The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools. The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about. In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms should proceed with great caution. I noted that the use of web-based platforms, especially those that are proprietary, may make it difficult for health care entities to meet many of their HIPAA obligations and, therefore, carries a higher risk of violating HIPAA rules.
My conclusion was reaffirmed earlier this week when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure. At the very least, the latest security hole should make providers think long and hard before using Skype or other web-based platforms to communicate with their patients.
Without getting overly technical, the security flaw allowed would-be hackers to sign up to Skype with email addresses already being used by other Skype users and force password resets for any accounts associated with those emails. In other words, the would-be hackers could use the email address to create a new account and lock out the account's original owner. The hackers did not even need access to the actual email accounts to reset passwords associated with those accounts. According to news reports, Skype temporarily disabled its password reset function and has since fixed the issue.
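The two behaviours described above, modelled in Python as an added example (not Skype's code or the author's): a directory that lets a second signup claim an email already in use and then resets every account sharing it, beside a hardened flow that keeps emails unique and completes a reset only against a token delivered to the mailbox. The class names, the in-memory store and the sample accounts are assumptions made for the illustration.

```python
# Constructed model of the account-takeover flaw described above and a
# hardened version of the same flow. Everything here is illustrative:
# the class names, the in-memory directory and the sample accounts are
# assumptions, not Skype's code. Passwords are stored as plain text only
# to keep the model short; a real system stores salted hashes.
import secrets


class WeakDirectory:
    """Email uniqueness is not enforced, and a reset requested from any
    account is applied to every account that shares that email address."""

    def __init__(self):
        self.accounts = {}  # username -> {"email": ..., "password": ...}

    def signup(self, username, email, password):
        self.accounts[username] = {"email": email, "password": password}

    def reset_password(self, requesting_user, new_password):
        email = self.accounts[requesting_user]["email"]
        for acct in self.accounts.values():
            if acct["email"] == email:  # silently includes the original owner
                acct["password"] = new_password


class HardenedDirectory:
    """One account per email, and a reset succeeds only with a single-use
    token that was delivered to that mailbox, so control of the mailbox
    (not merely knowledge of the address) is what authorises the reset."""

    def __init__(self):
        self.accounts = {}
        self.owner_of = {}  # email -> username, enforces uniqueness
        self.pending = {}   # reset token -> email

    def signup(self, username, email, password):
        if email in self.owner_of:
            raise ValueError("email already registered")
        self.accounts[username] = {"email": email, "password": password}
        self.owner_of[email] = username

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        return token  # stands in for sending the token to the mailbox

    def complete_reset(self, token, new_password):
        email = self.pending.pop(token, None)  # single use
        owner = self.owner_of.get(email)
        if owner is None:
            raise PermissionError("invalid or expired reset token")
        self.accounts[owner]["password"] = new_password
```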
The security flaw is the latest example of the kind of security risks that may arise from the use of unencrypted web-based platforms. Health care providers need to be aware of these risks and how they may impact their HIPAA obligations. Among other things, HIPAA rules require:
- Access controls.
- Audit controls.
- Person or entity authentication.
- Transmission security.
- Business Associate access controls.
- Risk analysis.
- Workstation security.
- Device and media controls.
- Security management processes.
- Breach notification.
I understand why the use of web-based platforms to communicate with patients is attractive to many providers—they are free and ubiquitous. But that should not blind us to the increased privacy and security risk associated with the use of these platforms. Ultimately, it is always better to use fully encrypted and more secure technology when dealing with patients. If providers do use unencrypted web-based platforms, however, they should consider some of the following to help mitigate some of the risks:
- Request audit, breach notification, and other information from web vendors.
- Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
- Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
- Train workforce regarding the privacy and security risks associated with these platforms.
- Exclude the use of these platforms for vulnerable populations (e.g., the severely mentally ill, minors, those with protected conditions such as HIV).
- Limit use to certain clinical purposes (e.g., only intake or follow-up).