David Baxter PhD
Late Founder
Is Skype HIPAA-compliant?
by Patrick Barta
2009.10.26
I was talking with a friend a few days ago about telepsychiatry, and she asked a good question: "Is Skype HIPAA-compliant?"
For those fortunate individuals who don't know what HIPAA is, HIPAA is a law passed in 1996 governing, among several other things, the privacy of medical records. This law is responsible for the unintelligible two- to three-page form that you have to fill out any time you go to a doctor, dentist or pharmacy these days.
HIPAA's Security Rule requires that protected health information (PHI) be protected against unauthorized access when it is transmitted over a network such as the Internet, and encryption is the safeguard it names for doing so. Skype says that it uses AES encryption, which the NSA has approved (at 192- and 256-bit key lengths) for protecting Top Secret information, so that would seem to be defensible as having encrypted PHI for HIPAA purposes.
Over at Voyager Telepsychiatry, there is a post in which the author describes having sent emails inquiring about whether Skype was HIPAA-compliant to the Office of eHealth Standards and Services at the CMS Headquarters in Baltimore, Maryland and received a reply:
CMS does not advise on technology specific issues, because the HIPAA [Privacy] Rule specifically allows for flexibility in the approach to safeguarding information…
The author of the post then goes on to say:
Who can argue that use of Skype's 264-bit encryption technique [sic] does not meet HIPAA's intentionally vague requirement that covered entities safeguard the transmission of private health information?
I looked at the linked document that referred to Skype's 264-bit encryption technique, and I think the post author misread 256 as 264 somewhere. Actually, as the article points out, there are really two kinds of encryption going on with Skype. First, Skype uses a 1024-bit public-key exchange to establish the keys for a 256-bit AES encrypted channel between the two people using Skype.
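The hybrid pattern just described, a public-key exchange that sets up a 256-bit AES channel, is easy to show end to end. The following is an added example written for this page; it is not Skype's code and not from the original post. It uses RSA-1024 OAEP key transport and AES-256-GCM as stand-ins for whatever Skype actually does, the function names, the `oaepLabel` string and the sample message are all my own, and the message is constructed, not real PHI. It also makes explicit the caveat the paragraph glosses over: per NIST SP 800-57, RSA-1024 is rated at about 80 bits of security, so the channel is only as strong as the key exchange, not as strong as AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed context string; both sides must use the same one.
var oaepLabel = []byte("example-session-key")

// NewRSAKeyPair makes the callee's ("Bob's") long-term key pair.
// 1024 bits is the size the post attributes to Skype; it is not a modern choice.
func NewRSAKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// WrapSessionKey is the caller's ("Alice's") half of the exchange: draw a fresh
// 256-bit AES key and encrypt it to Bob's public key with RSA-OAEP.
func WrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // 32 bytes = AES-256
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey is Bob's half: recover the AES key with his private key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// Session is one end of the "256-bit AES encrypted channel". AES-256-GCM is
// used so that tampering is detected, not just content hidden.
type Session struct{ aead cipher.AEAD }

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts one message; the random nonce is prepended to the ciphertext.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts; a modified ciphertext fails authentication.
func (s *Session) Open(ciphertext []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return s.aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// EffectiveStrengthBits returns the comparable security strength of the channel
// per NIST SP 800-57 Part 1: the weaker of the RSA modulus and the AES key.
func EffectiveStrengthBits(rsaBits, aesBits int) int {
	table := []struct{ bits, strength int }{{15360, 256}, {7680, 192}, {3072, 128}, {2048, 112}, {1024, 80}}
	rsaStrength := 0 // below 1024 bits has no current rating
	for _, e := range table {
		if rsaBits >= e.bits {
			rsaStrength = e.strength
			break
		}
	}
	if rsaStrength < aesBits {
		return rsaStrength
	}
	return aesBits
}

// Exchange runs the whole flow end to end and returns what Bob decrypts.
func Exchange(rsaBits int, msg []byte) ([]byte, error) {
	bob, err := NewRSAKeyPair(rsaBits)
	if err != nil {
		return nil, err
	}
	key, wrapped, err := WrapSessionKey(&bob.PublicKey)
	if err != nil {
		return nil, err
	}
	recovered, err := UnwrapSessionKey(bob, wrapped)
	if err != nil {
		return nil, err
	}
	alice, err := NewSession(key)
	if err != nil {
		return nil, err
	}
	bobSess, err := NewSession(recovered)
	if err != nil {
		return nil, err
	}
	ct, err := alice.Seal(msg)
	if err != nil {
		return nil, err
	}
	return bobSess.Open(ct)
}

func main() {
	pt, err := Exchange(1024, []byte("session note: patient reports improved sleep")) // constructed sample
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	fmt.Printf("effective strength: %d bits\n", EffectiveStrengthBits(1024, 256))
}
```

The point of `EffectiveStrengthBits` is the one the "256-bit" marketing hides: with a 1024-bit RSA exchange the whole conversation is protected at roughly 80 bits, so upgrading the public-key size, not the AES size, is what would move the needle.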
Without getting involved in the subtleties of key exchange, whether weak keys exist, and a lot of high-level cryptography that I don't really know anything about, I think that the main issue here is whether AES would meet a legal challenge. I think it would. My argument would be that Skype is clearly harder to hack into than my telephone line, and that anyone willing to go to that much trouble to get to someone's PHI would be better served by much cheaper technology like hidden recording devices, electromagnetic-emission keystroke loggers, or just hiring someone to break into my office when I wasn't there. I would bet a lot of money that it would be easier for someone to get confidential psychiatric records out of any hospital in Baltimore than it would be to hack my Skype conversation while it was going on, as long as my Skype password was secure.
Another post at Telehealth.net brings up just this issue. Nothing on Skype or any other encrypted system I know of is secure if you use crappy passwords that someone can guess, like:
- 1234
- your name
- your name plus your birthdate
- dragon
- 696969
- letmein
- qwerty