Skype Security & Other VoIP Systems: The Future & How to Protect Yourself
by Marlene M. Maheu, Ph. D. on 29/03/10 at 10:18 am
As we’ve discussed in previews blog posts, Skype runs on a “Voice over Internet Protocol” or “VoIP” which apparently is the common platform for videoconferencing online. The security of VoIP-based platforms, as well as reliability are the two issues I like to explore today.
As I look for potential sources of information about the security and reliability of systems like Skype, I am dismayed to see a lack of information in our mental health literature, despite the fact that a growing number of practitioners have no hesitancy to use these systems with psychotherapy and counseling patients.
Because I’m unaware and unsophisticated about the scientific literature related to technology, my best options are Internet discussion areas and websites related to these topics. Granted, these are secondary sources, but please let me be clear that I have no intent of pursuing academic excellence in technology or engineering, as I have in mental health.
On the other hand, if any of you have more specific information than the topics I’m providing in my blog posts, please cite them below. I have several consulting clients who are asking for this information and I’m doing my best to not only access my informational resources, but also let everyone who might read this blog know that I’m actively seeking this type of information.
Regarding the security of VoIP-based systems and our future as counselors and psychotherapists online, I’ve read an author by the name of Herships who quotes Mr. Harry Emerson III, “The Internet has produced something akin to a gold rush experience for those mining its resources and developing its vast potentialities.” But, in the midst of this frenzy, he has observed that “fundamental requirements of privacy, secrecy, and security are seldom openly discussed when it comes to Internet-based phone services known as “Voice over Internet Protocol (VoIP) systems such as SKYPE, which are rapidly being developed” (2008).
The most commonly discussed defense I can find online against a possible attack from intruders is the construction of a firewall at both ends of VoIP systems. A firewall would provide a barrier between your computer or network and security threats such as hackers and viruses. However, as VoIP technology progresses and proliferates, factory standard firewalls are not predicted to be enough.
Fortunately, many different companies are dedicating substantial resources to closing Skype and other VoIP security loopholes to make viable videoconferencing available to large undeserved populations online. My best suggestion until the secure systems are available online would be for practitioners to meet face-to-face with initial clients or patients, then use software developed by companies such as Polycom and Tandberg to deliver their services remotely. If such installations are too expensive right now, pick up the telephone and talk to them over a secure telephone line.
To learn more about the ethical issues related to practitioners can connect online with their patients/clients using videoconferencing systems that are most often used in NIH and NIMH funded research, contact me.
Herships, J. (2008, December 27). No More Hacking. Retrieved March 11, 2010, from http://ezinearticles.com/?No-¬More-¬Hacking&id=1824342
That’s the reference I have for this topic — what’s yours? Can you provide additional information that might change my view? Please comment below.
~
Marlene M. Maheu, Ph.D. is the Executive Director of the TeleMental Health Institute, Inc., offering a Certificate training program in TeleMental Health for telepsychiatry, telepsychology, telesocial work, and online counseling. Academic books authored by Dr. Maheu and colleagues include eHealth, Telehealth and Telemedicine and The Mental Health Professional & the New Technologies.
Edward Dreyfus
May 26th, 2010
I have heard about an ACN video phone that uses ViOP but claims that because theirs is a proprietary phone, when calls are made ACN-to-ACN they are secure. From a practical point of view, and for continuity of treatment, it would be great to have face-to-face video calls with patients who are temporarily out of town. Are such phones HIPAA compliant?
admin
May 27th, 2010
Hello Ed,
Good to hear from you.
Basically, if the company doesn’t say it is HIPAA compliant, it probably isn’t. If they make such a claim, then we are a bit safer because they are on record with the Federal Trade Commission for their claims, but we’re not “home free.”
Now I am not an attorney, nor am I a techie, but from what I understand, it is important to be aware of a company’s products and claims…but those claims alone won’t necessarily protect us in a court of law if we are licensed professionals. As such, we professionals are suppose to be making a determination of the fitness of our capacities (technical as well as clinical) and services for the needs of the specific client.
In other words, a vendor’s technology isn’t likely to only going to be measured in terms of128-bit encryption. Technical issues such as reliability of the connection, who can tap into it from within the network it is using, image resolution, and other issues are also important.
BUT — the clinical issues are even more daunting, and have been resolved to a far less degree than the technical ones. The real problem is that the people we are inviting to join us via technology (whether they find us or we solicit them) or relying on our professionalism to determine the security and confidentiality of the systems we choose. They might be impaired somehow and if we fail to properly assess them, or provide emergency backup, or community support or authenticate them, along with several other key issues, we and they are vulnerable online.
For example, just because someone wants to shout their problems through our living room window doesn’t mean that we as professionals will engage him or her in such a way for treatment. Yes, the window screen probably won’t break, the glass won’t shatter, but what else is wrong with such a scenario?
The consumer public expects us to be professionals, that is, for us to define when and where we treat people, and we are expected by the courts to uphold specific standards of care. Unitl those courts get up to speed with changing the exisitng laws based onr esearch, we are vulnerable when attempoting to treat people. The best way to avoid risk is education – and document that education in your files in case somethign goes wrong and you damage someone.
Ask more questions and I’ll do my best to pop in an answer. I’d also invite other professionals to comment on this thread, and spare me a ton of typing
Kind Regards,
Marlene M. Maheu, Ph.D.
PS You will find much more about these issues in web-based courses offered at the http://CenterforOnlineCounseling.com and in my books:
1. The Mental Health Professional & the New Technologies: http://www.atpdr.com/MentalHealthProfessional
2. eHealth, Telehealth & Telemedicine: http://www.atpdr.com/TelehealthEHealthTelemedicine
John Bierma
Dec 28th, 2010
According to my reading of HIPAA law and this source from the University of Miami, both telephone calls, faxes and video conferencing are exempt from HIPAA security rules.
http://privacy.med.miami.edu/glossary/xd_security_stds_applicability.htm
If you study the facts, the risk is not during transmission over video over the Internet whether it be by Skype or the Polycom or Tandberg company products. All are AES encrypted and have user authentification security features. The risk is in the room when the voice and picture are played. The people allowed to hear and see it violate the privacy rules by gossiping and doing “pillow talk” or “bar talk”.
The real risk is not technical. The risk is people talking out of school. That has been the risk since before the Internet and time.
Marlene M. Maheu
Jan 23rd, 2011
John,
Thank you for your question. These statements seem correct as they relate to the security rule, which continues to apply to ePHI only. Of course, the privacy rules covers all PHI, regardless of form or medium. See list of 18 identifiers covered by HIPAA below, which comes from the Yale University website :
PHI and ePHI
ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is stored, accessed, transmitted or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
* The individual’s past, present or future physical or mental health.
* The provision of health care to the individual.
* The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.
Identifiers
Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
* Name
* Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
* All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
* Telephone numbers
* Fax number
* Email address
* Social Security number
* Medical record number
* Health plan beneficiary number
* Account number
* Certificate/license number
* Any vehicle or other device serial number
* Device identifiers or serial numbers
* Web URL
* Internet Protocol (IP) address numbers
* Finger or voice prints
* Photographic images
* Any other characteristic that could uniquely identify the individual
Instead of removing the data, sometimes making the information more general is sufficient for de–identification; for example, replacing birth date with an age range.
See also the HIPAA policy on de–identification.
The “e” in ePHI
ePHI includes any medium used to store, access, transmit or receive PHI electronically.
Examples include:
* Personal Computers with their internal hard drives used at work, home, or traveling
* External portable hard drives, including iPods
* Magnetic tape or disks
* Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
* PDA’s, smartphones
* Electronic transmission includes data exchange (e.g., email or file transfer) via wireless, ethernet, modem, DSL or cable network connections.
As technology progresses, any new devices for accessing, transmitting, or receiving ePHI electronically will be covered by the HIPAA Security Rule.
What standards does HIPAA impose?
HIPAA imposes the following standards on covered entities for the purpose of standardizing and protecting the use, disclosure and exchange of health information:
1. Privacy standards, developed by the Department of Health and Human Services, that address the use and disclosure of health information, patient consent and authorization for the use of information, patient rights to review their health information, request edits and demand an accounting of disclosures of health information.
2. Security standards for health information including administrative, technical and physical safeguards to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information.
3. Standards for the transfer of information among health plans needed, for example, for the coordination of benefits, sequential processing of claims.
4. Standards to enable electronic interchange. HIPAA calls for the adoption of standards for certain transactions and data elements, such as health claim status, eligibility for a health plan, health plan enrollment/disenrollment.
5. Standards for code sets for the data elements for the transactions covered above.
6. Standards for unique health identifiers for individuals, employers, health plans and health care providers.
7. Standards for electronic signatures.
8. Requirements related to notifying patients and DHHS in the event of a breach of PHI.
John Bierma
Jan 28th, 2011
Marlene:
Thanks for your response. I don’ t think anyone thinks that patient information should not be kept private and confidential by the provider and that reasonable efforts should always be taken to keep it so. This includes security of your paper records if your office is broken into to steal drug samples and someone carries off your triple locked file cabinets full of PHI.
I question whether the real area of risk is being addressed in this discussion thread. As with the recent shooting in Arizona of the congresswoman, the employees of the hospital improperly accessed the victims records for non-medical reasons. If this access was to an electronic record system, then it was not due to a technical flaw or virus infecting the system. It was a legal and ethical violation by humans using the system.
I maintain that the REAL risk management is not a technical issue but a human ethical and legal issue of crimes committed by providers and their staff. So when you speak of HIPAA privacy, I agree that it applies to both electronic, paper or human memory records. The improper use of these system and the simple sharing of private information inappropriately with friends, relatives and criminals is where the true risk lies, where the emphasis should be placed and where resources should be spent to prevent privacy violations of HIPAA.
In my experience, when a person in a hospital or nursing facility has HIV, it does not take long until most staff know who it is and it gets out to the community who it is. This does not happen by criminals breaking into the hospital or nursing home medical records rooms. Even though everyone is supposed to use universal precautions and act as if everyone is infected, the providers and staff learn who is infected and they tell people who should not know. This is also the way many prescription drugs get on the street. It happens by providers and staff taking them home and selling them to family and friends. These are not technical issues of how the medications are locked in the facility. People with the key take the drugs and sell them.
My concern is that the endless hyped discussion about the supposed security risks of video conferencing systems has scared many providers from using telemedicine to serve clients in need. I have been contending with these unfounded security concerns for over 10 year. I think it is time to get beyond it and think about the true needs of the patient being denied access to care. That is the true crime and violation being committed. Is anyone proposing that hospitals should not be used since the staff in Arizona improperly accessed patient information whether it be from an EMR or paper records? No.
admin
Feb 4th, 2011
John,
It appears as if we agree on many things, except that as you state, it is now “time to get beyond it [security issues] and think about the true needs of people being denied access to care.” Your thought is one I hear frequently, so you certainly are not alone.
As someone who is actively involved in working toward regulatory change, I have seen more progress in the last 10 months than all my 16 years in this area. It will take another few years for laws to be changed, but some very good people are working on it quite seriously. In my mind, the dangers of the professions not putting the proper safeguards in place before offering professional services to consumers online far outweigh the dangers of forsaking our licensing laws or ethical codes right now.
This blog is intended as a forum for discussion, and so, let us hear from you again, John.
I’m also wondering what others in our ranks think about the urgency of getting online to help people right now. Do you agree that we’ve waited long enough? Is it time for individual practitioners or groups of United States practitioners to start practicing online, regardless of the current US laws? Are you from a different country, and if so, what do your laws say?
To discuss policy issues with our colleagues, please allow me to invite you and our other colleagues to join me in any 1 or more of these venues. The first two are discussions panels I’ve organized and had accepted at 2 national conventions this year to address this very topic for details on dates and times, check this page: http://telementalhealth.com/Marlene-Maheu
1. American Telemedicine Association meeting for May 3rd, 2011 in Tampa, entitled, “Internet Telemental Health: Are We Facing a New ‘Wild West:’ Best Practices for Telemedicine and Telehealth.”
2. American Psychological Association meeting, August 2011 in Washington, DC., entitled, “”Telehealth and Telepsychology Licensure: Barriers and Possible Solutions as Psychology Adopts the PsychTechnologies”
3. Speak with Dr. Ken Drude about joining his ATA Telemental Health SIG Policy Work Group if you are an active member of the ATA. He can be reached through the American Telemedicine Association central office.
Marlene M. Maheu, Ph.D. is the Executive Director of the TeleMental Health Institute, Inc., offering a Certificate training program in Telemental Health for telepsychiatry, telepsychology, telesocial work, and online counseling. Academic books authored by Dr. Maheu and colleagues include eHealth, Telehealth and Telemedicine and The Mental Health Professional & the New Technologies>.