someone who works for the factory responsible for the nefarious things in the cafeteria. Here, they are just stealing from the factory.
  • More worrisome is something like someone from the outside impersonating someone who has a valid ID. The bad guy gets in by pretending to be someone who works there, and then does his nefarious deeds. The analogous thing for Skype would be for someone to make a specially modified program, convince you to download it, and then have you install the modified program. As far as I know, there are no programs that do something bad while masquerading as Skype, but I have noted the same sort of malware on Skype IM’s that appear regularly in everyone’s email, basically a bogus message saying that you need to go to some URL and install fake antivirus software, or update some kind of program that you already have, such as Adobe Acrobat.

I tend to be very suspicious of these kind of messages anyway so I hope that I, at least, wouldn’t fall for this nonsense, but I can certain see a naive user getting one of these malware spam messages and installing something that would infect their computer with a virus.

A program that works like Skype but does something bad could probably be written, but since this would be a direct shot at Skype, I suspect that Skype would respond quickly and effectively (or else they would be out of business.)

One thing that is possible, but not particularly worrisome to me is that someone could hack my or my patient’s password and pretend to be someone they are not. There is a big reason why I don’t think this would be a problem in my practice. I always see the patient face to face first, before I do Skype sessions with him or her. As long as the impostor is showing me video, then this exploit would be easy to see through.

So far as I know, HIPAA doesn’t certify software as being HIPAA compliant or not. Instead, as best I can understand, various companies claim HIPAA compliance and I guess they could be sued if they were negligent someone.

As far as I know, no one has brought up substantive HIPAA issues regarding cell phones, but every argument I’ve given on this subject would appear to apply to cell phones as well as Skype.

I think the bottom line here is that having some informed consent from the patient is essential, but that some of the discussion regarding HIPAA and Skype may be more based on commercial interests (such as the people who give the seminars on HIPAA compliance) than on believable threats to the security of patient information.

If someone bugs your landline at your office, wouldn’t they be able to gather lots of information? Do you sweep your office for bugs daily? Maybe so, but I suspect that most people would say that trying to absolutely guarantee the privacy of anybody’s practice is impossible. If someone wanted to sue you after a bad guy tapped your phone, do you really think that the government would come after you? What if someone broke into your practice at night, broke open the file cabinets, and looked through someone’s information? (Didn’t this happen during Watergate?) What if the CIA kidnapped you and put a video camera in your nose?

This is beginning to sound a little weird to me…

Lots of things to worry about here for the nervous Nellie’s. The only one I find credible is malware which masquerades as Skype, but then, malware could masquerade as your EHR software, couldn’t it?

Be Sociable, Share!

{ 5 } Comments

  1. Douglas Ikelheimer | May 19, 2010 at 11:50 pm | Permalink

    Well said. I think we’re in agreement regarding the security issues.

    But let’s take it a step further and look at the in-person question, especially as it relates to the prescribing of controlled substances – because that is the biggest challenge – and specifically the treatment of opioid dependence with buprenorphine via Skype and without an in-person evaluation. (I use “in-person” because that is the language used by the US Government in legislation pertaining to telemedicine.)

    You mentioned that you always see an patient in-person before doing Skype sessions because of the security concern that someone could hack into a password and use someone else’s account illegally? Could you please elaborate on your concerns here? Do you always check the driver’s license of patient before you see a patient in your office? I don’t see the security difference between illegal impersonation on camera vs. in your office.

    In the model I have proposed, executed, and published there is no in-person evaluation. However, I always get a faxed copy of the driver’s license as part of the registration process. The model also includes

    * complete 75-minute telepsychiatric intake examination including review (and hard-copy documentation) of medical history, psychiatric history, social history
    * documentation of vital signs (low-tech automatic cuff on patient side)
    * documentation of mental status examination
    * required participation in traditional psychosocial treatments such as NA
    * referral to primary care
    * routine follow-up exams as indicated

    Can you tell me how this does not meet standard of care or why this model should not be advanced? No one else has offered a convincing argument.

  2. patrickbarta | May 20, 2010 at 8:36 am | Permalink

    Actually, if I gave the impression that I felt that seeing someone first was somehow a principle, then I mis-communicated. I use the “see them first face-to-face” mostly as a shortcut. I agree with you in the perception that making sure that the patient is who he or she says he is doable over the Internet, but I’m not sure how to do it. Your point about driver’s licenses is well taken. The shortcut I use makes it hard to say that “he never really knew who the patient was,” but I think your argument above is basically sound. Anybody could come into my office for a face to face interview and pretend to be someone else.

    I don’t remember exactly the circumstances (I think it was signing up for Allscripts), but I remember that I was able to validate being a doctor completely over the Internet by answering a set of several questions related to things like addresses from 25 years ago, accounts in defunct banks, and the like. I don’t know who comes up with the questions though.

    I don’t prescribe buprenorphine, so that’s not an issue for me right now.

    It’s seems to me that the basic idea is that: 1) you have to be sure who you’re talking to, and 2) you have to do the same things online that you would have to do face-to-face. Sounds like your list above is pretty much what I, personally, would consider the standard of care, at least in this community.

    Thanks for the thoughtful comment.

  3. Adrian Yates | September 4, 2010 at 10:56 am | Permalink

    With regards to security and encryption there is always going to be an area that has a week link in any system, this includes not only your computer but the clients set up, any connection that allows access to an out side communication or data delivery point can never be totally secure, its about assessing the risks and implementing as many safe guards as possible to bring the level of risk down to an acceptable level.

    Its also about our perceptions and familiarity, we tend to trust our telephones to provide a secure way to communicate to Doctors police and any financial system like a bank and yet phone tapping or bugging is very possible to do, but we still consider it safe to use.

    Skype is just another way of communication using technology, its not new technology but people are only just starting to understand the opportunities available and with the added low cost see the advantages over some other forms of contacting and interacting with people.

    Verifying who your talking to is always an issue, the same issue that financial institutions have before divulging or collecting information, once again its about the level of risk involved, how many patients would likely want to impersonate some one else and what safe guards can be put in place to deter this from happening.

    I work on-line as a therapist and there are risks involving taking on unsuitable clients, I don’t offer a service that deals with serious mental health issues such as trying to help suicidal clients or high risk clients because that would need to involve accurate information regarding personal contact and emergency contact information, I have no way of validating that the information given to me is true.
    I will take on some high risk clients but only after being allowed to approach the clients doctor to verify the information needed, this is obviously a complex area regarding confidentiality and validating client authority.

    I think that in time we will use programs like Skype more and more for connecting to health services, but it also needs careful consideration before implementation.

  4. Marc Andrews | April 19, 2011 at 12:04 am | Permalink

    well my simple question is what services would provided HIPPA compliant services and associate agreements?

  5. Eric Harris | November 22, 2011 at 2:45 pm | Permalink

    It is my understanding that electronic communications carriers, such as Skype, Gmail, etc are not required to be HIPAA compliant or sign business associate agreements. Receivers of information which is unencrypted are required to sign business associate contracts. Whether Skype is safe or not, is a question which this digital alien cannot answer.

{ 2 } Trackbacks

  1. [...] Is Skype HIPAA-compliant?, Part III | Adventures in telepsychiatry [...]

  2. [...] Is Skype HIPAA-compliant?, Part III [...]