With so many professionals already using Skype as a tool to communicate with clients and colleagues, one would think someone would have researched the system’s security protections and warranted them as being HIPAA compliant. On the contrary, I’ve been looking for this data for months now online, offline, in medical and non-medical circles and keep coming up with the same old answers, which are vague. Run an online search for “skype security,” and you’ll see what I mean.
Some of the reported information shows that Skype security flaws were documented as late as October of 2005. Attackers ran hostile code on computers running vulnerable versions of Skype. Luckily, the problem apparently only affected Skype for Windows. The attacker placed a malformed URL using the Skype URI format, and lured the user to use it in order to accomplish the attack.
The second security bug documented for Skype affected all platforms, and not just Windows. Skype tackled the problem by fixing the bugs and issuing a security patch (Garfinkel, 2005).
The real question, with hackers getting more sophisticated all the time, is whether or not Skype will be able to defend itself in the face of future attacks. Is there any legal requirement for Skype to inform users of security violations, such as HIPAA for health care? After all, if we’re using Skype for health care delivery, shouldn’t we expect that our patients be afforded the same protections as with other electronic systems we advocate using for contact, or that the same rules apply?
Not necessarily. If Skype never says they are secure enough for health care, and clinicians voluntarily choose to use it anyway, why should Skype stop us? I haven’t seen them encourage or discourage us from using their platform, have you?
Aside from that little detail, why else should anyone really be concerned? Lots of reasons.
Have you ever stopped to think how your patient’s confidence in you, your professionalism and perhaps even your profession can be compromised by what can happen when you encourage them to meet with you on an unsecured platform online, and it backfires?
Garfinkel shed some light on the problems in his 2005 publication, where he explained that hackers use essentially the same tools to access VoIP transmissions as they do to obtain any other data. He identified several points in the transmission of VoIP calls where hackers can interfere with sensitive data transmission.
- When VoIP is used on an external network, gateway technology converts the data packets from the IP network into voice before sending them over a public telephone network. These gateways are potentially the weak links in the transmission chain. The concern is that at this point, VoIP can be hacked by unscrupulous users to gain access to free calls, and an attack on a VoIP server could result in the loss, theft, or alteration of potentially sensitive data such as log files.
- In addition to retrieving actual conversations, hackers can also access user identities and VoIP phone numbers. With this information, a hacker can place phone calls using someone else’s identity. If that’s not enough, VoIP calls are as vulnerable to eavesdropping as traditional telephone calls, but in this case, hackers can also manipulate VoIP to create conversations that never existed.
- Another security threat is the possibility of sending viruses with VoIP data. This hasn’t surfaced yet, but viruses could potentially overload VoIP networks, reducing sound quality and creating delays. Less dangerous, but just as irritating, VoIP isn’t secure against spam either, leaving businesses and their clients open to receiving unsolicited marketing calls.
- Also in terms of privacy, Skype uses a “History” file saved on the user’s computer to document all exchanges of communication between users. This feature is enabled by default, though few users are made aware of that. This enables attackers to obtain the file through spyware or other adware applications (Garfinkel, 2005).
Do you know with any certainty that Skype security is in place for health care? Isn’t it your job to secure the office when you invite patients to meet you? If you haven’t done your homework, you’d better be careful about suggesting that your patients meet you in Skype or any other VoIP-based system.
I’ve been fruitlessly looking for this type of information, and invite you to post it below if you find it. Honestly, I’d be greatly relieved if somebody could show me that these companies have made public FCC-scrutinized announcements about being ready for health care before we witness yet more of our colleagues inviting patients to use these public platforms to offer confidential treatment to vulnerable patients and clients.
Garfinkel, S. (2005, January 26). VoIP and Skype Security. Page 1. Retrieved March 11, 2010, from http://www1.cs.columbia.edu/~salman/skype/OSI_Skype6.pdf
Those are my references about Skype security for today, and my opinion. What’s yours? Might you have better references to help me change my perspective? Please comment below.