Security Concerns about Skype
Back in October, Dr. Arthur S. Trotzky, a member of the Georgia Therapists Network, brought up on the online discussion list his concerns about the security of using Skype for online counseling. He specifically cited Fast Company’s post, Skype’s Huge, New Security Headaches.
Frank Pratt, III, LCSW responded on the GTN list by offering the following explanation. While I do not use Skype or provide online counseling at this time, I thought that many of you would, like me, find his explanation useful in understanding how and what potential risks might be. I contacted Frank and he graciously agreed to allow me to print his email below.
How the Internet Works
I have a good working knowledge of this kind of thing, so I’ll take a stab at it.
The point of this [Fast Company] article is that hackers have been able to determine IP addresses of Skype users. Without going into too many details, you could easily determine the general location of an IP address, though in most cases, it would be far more difficult to pinpoint the exact location of the computer.
It is usually very easy to get an IP address, because this address is always sent when you send data to another computer on the internet. This email [from Frank to the GTN discussion list] is being sent from the following address: 68.213.17.7. We have a DSL line and BellSouth assigns this IP address to our [unique] modem, which is connected to the BellSouth system. All the computers on our network use this IP address.
Every time you send an email address or send data to a remote server (e.g. you post a message on an online forum), there is a good chance that the remote server keeps a log of your IP address. I looked up this address on several search engines. My research indicates I am in Atlanta, Georgia. Look at my e-mail signature below, and you will see that the search engines are off by 50-60 miles.
Note that this quick and dirty search did not reveal the name on the DSL account. Just a rather inaccurate geographical location. The search engines show me to be in Atlanta, because our modem connects to a server in Atlanta, via a phone line (much the same way as my fax machine would be connected to a fax machine in Atlanta if I sent a fax to a business in Atlanta). I would guess that hundreds, if not thousands, of DSL modems in Atlanta and the surrounding area connect to this very same computer in Atlanta. So, I am connecting to the internet from Rome? Lawrenceville? Atlanta? Athens? Snellville? Conyers? One of the suburbs? Good question!
If a skilled hacker were so inclined, he/she could possibly hack into BellSouth’s servers to get the name on the account, which is the name of our company. This would require extensive expertise, and a possible risk of felony prosecution for the hacker. Even if a hacker decided to do it anyway, they would only get the name of our company, since that is the name on the account.
That narrows it down to 6 computers and just as many staff members. If you get the IP address for a computer at an academic institution, or a large company, you might be able to easily determine which school or company the message was sent from, or perhaps even which campus building the message originated from. However, this might only narrow it down to hundreds or thousands of individual users. Again, the servers at that institution might have logs that could tell you which user was assigned a given IP address at a given time, but a hacker would need to hack into a server to get this data. Bypassing security measures, and possible civil/criminal prosecution continue to be problems.
So, can you get the name of the person who is using an IP address for a Skype call? The practical answer is probably “no”, in most cases. The far more important question is whether or not the actual content of the conversation can be intercepted. Could a hacker listen in on a session that was conducted via Skype?
When it comes to hacking, anything is theoretically possible. However, given the encryption that Skype uses (see “Does Skype Use Encryption?”), it would be extremely difficult to do so. Breaking a 256-bit AES encryption key would probably require considerable expertise from a hacker, and a very powerful computer (or computers).
It would probably be far easier to tap a normal phone line. Keep in mind that we all use phone lines to convey privileged information on a daily basis (along with every hospital, physician’s office, etc.). Also keep in mind that caller ID and “reverse lookup” search engines make it quite possible to pinpoint the street address of a caller, perhaps far more accurately than an IP address. After spending 30 seconds on a site such as WhitePages.com, you could very easily (and legally) use my phone number to figure out the street address of my office. I am not an attorney, but I would argue that if a phone line is secure enough to convey protected health information under HIPAA guidelines, then Skype is as well.
Thanks, Frank! I so appreciate your explanation of how / where mental health professionals might be vulnerable online.
Other Skype-Related Resources
One of my primary resources for online / distance therapy is the Online Therapy Institute. As you are making your own decisions about if and how to conduct online therapy, you may also want to check out OTI’s post, Videoconferencing – Secure, Encrypted, HIPAA-Compliant.
And, if you know of other resources related to conducting therapy online in real time, I hope you’ll share them with us below!
[Frank Pratt, III, LCSW notes that since writing his response above, his office has switched from traditional phone service to using a Voice Over IP (“VOIP”) service for all of its voice and fax lines.]
Stephanie Adams says
Thank you so much for sharing this information, Tamara. This is very relevant to my online counseling work, as some of my clients PREFER to use Skype, and it makes me feel so much better about their relative safety! Great article, as always!
Tamara Suttle says
Hi, Stephanie! So glad you found it useful! Hey, how are the book sales going?
Stephanie Adams says
Seems to come and go in spurts! It’s kind of fun seeing what attracts results! I’m enjoying myself. Thanks for asking!
Tamara Suttle says
You go, girl! You model the gutsiness that all new professionals need to carve out their niche and soar! Hoping all my readers who are new mental health professionals pick up your book!
Stephanie Adams says
Aw thanks…well I had a great reviewer to help me – everyone should read what Tamara kindly said about the book below, I very much appreciated it!
Tamara, you and Beth Hayden of Blogging With Beth have also been inspirational to me with your great webinars – I am holding my second one this Thursday, remind me to send you the recording. 🙂
http://stephanieannadams.com/2011/12/01/another-great-book-review/
Dianne Martin says
Good Morning Tamara,
As I use Skype, telephone, and email counselling, this was very timely information as I grow my practice.
I understand gmail is more secure. While I have not used it for my practice, I decided to do a quick check and came across the post that you might find interesting.
http://howto.cnet.com/8301-11310_39-20070429-285/how-to-secure-your-gmail-account/
Have a great day.
Dianne
Tamara Suttle says
Dianne! Welcome back and thank you so much for sharing this great little post on securing Gmail accounts! I moved from AOL > Comcast > Gmail and I love my gmail. Your info will come in handy for many of us. Thanks for taking time to share with our community.
Hey, Dianne, you mentioned email counseling. Care to drop back in to chat about encryption? Or, perhaps a guest post on the subject?
Dianne Martin says
Hi Tamara, I’d love to talk about encryption. It is an area of current research – I’ll keep you posted – if you will pardon the pun!
Tamara Suttle says
Looking forward to the update! 🙂 Thanks, Dianne!
Stephanie Adams says
I forgot to say why – because I talk about building a counseling website and I use you as a great example of using WordPress to do so! Love your site!
Tamara Suttle says
🙂 Thanks, Stephanie!
DeeAnna Nagel says
Hi Tamara,
Thanks for this post!
I still caution therapists using skype and who must be HIPAA compliant that Skype says they are not HIPAA compliant- meaning, they are not willing to enter into a 3rd party agreement such as a HIPAA Business Associate Agreement. Skype’s video and audio calls may not be recorded but any chats that take place are recorded and maintained on their servers.
Dianne, Gmail is not encrypted end-to-end. Gmail offers a secure and encrypted page so that your Gmail is less likely to be hacked when you are at a hotspot for instance. But emails sent between parties are not secure. Hushmail.com offered an explanation here: http://www.onlinetherapyinstituteblog.com/?p=556
I hope this helps!
DeeAnna
Tamara Suttle says
DeeAnna – Thank you for dropping in to reiterate both of these facts. I fall into your camp on this one and don’t use Skype for this very reason. I so appreciate you taking a minute to share what you know with us! And, gang, for those of you who are new to online therapy, you should take a moment to check out the vast resources DeeAnna and Kate provide for use at the Online Therapy Institute.
Dianne Martin says
Hi DeeAnna, and thanks for the information about gmail. I will certainly check out your resources.
Really it is a mine field out there! The desire to ensure families are able to access needed programs not offered in their community is becoming more and more difficult – and frustrating. One of the major goals when I started was to ensure that families living in isolated locations would be able to get professional help and support when needed.
Thanks to Tamara for providing a venue where this information becomes available.
Frank Pratt, LCSW says
By that same token, I am sure AT&T, Verizon, and most other landline and cell phone services would also refuse to sign a HIPAA business partner agreement. Nonetheless, virtually every hospital and doctor’s office in the county uses this technology every day, despite their inability to obtain a business partner agreement from the phone company. As I said before, I would argue that a Skype call is more secure than a land line call, since land lines do not use encryption.
I certainly agree about your content regarding chat and g-mail. These services generally lack 2-way encryption, and are therefore not secure enough for communications involving protected health info. Hushmail seems to be a much better solution for confidential e-mail.
Tamara Suttle says
Frank, you make a valid argument from what I can tell. Isn’t it interesting how we place different values on different tools when the risks may be the same? You and DeeAnna certainly seem to know a lot more about this aspect than I do so I’m appreciative of your input.
DeeAnna Nagel says
Frank,
The difference between AT&T and Skype is that any chat component is recorded and remains on their server. I don’t argue that one is or isn’t more secure. I just encourage folks to use platforms that understand our responsibilities to HIPAA and are willing to accommodate us when we need to obtain such agreements. For some, this is not a concern. I hope this clarifies my position.
DA
Tamara Suttle says
DeeAnna! Thanks so much – I was hoping you were tracking this conversation!
Frank Pratt says
If Skype keeps records of typed chat messages, I would certainly avoid using the chat feature as a means of exchanging protected health information. Indeed, you would need a Business Partner Agreement in order to be in compliance with HIPAA. Even if Skype was willing to sign such an agreement, I would still feel very uneasy about these data being stored on a remote server. Perhaps there is some money to be made in an online chat service that is designed to cater to online therapy; a service that is willing to sign HIPAA business partner agreements, and that can offer two-way encryption.
My original point was in regards to verbal conversations via Skype. If verbal conversations are not recorded or otherwise stored on the server, I would argue that this medium is just as secure (if not more secure) than a traditional phone line. I seriously doubt that Skype records conversations, as this would likely be a violation of numerous laws that prohibit recording of phone calls without knowledge and consent of all the callers on the line. If Skype does not act as a “custodian” for verbal protected health information, then a business partner agreement is not needed.
Tamara Suttle says
Thanks, Frank, for continuing this discussion! As active as this online community is in most discussions, I suspect the fact that there are not more voices here indicates the lack of understanding that most of us still have concerning Skype and similar tools.
Dianne Martin says
Hi Tamara and DeeAnna
I just wanted to mention that PrivacEmail – http://www.therapyonline.ca/privacemail-features.asp – also offers programs for encrypted email for online counselling. The technology adheres to Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act). Here is the link to PIPEDA: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/
If anyone is interested, the Faculty of Social Work, University of Toronto offers cybercounselling courses on line – http://www.socialwork.utoronto.ca/conted/certificate/Cybercounsel.htm
Tamara Suttle says
Hey, Dianne! Thanks so much for sharing these resources! I think all of us are increasingly finding ourselves either interested in or at least engaged in conversations related to this issue. We’ve got readers here from over 23 different countries so I welcome readers and resources from around the world. In order to maximize the usefulness of this diverse online community, we need all of your voices and your resources, too!
And, in case I haven’t told you so, Dianne, I so appreciate your willingness to engage here with me and others in our community!
Frank Pratt says
I wanted to give an update on my thoughts regarding this matter. At a recent ethics seminar I attended, the point was made that Skype continues to be non-compliant with HIPAA. Skype is still unwilling to sign a business partner agreement. In the three years since this article was written, a number of HIPAA-compliant video teleconferencing sites have been launched, and many therapists are using them regularly. Though these sites are not free, they are more secure, and therefore preferable to Skype.
At the aforementioned seminar, a point was also recently made that federal wiretapping laws offer a level of security to any communication that takes place over a telephone connection. I am not an attorney, so I do not know why this is the case. However, it seems that wiretapping laws protect any PHI that is transmitted through the telephone system. This generally includes fax machine transmissions, voice mail recordings, et al. I assume this also protects calls made over a VOIP system, since portions of these calls are transmitted through regular telephone lines. Some legal opinions have stated that text messages are also protected by wiretapping laws, but this may vary from state to state. Personally, I would exercise caution with using text messages to communicate with clients.
In summary, I am no longer in support of Skype as a means of therapy, given the more secure alternatives that are now available.
Tamara Suttle says
Hi, Frank! It’s good to hear from you and thank you for dropping back in to update us with your thoughts on this. I, too, have chosen not to use Skype for the same reason as you – their unwillingness to sign a Business Associate’s Agreement. Instead, I choose to use vSee and have found it to be comparable to Skype, free, and because of the platform that is used, no need for a BAA. (No, I can’t explain because I don’t understand the tech end enough to even go there.)
I’ll reach out to my IT security guru-turned-counselor, Roy Huggins at Person-Centered Tech to see if he can address any of this. And, you might also be interested in his guest post (series) he wrote here earlier this year – HIPAA Compliance Myth Busting – Emails, Texts, and Smart Phones.
Roy Huggins, LPC NCC says
Hi Frank,
Skype is definitely not a good plan for therapy any more, but I think it’s important to know why. Otherwise, we continue to get distracted by straw men as we progress through this hyper-fast-moving early adolescence of Health Information Technology.
The main problem with Skype, in my opinion, is related to an aspect of HIPAA called the Business Associate rule plus the fact that far more appropriate alternatives, e.g. VSee, are now available. Many arguments about Skype’s security are off-base or sometimes actually false. I’m sure that in a vacuum Skype would be perfectly appropriate for many clinician-client relationships, but not all of them. And with things like VSee available to us, why would we use Skype anyways?
I have a longer version of that paragraph with more info at this article here: http://www.personcenteredtech.com/2014/03/skype-software-non-grata-other-tech-will-too/
I also have an article about VSee, for further clarification. 🙂 http://www.personcenteredtech.com/2013/06/vsee-and-hipaa-compliant-practice-a-skype-therapy-alternative/
As for wiretapping laws: I’m not sure how the law creates an extra level of security. I can say that the classic telephone network is harder to eavesdrop on than the Internet. So even though both networks may use the same wires, they are communicating in different ways and it is harder to eavesdrop on the classic telephone networks (the fact that the Internet can be eavesdropped on is a side-effect of what makes the Internet so very effective as a mass communication network.)
Tamara Suttle says
THANK YOU, Roy, for dropping in to address this! I know you are crazy-busy but you are THE guy I trust when it comes to all things HIPAA and security-related. I so appreciate you sharing your resources with us!
Hey, when does your next class begin? Care to leave a link so we can easily find the details?
Tamara Suttle says
And, here’s more current information – https://personcenteredtech.com/2013/06/vsee-and-hipaa-compliant-practice-a-skype-therapy-alternative/
Amy Maricle says
Hi Tamara
This is a great topic. I may have missed it along the way here, but I wanted to be sure that folks are aware of vsee. It’s totally secure because it runs computer to computer.
Cheers
Amy
Tamara Suttle says
Thank you, Amy, for mentioning vSee! I think I wasn’t aware of it back when this post first aired. VSee is the only platform I ever use for distance therapy and, I love it! I never have to worry about my client’s information leaking out when I’m on vSee.