
David Baxter PhD

Late Founder
Is Skype HIPAA-compliant?
by Patrick Barta
2009.10.26

I was talking with a friend a few days ago about telepsychiatry, and she asked a good question. "Is Skype HIPAA-compliant?"

For those fortunate individuals who don't know what HIPAA is, HIPAA is a law passed in 1996 governing, among several other things, privacy of medical records. This law is responsible for the unintelligible two to three page form that you have to fill out anytime you go to a doctor, dentist or pharmacy these days.

HIPAA says that protected health information (PHI) must be encrypted if it is sent over the Internet. Skype says that they use AES encryption, which is approved by the NSA for encryption of top secret information, so that would seem to be defensible as having encrypted PHI for HIPAA purposes.

Over at Voyager Telepsychiatry, there is a post in which the author describes having sent emails inquiring about whether Skype was HIPAA-compliant to the Office of eHealth Standards and Services at the CMS Headquarters in Baltimore, Maryland and received a reply:
CMS does not advise on technology specific issues, because the HIPAA [Privacy] Rule specifically allows for flexibility in the approach to safeguarding information...
The author of the post then goes on to say:
Who can argue that use of Skype's 264-bit encryption technique [sic] does not meet HIPAA's intentionally vague requirement that covered entities safeguard the transmission of private health information?
I looked at the linked document that referred to Skype's 264-bit encryption technique and I think the post author mistook 256 somewhere for 264 when reading it. Actually, as the article points out, there are really two kinds of encryption going on with Skype. First, Skype uses a 1024-bit public-key key exchange protocol to establish keys for a 256-bit AES encrypted channel between the two people using Skype.

Without getting involved in the subtleties of key exchange, whether weak keys exist, and a lot of high-level cryptography that I don't really know anything about, I think that the main issue here is whether AES would meet a legal challenge. I think it would. My argument would be that Skype is clearly harder to hack into than into my telephone line and that anyone willing to go to that much trouble to get to someone's PHI would be better served by much cheaper technology like hidden recording devices, electromagnetic emission keystroke loggers or just hiring someone to break into my office when I wasn't there. I would bet a lot of money that it would be easier for someone to get confidential psychiatric records out of any hospital in Baltimore than it would be to hack my Skype conversation while it was going on as long as my Skype password was secure.

Another post at Telehealth.net brings up just this issue. Nothing on Skype or any other encrypted system I know of is secure if you use crappy passwords that someone can guess like:
  • 1234
  • your name
  • your name plus your birthdate
  • dragon
  • 696969
  • letmein
  • qwerty
and the like. Maybe I'll write a post in the future on generating passwords for Skype, but I'm happy to tell anyone who wants to know how I generate the passwords I use for anything that's important to me. I use Diceware with 20 words. If you're a hacker, good luck! I hope that you have a fast computer.
 

David Baxter PhD

Late Founder
Is Skype HIPAA-compliant? Part II

by Patrick Barta
2010.05.10

I got a couple of comments a month ago regarding Skype security and in response to my previous post "Is Skype HIPAA-compliant?" Marlene Maheu at the TeleMental Health Institute's Center for Online Counseling and Psychotherapy has a blog post on Telehealth.net in which she voices some concerns about Skype security and in which she references an article by Jacqueline Herships titled No More Hacking.

Basically, Dr. Maheu points out that there is a lack of potential information about the security and reliability of Skype. Assuming that the security information on the Skype website is correct, then I think I can answer a couple of the good questions that Dr. Maheu asks.

Rather than thinking about things like firewalls (which are pretty nebulous to most people), a better way to understand the relationship of firewalls to Skype security is to use an analogy. Suppose that you are the director of security for a factory and that you've been asked to investigate some nefarious things going on in the cafeteria and to straighten them out. Someone asks you if tightening up security at the guard's station at the front door to the factory would help.


Here,
  • the factory (and its grounds) are like your home network,
  • the goings on at the cafeteria are like the Skype program running on your computer,
  • the guard is like your firewall, and
  • "Should we tighten up security at the guard's station?" is like "Can firewalls help make Skype more secure?"
If you were the director of security at the factory, I'm sure that you would answer something like: "It depends on how the nefarious things are happening. If some unauthorized people are getting into the factory, beefing up security at the door will help keep these kinds of people out, but if the person's got a badge to get in, focusing on the guard at the door isn't going to make any difference."

Skype security is pretty similar. Having a good firewall is pretty much a must on any Internet-connected computer these days, but I don't think changing the firewall is going to make that much difference in Skype security, any more than replacing one competent guard at the factory's front door with another is necessarily going to solve the problems at the cafeteria. It probably pays to investigate what's happening at the cafeteria, rather than at the front desk.

Skype hasn't made all the details of its security system known, but it does have a lot of information online, and, assuming that they are telling the truth, it sounds like Skype is at least as secure as a cellphone conversation, and, as far as I know, every psychiatrist I know talks to people on cell phones without worrying that much about HIPAA violations.

Skype and modern cellphones use the same basic protocol to communicate (packet switching), but basically what happens is that when you make a call, Skype or your cellphone operator sets up a connection between you and the person you are calling and then steps out of the way, leaving you and that person to talk as if you had your own circuit. Both Skype and cellphones encrypt the data they send. If anything, the AES encryption method used by Skype is probably more secure than the 30-year-old A5/1 encryption method used in most cellphones. AES is approved by the government for top secret information while A5/1 has already been partially broken.

I think that the real security issues with Skype (or with cellphones) are probably more with things like whether the government can compel Skype or your cellphone operator to tap into your conversations than with details of encryption or firewalls.

Until then, I think that doctors should give up talking to patients on cellphones before they get worried about whether Skype is secure.

There's a lot more to think about with Skype security other than whether just this protocol is sufficiently secure. There are other issues which are also important, related (back to the analogy with the guard at the factory with which I started this post) to things like corrupt guards, corrupt employees and the like, which also merit some consideration, and I'll discuss them in a future post.
 

David Baxter PhD

Late Founder
Is Skype HIPAA-compliant? Part III

by Patrick Barta
May 17, 2010

So, in my post last week, I described why I don't think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me; it's the same protocol used by banks and is approved by the government for the transmission of top secret information.


I used an analogy in that post that I'm going to continue this week. Basically, I started with talking about how firewalls are like the guard at the desk by the door of a factory. For review, here,
  • the factory (and its grounds) are like your home network,
  • the goings on at the cafeteria are like the Skype program running on your computer,
  • the guard is like your firewall, and
  • "Should we tighten up security at the guard's station?" is like "Can firewalls help make Skype more secure?"
I talked about firewalls last time and how concerns about firewalls are like concerns about the security procedures at the front desk. In general, front desk security is a good thing, but won't do much to solve a problem in the cafeteria if some rascal there has a valid ID card.


I would like to go with this analogy again. There's a lot of ways that security could fail in terms of nefarious goings-on at the cafeteria, and those ways are just like the potential security problems of Skype.
  • Skype's program could have a bug in it which someone could exploit, e.g., if someone knows something like putting in a contact with a name that is 50,000 characters long lets that person access some internal aspects of Skype that they aren't supposed to, then that could be a problem. This is like having someone who works for the factory responsible for the nefarious things in the cafeteria. Here, they are just stealing from the factory.
  • More worrisome is something like someone from the outside impersonating someone who has a valid ID. The bad guy gets in by pretending to be someone who works there, and then does his nefarious deeds. The analogous thing for Skype would be for someone to make a specially modified program, convince you to download it, and then have you install the modified program. As far as I know, there are no programs that do something bad while masquerading as Skype, but I have noted the same sort of malware on Skype IMs that appear regularly in everyone's email, basically a bogus message saying that you need to go to some URL and install fake antivirus software, or update some kind of program that you already have, such as Adobe Acrobat.
I tend to be very suspicious of these kinds of messages anyway so I hope that I, at least, wouldn't fall for this nonsense, but I can certainly see a naive user getting one of these malware spam messages and installing something that would infect their computer with a virus.

A program that works like Skype but does something bad could probably be written, but since this would be a direct shot at Skype, I suspect that Skype would respond quickly and effectively (or else they would be out of business.)

One thing that is possible, but not particularly worrisome to me is that someone could hack my or my patient's password and pretend to be someone they are not. There is a big reason why I don't think this would be a problem in my practice. I always see the patient face to face first, before I do Skype sessions with him or her. As long as the impostor is showing me video, then this exploit would be easy to see through.

So far as I know, HIPAA doesn't certify software as being HIPAA compliant or not. Instead, as best I can understand, various companies claim HIPAA compliance and I guess they could be sued if they were negligent someone.

As far as I know, no one has brought up substantive HIPAA issues regarding cell phones, but every argument I've given on this subject would appear to apply to cell phones as well as Skype.

I think the bottom line here is that having some informed consent from the patient is essential, but that some of the discussion regarding HIPAA and Skype may be more based on commercial interests (such as the people who give the seminars on HIPAA compliance) than on believable threats to the security of patient information.

If someone bugs your landline at your office, wouldn't they be able to gather lots of information? Do you sweep your office for bugs daily? Maybe so, but I suspect that most people would say that trying to absolutely guarantee the privacy of anybody's practice is impossible. If someone wanted to sue you after a bad guy tapped your phone, do you really think that the government would come after you? What if someone broke into your practice at night, broke open the file cabinets, and looked through someone's information? (Didn't this happen during Watergate?) What if the CIA kidnapped you and put a video camera in your nose?

This is beginning to sound a little weird to me...

Lots of things to worry about here for the nervous Nellies. The only one I find credible is malware which masquerades as Skype, but then, malware could masquerade as your EHR software, couldn't it?
 