<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Adventures in telepsychiatry &#187; security</title>
	<atom:link href="http://adventuresintelepsychiatryblog.patrickbarta.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://adventuresintelepsychiatryblog.patrickbarta.com</link>
	<description>A psychiatrist in a solo private practice experiments with telepsychiatry</description>
	<lastBuildDate>Tue, 01 Jun 2010 14:06:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Is Skype HIPAA-compliant?, Part III</title>
		<link>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-iii/</link>
		<comments>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-iii/#comments</comments>
		<pubDate>Mon, 17 May 2010 19:29:12 +0000</pubDate>
		<dc:creator>patrickbarta</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>

		<guid isPermaLink="false">http://adventuresintelepsychiatryblog.patrickbarta.com/?p=512</guid>
		<description><![CDATA[So, in my post last week, I described why I think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me&#8211;it&#8217;s the same protocol used by banks and is approved by the government for the transmission of top [...]]]></description>
			<content:encoded><![CDATA[<p>So, in my post <a href="http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-ii/">last week</a>, I described why I think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me&#8211;it&#8217;s the same protocol used by banks and is approved by the government for the transmission of top secret information.</p>
<p>I used an analogy in that post that I&#8217;m going to continue this week. Basically, I started with talking about how firewalls are like the guard at the desk by the door of a factory. For review, here,</p>
<ul>
<li>the factory (and its grounds) are like your home network,</li>
<li>the goings on at the cafeteria are like the Skype program running on your computer,</li>
<li>the guard is like your firewall, and</li>
<li> &#8220;Should we tighten up security at the guard’s station?&#8221; is like &#8220;Can firewalls help make Skype more secure?&#8221;</li>
</ul>
<p>I talked about firewalls last time and how concerns about firewalls are like concerns about the security procedures at the front desk. In general, front desk security is a good thing, but won&#8217;t do much to solve a problem in the cafeteria if some rascal there has a valid ID card.</p>
<p>I would like to go with this analogy again. There&#8217;s a lot of ways that security could fail in terms of nefarious goings-on at the cafeteria, and those ways are just like the potential security problems of Skype.</p>
<ul>
<li>Skype&#8217;s program could have a bug in it which someone could exploit. I.e., if someone knows something like putting in a contact with a name that is 50,000 characters long lets that person access some internal aspects of Skype that they aren&#8217;t supposed to, then that could be a problem. This is like having someone who works for the factory responsible for the nefarious things in the cafeteria. Here, they are just stealing from the factory.</li>
<li>More worrisome is something like someone from the outside impersonating someone who has a valid ID. The bad guy gets in by pretending to be someone who works there, and then does his nefarious deeds. The analogous thing for Skype would be for someone to make a specially modified program, convince you to download it, and then have you install the modified program. As far as I know, there are no programs that do something bad while masquerading as Skype, but I have noted the same sort of malware on Skype IM&#8217;s that appear regularly in everyone&#8217;s email, basically a bogus message saying that you need to go to some URL and install fake antivirus software, or update some kind of program that you already have, such as Adobe Acrobat.</li>
</ul>
<p>I tend to be very suspicious of these kinds of messages anyway, so I hope that I, at least, wouldn&#8217;t fall for this nonsense, but I can certainly see a naive user getting one of these malware spam messages and installing something that would infect their computer with a virus.</p>
<p>A program that works like Skype but does something bad could probably be written, but since this would be a direct shot at Skype, I suspect that Skype would respond quickly and effectively (or else they would be out of business.)</p>
<p>One thing that is possible, but not particularly worrisome to me is that someone could hack my or my patient&#8217;s password and pretend to be someone they are not. There is a big reason why I don&#8217;t think this would be a problem in my practice. I always see the patient face to face first, before I do Skype sessions with him or her. As long as the impostor is showing me video, then this exploit would be easy to see through.</p>
<p>So far as I know, HIPAA doesn&#8217;t certify software as being HIPAA compliant or not. Instead, as best I can understand, various companies claim HIPAA compliance, and I guess they could be sued if they were negligent.</p>
<p>As far as I know, no one has brought up substantive HIPAA issues regarding cell phones, but every argument I&#8217;ve given on this subject would appear to apply to cell phones as well as Skype.</p>
<p>I think the bottom line here is that having some informed consent from the patient is essential, but that some of the discussion regarding HIPAA and Skype may be more based on commercial interests (such as the people who give the seminars on HIPAA compliance) than on believable threats to the security of patient information.</p>
<p>If someone bugs your landline at your office, wouldn&#8217;t they be able to gather lots of information? Do you sweep your office for bugs daily? Maybe so, but I suspect that most people would say that trying to absolutely guarantee the privacy of anybody&#8217;s practice is impossible. If someone wanted to sue you after a bad guy tapped your phone, do you really think that the government would come after you? What if someone broke into your practice at night, broke open the file cabinets, and looked through someone&#8217;s information? (Didn&#8217;t this happen during Watergate?) What if the CIA kidnapped you and put a video camera in your nose?</p>
<p>This is beginning to sound a little weird to me&#8230;</p>
<p>Lots of things to worry about here for the nervous Nellies. The only one I find credible is malware which masquerades as Skype, but then, malware could masquerade as your EHR software, couldn&#8217;t it?</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-iii/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Is Skype HIPAA-compliant?, Part II</title>
		<link>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-ii/</link>
		<comments>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-ii/#comments</comments>
		<pubDate>Mon, 10 May 2010 18:16:08 +0000</pubDate>
		<dc:creator>patrickbarta</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>

		<guid isPermaLink="false">http://adventuresintelepsychiatryblog.patrickbarta.com/?p=501</guid>
		<description><![CDATA[I got a couple of comments a month ago regarding Skype security and in response to my previous post &#8220;Is Skype HIPAA-compliant?&#8220;  Marlene Maheu at the TeleMental Health Institute&#8217;s Center for Online Counseling and Psychotherapy  has a blog post on Telehealth.net in which she voices some concerns about Skype security and in which she references [...]]]></description>
			<content:encoded><![CDATA[<p>I got a couple of comments a month ago regarding Skype security and in response to my previous post &#8220;<a href="http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/is-skype-hipaa-compliant/">Is Skype HIPAA-compliant?</a>&#8220;  Marlene Maheu at the <a href="http://centerforonlinecounseling.com/">TeleMental Health</a> Institute&#8217;s Center for Online Counseling and Psychotherapy  has a blog <a href="http://telehealth.net/blog/?p=143">post</a> on Telehealth.net in which she voices some concerns about Skype security and in which she references an article by Jacqueline Herships titled &#8220;<a href="http://ezinearticles.com/?No-More-Hacking&amp;id=1824342" class="broken_link">No More Hacking</a>.&#8221;</p>
<p>Basically, Dr. Maheu points out that there is a lack of information about the security and reliability of Skype. Assuming that the <a href="http://www.skype.com/security/security-privacy/">security information</a> on the Skype website is correct, then I think I can answer a couple of the good questions that Dr. Maheu asks.</p>
<p>Rather than thinking about things like firewalls (which are pretty nebulous to most people), a better way to understand the relationship of firewalls to Skype security is to use an analogy. Suppose that you are the director of security for a factory and that you&#8217;ve been asked to investigate some nefarious things going on in the cafeteria and to straighten them out. Someone asks you if tightening up security at the guard&#8217;s station at the front door to the factory would help.</p>
<p>Here,</p>
<ul>
<li> the factory (and its grounds) are like your home network,</li>
<li> the goings on at the cafeteria are like the Skype program running on your computer,</li>
<li> the guard is like your firewall, and</li>
<li> &#8220;Should we tighten up security at the guard&#8217;s station?&#8221; is like &#8220;Can firewalls help make Skype more secure?&#8221;</li>
</ul>
<p>If you were the director of security at the factory, I&#8217;m sure that you would answer something like: &#8220;It depends on how the nefarious things are happening. If some unauthorized people are getting into the factory, beefing up security at the door will help keep these kinds of people out, but if the person&#8217;s got a badge to get in, focusing on the guard at the door isn&#8217;t going to make any difference.&#8221;</p>
<p>Skype security is pretty similar. Having a good firewall is pretty much a must on any Internet-connected computer these days, but I don&#8217;t think changing the firewall is going to make that much difference in Skype security, any more than replacing one competent guard at the factory&#8217;s front door with another is necessarily going to solve the problems at the cafeteria. It probably pays to investigate what&#8217;s happening at the cafeteria, rather than at the front desk.</p>
<p>Skype hasn&#8217;t made all the details of its security system known, but it does have a lot of information online, and, assuming that they are telling the truth, it sounds like Skype is at least as secure as a cellphone conversation, and every psychiatrist I know talks to people on cell phones without worrying that much about HIPAA violations.</p>
<p>Skype and modern cellphones use the same basic protocol to communicate (<a href="http://en.wikipedia.org/wiki/Packet_switching">packet switching</a>), but basically what happens is that when you make a call, Skype or your cellphone operator sets up a connection between you and the person you are calling and then steps out of the way, leaving you and that person to talk as if you had your own circuit. Both Skype and cellphones encrypt the data they send. If anything, the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES</a> encryption method used by Skype is probably more secure than the 30-year-old <a href="http://en.wikipedia.org/wiki/A5/1">A5/1</a> encryption method used in most cellphones. AES is approved by the government for top secret information while A5/1 has already been <a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi?2006/CS/CS-2006-07">partially broken</a>.</p>
<p>I think that the real security issues with Skype (or with cellphones) are probably more with things like whether the government can compel Skype or your cellphone operator to tap into your conversations than with details of encryption or firewalls.</p>
<p>Until then, I think that doctors should give up talking to patients on cellphones before they get worried about whether Skype is secure.</p>
<p>There&#8217;s a lot more to think about with Skype security other than whether just this protocol is sufficiently secure. There are other issues which are also important, related (back to the analogy with the guard at the factory with which I started this post) to things like corrupt guards, corrupt employees and the like, which also merit some consideration, and I&#8217;ll discuss them in a future post.</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresintelepsychiatryblog.patrickbarta.com/2010/05/is-skype-hipaa-compliant-part-ii/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Skype, bad passwords, and wireless</title>
		<link>http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/skype-bad-passwords-and-wireless/</link>
		<comments>http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/skype-bad-passwords-and-wireless/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 15:49:45 +0000</pubDate>
		<dc:creator>patrickbarta</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[informed consent]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>

		<guid isPermaLink="false">http://adventuresintelepsychiatryblog.patrickbarta.com/?p=161</guid>
		<description><![CDATA[Just after I published my last post, I got a Google alert on another blog post &#8220;HIPAA &#38; Hijacked SKYPE Passwords: Another Security Violation that Brings Viability of Online Counseling via SKYPE into Yet More Questioning&#8221; at Telehealth.net in which the author talks about  Skype password hijacking. Password hijacking means that someone else basically breaks [...]]]></description>
			<content:encoded><![CDATA[<p>Just after I published my <a href="http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/is-skype-hipaa-compliant/">last post</a>, I got a Google alert on another blog post &#8220;<a href="http://telehealth.net/blog/?p=95">HIPAA &amp; Hijacked SKYPE Passwords: Another Security Violation that Brings Viability of Online Counseling via SKYPE into Yet More Questioning</a>&#8221; at <a href="http://telehealth.net/blog/">Telehealth.net</a> in which the author talks about  Skype password hijacking. Password hijacking means that someone else basically breaks into your Skype account after finding out your password and then goes on to do nefarious things like masquerading as you or charging things to a credit card number that you might have on file with Skype.</p>
<p>I think the blog post&#8217;s author is rightfully worried about some of the clinical implications of things like this. With Skype, it&#8217;s not just the security of <strong>my </strong>password that&#8217;s important, but of the <strong>patient&#8217;s as well</strong>. If the patient uses an insecure password, then their privacy may be impaired. The post&#8217;s author also brings up the idea that mental health professionals who use Skype should probably say something about this in their informed consent form, and I agree.</p>
<p>I discussed bad passwords in a <a href="http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/is-skype-hipaa-compliant/">previous post</a>,  so I won&#8217;t go over that again. In a future post, I&#8217;ll talk about ways for people to generate passwords that aren&#8217;t so easy to hack, but can be remembered.</p>
<p>However, on one point, I think that the author of the post on telehealth.net is probably off the mark. At least one of the examples she describes in which a person&#8217;s Skype password was hijacked is a hacker exploit called &#8220;<a href="http://en.wikipedia.org/wiki/Social_engineering_%28security%29">social engineering</a>.&#8221; Social engineering is basically manipulating people into divulging confidential information. In that case, the victim clicked on a file attachment from an untrustworthy source. In the other case, the victim was apparently using a chat room, and I wonder how good the security was in that room.</p>
<p>Somehow though, her concerns about these cases then segue into a concern about unencrypted wireless networks as a Skype security risk. The scenario is that you go, laptop in tow, to your local coffee place, make a Skype call there, and the bad guys use something like a <a href="http://en.wikipedia.org/wiki/Packet_sniffer">packet sniffer</a> to capture your Skype password as it goes across the unencrypted wireless network.</p>
<p>This scenario assumes that Skype doesn&#8217;t encrypt the password you type in when it transmits it over the network. That&#8217;s probably not true. According to <a href="http://forum.skype.com/index.php?s=a83e65e1e2b257050ec9609c36ab57c7&amp;showtopic=75175&amp;pid=347189&amp;st=0&amp;#entry347189">this post</a>, Skype uses a <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">public key encryption technique</a> to set up the channel over which users communicate.  If that&#8217;s true, then whether or not the wireless network is encrypted should make no difference, at least in terms of Skype security. Skype gets a lot of attention from hackers and from security people because so many people use it. If Skype were sending passwords in the clear, I think there would be numerous articles on this on the Internet, and I wasn&#8217;t able to find one. This kind of hacking is at the level of the <a href="http://en.wikipedia.org/wiki/Script_kiddie">script kiddies</a>, and I&#8217;ll bet hundreds of them have tried (and failed) to use the exploit that the author at telehealth.net is worried about.</p>
<p>So, I suspect worries about Skype on an unencrypted wireless network are off base, but I&#8217;m glad someone brought it up.</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/skype-bad-passwords-and-wireless/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>