VOIP for Telerehabillitation - A Risk Analysis

7/31/2019 VOIP for Telerehabillitation - A Risk Analysis

1/12

International Journal of Telerehabilitation telerehab.pitt.edu

3International Journal of Telerehabilitation Vol. 2, No. 2 Fall 2010 (10.5195/ijt.2010.6056)

VOIP for Telerehabilitation: A Risk Analysisfor Privacy, Security, and HIPAA Compliance

Valerie J.M. Watzlaf, PhD, RHIA, FAHIMA, Sohrab Moeini, MS,and Patti Firouzan, MS, RHIADepartment of Health Information Management, School of Health and RehabilitationSciences, University of Pittsburgh, Pittsburgh, PA

Abstract

Voice over the Internet Protocol (VoIP) systems such as Adobe ConnectNow, Skype, ooVoo, etc. may include the useof software applications for telerehabilitation (TR) therapy that can provide voice and video teleconferencing betweenpatients and therapists. Privacy and security applications as well as HIPAA compliance within these protocols have beenquestioned by information technologists, providers of care and other health care entities. This paper develops a privacyand security checklist that can be used within a VoIP system to determine if it meets privacy and security procedures

and whether it is HIPAA compliant. Based on this analysis, specic HIPAA criteria that therapists and health care facilitiesshould follow are outlined and discussed, and therapists must weigh the risks and benets when deciding to use VoIPsoftware for TR.

Keywords: Risk analysis, Voice over the Internet Protocol (VOIP), telerehabilitation, HIPAA, privacy, security

Introduction

Voice over the Internet Protocol or VoIP technologiesare used for more than just talking long distance to familymembers in another city or country. VoIP can take onseveral different forms including telephone handsets,conferencing units, and mobile units (Kuhn, Walsh,& Fries, 2005). Some of these software systems areused by health care providers to provide telemedicine,telepsychiatry, and TR services to patients via voice andvideo teleconferencing. According to the National Instituteof Standards and Technology (VoIP 800-58) the mainadvantages of VoIP are its cost and integration with otherservices such as video across the Internet which thenprovides a teleconferencing system. Most VoIP systemsare cheaper to operate than an ofce telephone orteleconferencing system. The disadvantages of VoIP arethe start-up costs and security. Since VoIP is connectedto the data network and may share some of the samehardware and software, there are more ways for the data

to be compromised, so increased security on a VoIPsystem may be necessary. Most VoIP technology systemsprovide a very reliable, high quality and competentteleconferencing session with their patients. However, todetermine if the VoIP videoconferencing technologies areprivate, secure and compliant with the Health InsurancePortability and Accountability Act (HIPAA), a risk analysisshould be performed. This paper will provide a descriptionof risk analysis issues as well as a HIPAA compliance

checklist that should be used for VoIP software systemsthat may be used in the TR setting.

Background of Hipaa Privacyand Security Regulations andHitech

The Health Insurance Portability and Accountability Act(HIPAA) implemented in 1996 encompasses a number ofdifferent provisions related to health insurance coverage,and electronic data exchange, along with provisionsthat address security and privacy of health data. Recentrevisions were enacted as part of the American Recoveryand Reinvestment Act of 2009, and address the privacyand security concerns associated with the electronictransmission of health information under the HITECH Act

(Health Information Technology for Economic and ClinicalHealth Act) (Lazzarotti, 2009).

The Privacy Rule, which took effect in April 2003,established regulations for the use and disclosure ofProtected Health Information (PHI), and set into play anumber of sections that outline an individuals privacyrights with regard to PHI, and the expectations set forthfor health care organizations and providers in ensuring


2/12


4 International Journal of Telerehabilitation Vol. 2, No. 2 Fall 2010 (10.5195/ijt.2010.6056)

that those rights are upheld.The Security Rule, also implemented in April 2003,

outlines three types of security measures that must betaken in order to comply with the privacy rule regulationsand deals specically with Electronic Protected

Health Information (EPHI). These measures includeadministrative, physical and technical safeguards thatshould be administered as part of the security rule.

The HITECH Act revisions require increases in civilpenalties for different categories of violations andpenalties will apply even where the covered entity did notknow (and with the exercise of reasonable diligence wouldnot have known) of the violation.

Information Security Risks:

There are three types of information security risks:Condentiality, Integrity, and Availability. Condentialityrefers to the need to keep information secure andprivate. Integrity refers to information remainingunaltered by unauthorized users. Availability includesmaking information and services available for use whennecessary. According to the NIST SP 800-58, thereare many places in a network, for intruders to attack.Intrusions may also occur when VoIP telephone isrestarted or added to the network

The vulnerabilities described by NIST in their reporton VoIP technologies are generic and may not applyto all systems, but investigations by NIST and otherorganizations have found these vulnerabilities in manyVoIP systems (Kuhn, Walsh, & Fries, 2005).

Hipaa Compliance Checklist

A HIPAA compliance checklist, specic to VoIPvideoconferencing used between patients and therapiststo provide TR therapy, is included so that therapists andhealth care facilities can take any VoIP software systemthey are thinking of using and determine if it meetsbasic privacy and security provisions. Every potentialuser (therapist or healthcare facility) should review theprivacy and security policies that are found on the VoIPsoftware systems website to determine if they answerthe questions listed in this checklist. If the question isnot addressed in the policy, then the user may want tocontact the software company and ask them how thecompany will address a particular question(s). Thenthe user can determine whether the question(s) thatare not answered outweigh the benets of using a VoIPvideoconferencing system to provide TR therapy to theirpatients.


3/12



HIPAA Compliance Checklist for VoIP (Vidbetween Patients and Therapists

eoconfer ncing)

PRIVACY Yes No Not included

in policy

1. Personal Information Will employees and other users of VoIP software be

able to listen in to video-therapy calls betweenpatient and therapist?

Will video-therapy content of sessions between thetherapist and patient be accessible to individuals

within (employees) and outside of the softwareorganization (other users/consumers)?

Will video-therapy content be shared further toprotect the companys legal requirements, interests,enforce policies or to protect anyones rights,property or safety?

Will video-therapy content be shared with distributorsof the software or with analytical services or banking

organizations etc.?

Will the VoIP software company provide the user

30-60 days to comply with a new privacy policy, if ithas changed?

Will the user be able to amend personal informationwithin a reasonable period of time and upon

verification of their identity?

Can a users contact see that they are online andchoose to send them an email during a videoconferencing session?

RETENTION OF PERSONAL INFORMATION

Are video conferencing sessions for TR therapyservices recorded?

Will video conferencing TR therapy sessions beretained and for how long?

How long will other personal information be retainedand what will this include?


4/12



If a patient requests that past information be deleted,does the privacy policy state how this will occur?

Is the level of access (management) of the TRvideoconferencing recording up to the user?

Does the user get the option of archiving theirrecords offline on storage network devices?

2. Voicemail:

Will voicemail for another VoIP user be transferred toa third party service provider?

If a third party service provider is used to convert

and analyze the voicemail, is the background andtraining of the third party provided?

Does the background include training related toprivacy and confidentiality issues related to HIPAAand other privacy statutes?

3. Requests for Information from Legal Authorities etc.

Will personal information, communications content,

and/or traffic data when requested by legal

authorities be provided by the VoIP softwarecompany?

Is information on the educational backgrounds andexperience of employees working at the VoIPsoftware company who will decipher these requests

provided?

Will a qualified individual who is a Registered Health

Information Administrator (RHIA)with privacy,confidentiality, and HIPAA compliance experienceanalyze these requests?

Will a complete and accurate consent to patientdisclosure be made?

Will appropriate processing of the personal data thatis necessary to meet a valid request be made?


5/12



Will a subpoena or court order be requested fromlaw enforcement and government officials requestingpersonal information?

Will an accounting of disclosures be made and

provided to the user?

Are patients able to request a restriction of uses anddisclosures?

4. Sharing of Personal Information in Other Countries

Will a transfer of personal information outside of yourcountry to a third party be made by the VoIPsoftware company?

Will the use of any VoIP products automatically

consent to the transfer of personal informationoutside of your country?

Since privacy and confidentiality regulations changeacross different countries, how will different countriesmaintain personal health related data and video?

Will other countries who may not abide by the

HIPAA requirements, have the opportunity to releasepersonal information more easily and without regard

for legal requirements?

Should personal information that is acquired duringvideo conferencing be transferred to a third partythat the software company may buy or sell as part ofits business agreements?

Should the patient have the right to consent to thistransfer of personal information?

If the patient consents, with how many different

countries will their personal information be shared,when participating in TR video conferencingtherapy?


6/12



5. Linkage to Other Websites:

Will the VoIP software contain links to other websitesthat may have a different privacy policy than theirpolicy?

Does the VoIP software company acceptresponsibility or liability for these other websites?

Is the VoIP considered a business associate with the

tele-therapy site being the covered entity?

Will the covered entity need to have businessassociate agreements with each of the other

websites in which personal information may travel?

Will the other websites need to comply with privacyand security (HIPAA) requirements on their own?

How will the VoIP software company handle privacyand security protections under the HITECH

amendment of HIPAA rules?

SECURITY

6. Encryption:

Are voice, video, and instant message conversationsencrypted with strong encryption algorithms that are

secure and private during transmission?

Does the encryption protect video TR therapysessions from potential eavesdropping by thirdparties during transmission?

Does the encryption implementation contain specificinformation to explain what it entails?

Can third parties be able to decode a recorded VoIP

video and voice conversation by accessingencryption keys?


7/12



7. Anti-Spyware and Anti-Virus Protection:

Is it the users responsibility to make sure thatappropriate anti-virus and anti-spyware protection is

on their computer in order to prevent eavesdroppingduring videoconferencing TR sessions?

How secure are videoconferencing TR sessions andhow much personal health information may betransmitted to other authorities?

Are patients informed of the security issues and isthis included in their informed consent?

8. Users Public Profile:

Is it optionalfor the user to enter information intotheir public profile

Is the userrequiredto enter any information into thepublic profile?

If the public profile information be seen by otherusers can the user determine which information can

be seen by whom?

Is the public profile separated into the following threecategories?

1. Information that everyone can see.(1)

2. Information foronly the users contacts to see.(1)

3. Information forno one to see.(1)

Is the users email address encrypted so no one can

see it when looking at the profile?

Are there instructions on how users can update andchange the profile information?

1As per Skype Privacy Policy, http://wwwskype.com retrieved August 15, 2010


8/12



Voip Risks and Recommendations:

The risks, threats and vulnerabilities related to aVoIP as explained by NIST are described below withrecommendations on how these can be reduced oreliminated. This list is not exhaustive as some of theVoIP systems may have privacy and security risksthat are not included below. However, it does provideinformation as to where a risk may occur, the level of riskand a recommendation on how to prevent the risk fromoccurring (Kuhn, Walsh, & Fries, 2005).

9. Allowing, Removing, Blocking Callers:

Does the VoIP software system allow the user todetermine if they want to contact a person in their

contact list?

Are contacts easily removed by the user?

Can the user remove or revoke authorization byblocking the user on each computer that is used?

Does the VoIP software system provide instructionson how to block a user?

10. Audit System Activity:

Are server logs generated to provide a record of thecompliance settings that the user developed?

Do the logs also provide an audit trail to track whohad access to TR videoconferencing sessions andwhich functions were enabled or disabled for thesession?

11. Security Evaluation:

Has a security evaluation of the VoIP softwaresystem been performed by an independent group?

Does the security evaluation include authentication,password management, data management etc. andverifies that the software system implements proper

security measures?


9/12



Risk,Vulnerability orThreat

Specific Area RiskLevel

Recommendation

1. Confidentialityand Privacy

Retention of personaldata and informationas well aseavesdropping onconversations.

High(increases inVoIPbecause ofthe manynodes in apacketnetwork)

Change default passwords;disable remote access tographical user interface; useauthentication mechanisms.

Systemvulnerabilities:

viruses, worms,Trojans

High Implement VLAN with standalone workstation, separate

from user workstation.Separate softphoneapplications from regularsoftware applications.

IP (Internet Protocol)Packet Transmission

High Outside of the networkenvironment, properencryption protocols such asIPsec should be incorporatedwhen transmitting data.IPSec uses proper

authentication and encryptionprotocols whencommunicating andtransmitting data.

Wiretap vulnerability/intercept voice traffic

High(attaching apacketcapture toolto the VOIPnetworksegmentincreaseschanges tointerceptvoice traffic)

Establish a good physicalsecurity policy; develop analarm system to notifyadministrator when an IPphone is disconnected; useauthentication mechanisms.Preferably use a wirednetwork over WiFialternatives.


10/12



Web server interfacesused to gainconfidential

information

High Use the more secure webserver if it is necessary to useit for remote administration.

IP address extensionleads to other attacksof confidentialinformation

High Disable the IP phone; it isvery simple to turn it back ononce an attack is prevented.

2. Integrity Issues Legitimate user mayperform incorrect orunauthorized functionwhich may be due to

a level of accessgiven to the user thatis higher thanneeded.

High Provide the user with a levelof access that is appropriateto their need. (For example,do not provide users to gain

access to personal healthinformation if it is notnecessary for their level ofwork.)

Intruder acting like alegitimate user

High Use IP phone instrumentsthat can download signedbinary files by users.

Insecure state of theswitch (switch is asmall hardwaredevice that joinsmultiple computerstogether within onelocal area network)

High Firewalls, change defaultpasswords, disable graphicaluser interface. Disable portmirroring and port forwardingand implement VoIP awarefirewalls.

3. Availability ofService

Flooding the link withbogus messagescausing severedeterioration or denial

of service orfunctionality

High (VOIPmay haveadditionalvulnerabili-

ties withInternetconnection)

Deploy a firewall thateliminates connections fromunnecessary or unknownnetworks; change default

passwords and disablegraphical interface; checksoftware updates; limit loginattempts until accountbecomes locked out.


11/12



Overall Recommendations:

Whatever software application is chosen to be used forTR videoconferencing therapy, each therapist and healthcare entity should consider implementing the following

recommendations before its use: Form a team of health and legal professionals that will

examine VoIP software systems to determine if it meetsfederal (HIPAA), state, local, and facility-wide privacy andsecurity regulations. Since VoIP software systems canchange frequently, a team of professionals is neededto stay up-to-date on those changes. Also, federal andstate policies change frequently, so again the team mustensure that someone is on top of these changes. Theteam may consist of the health care facility attorney, riskmanagement personnel, health information administrator/privacy ofcer, security ofcer (IT) and representativetherapists (e.g., occupational therapist, physical therapistand speech-language pathologist).

Educate and train therapists and other rehabilitationpersonnel who use TR software applications for videoconferencing on all aspects of privacy and securityissues related to video conferencing as well as exchangeof other PHI. Awareness training on all aspects of HIPAAsecurity rules in relation to TR and software use, spyware,password security, and encryption should be emphasizedin relation to video conferencing. Education and trainingshould emphasize what therapists should look for whenconsidering use of certain software applications forvideo therapy in relation to privacy and security as wellas quality and reliability. Many times the privacy andsecurity of a system is overlooked because of how well itcan provide a TR service.

Develop an informed consent form that patients sign thatexplains the TR therapy that will be provided, how the VoIPtechnology software will be used and why, the benets ofthe TR and use of video conferencing communication, as

well as the risks related to privacy and security. Have theteam attorney review the informed consent to make sureit meets all federal (HIPAA), state and local regulations.

Incident response is necessary and should includedocumentation regarding the incident, the response tothe incident, any effects of the incident as well as whetherpolicies and procedures that were followed in responseto the incident. If policies and procedures are not in placefor incident response, then these should be developedwith the security and privacy ofcers.

Use the HIPAA compliance checklist and compare it to theVoIP technology software privacy and security policies.Or, purchase HIPAA compliance software specic toVoIP that will walk you through each piece of the HIPAAlegislation to make certain the software is private andsecure.

Consider the future of using VoIP technology softwareif the HIPAA regulations change to include them asbusiness associates or if stronger recommendations aremade for VoIP software technology, since the DHHS isalso looking more closely at entities that are not coveredby HIPAA rules to understand better how they handle PHIand to determine whether additional privacy and securityprotections are needed for these entities.

Follow all applicable security safeguards when usingVoIP, such as those recommended by the NIST (Kuhn,Walsh, & Fries, 2005) and Garnkel (2005). These include

not using the username and password for anything elsebut video conferencing, changing it frequently and notmaking it easy to identify; not having computer viruseson the computer used for video conferencing; never useit for emergency services; and consistently authenticate

who you are communicating with especially when usedfor tele-therapy video sessions. Provide audit controls for using software applications so

that they are secure and private. Focus on the transmissionof data through video conferencing, how that data ismade private and secure during the telecommunication,and also how private and secure it is stored and releasedto internal and outside entities.

References

Centers for Medicare and Medicaid Services, HIPAAGeneral Information. Retrieved September 9, 2010 fromhttp://www.cms.gov/HIPAAGenInfo/.

Garnkel, S. (2005). VoIP and Skype security. SkypeSecurity Overview-Rev 1.6 Retrieved July 11, 2010 fromhttp://www.tacticaltech.org/les/tacticaltech/Skype_Security.pdf.

Kuhn, D., Walsh T., & Fries S., (2005). Securityconsiderations for voice over IP systems:Recommendations of the National Institute of Standardsand Technology (NIST). Technology Administration, U.S.Department of Commerce Special Publication, 800-58.

Lazzarotti, J., HIPAA Enforcement Regulations Updatedfor Penalty Increases and Enhancements under theHITECH Act, Retrieved September 9, 2010 from http://www.workplaceprivacyreport.com/2009/11/articles/hipaa-1/hipaa-enforcement-regulations-updated-for-

penalty-increases-and-enhancements-under-the-hitech-act/.


12/12



Date post:	05-Apr-2018
Category:	Documents
Upload:	bill-wong
View:	217 times
Download:	0 times

VOIP for Telerehabillitation - A Risk Analysis

Documents