Categories: Health Information Technology, Privacy and Security Law, Telehealth and Telemedicine, Uncategorized

The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools.  The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about.  In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms proceed with great caution.  I noted that the use of web-based platforms, especially those that are proprietary, may make it difficult for health care entities to meet many of their HIPAA obligations, and, therefore, carries higher risk of potentially violating HIPAA rules.

My conclusion was reaffirmed earlier this week when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure. At the very least, the latest security hole should make providers think long and hard before using Skype or other web-based platforms to communicate with their patients.

Without getting overly technical, the security flaw allowed would-be hackers to sign up to Skype with email addresses already being used by other Skype users and force password resets for any accounts associated with those emails. In other words, the would-be hackers could use the email address to create a new account and lockout the account’s original owner.  The hackers did not even need access to the actual e-mail accounts to reset passwords associated with those accounts.  According to news reports, Skype disabled its password reset function temporarily and has fixed the issue.

The security flaw is the latest example of the kind of security risks that may arise from the use of unencrypted web-based platforms.  Health care providers need to be aware of these risks and how they may impact their HIPAA obligations.  Among other things, HIPAA rules require:

  • Access controls.
  • Audit controls.
  • Person or entity authentication.
  • Transmission security.
  • Business Associate access controls.
  • Risk analysis.
  • Workstation security.
  • Device and media controls.
  • Security management processes.
  • Breach notification.

I understand why the use of web-based platforms to communicate with patients is attractive to many providers—it is free and ubiquitous.  But that should not blind us to the increased privacy and security risk associated with the use of these platforms.  Ultimately, it is always better to use fully encrypted and more secure technology when dealing with patients.  If providers do use web-based unencrypted platforms, however, they should consider some of the following to help mitigate some of the risks:

  • Request audit, breach notification, and other information from web vendors.
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
  • Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
  • Train workforce regarding the privacy and security risks associated with these platforms.
  • Exclude the use of these platforms for vulnerable populations (i.e., severely mentally ill, minors, those with protected conditions such as HIV).
  • Limit to certain clinical uses (i.e., only intake or follow up).
Tags: HIPAA, privacy, Security, skype
Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.