Skype is a VoIP service that has become familiar to many in the digital world, with over 300 million users regularly making and receiving calls within the platform. This free platform provides a simple way for people to meet face-to-face, without the need for installed equipment, subscription to services or the purchase of Video Conferencing systems. Much of the appeal of using Skype in Telemedicine lies in its familiarity, simple access, and the fact that it is free.
However, many have questioned whether Skype can be used securely and confidentially in the world of healthcare, whether it meets the strict requirements for data storage and sharing in the NHS and UK Healthcare sector, and whether the quality of service required for effective remote consultations can be met.
By simply viewing the easily accessible terms, conditions & policies of Skype, there are quite a number of points that should raise some red flags regarding security & usage in healthcare:
- Skype has the rights to data that is transmitted, & can review the data at its own discretion
- Data can be monitored via digital wiretapping, if required, by government organisations
- Skype does not provide audit trails or notifications in case of a breach, which can therefore go completely undetected
- There is no specific Service Level Availability for Skype, so quality cannot be guaranteed
In the world of healthcare, it is well known that controls such as auditing, backups and breach reporting are extremely important, and that organisations should always make the best efforts to ensure privacy by applying measures in both administration and technology that prevent unauthorised or inappropriate access or use. So are these controls in place, and are best efforts being made at Skype? Unfortunately, it doesn’t seem so.
“Skype is not looking after the privacy of your client data, therefore it shouldn’t be used to communicate about mental health issues.”
Dr. Kate Anthony, Fellow of the British Association for Counselling and Psychotherapy
In the United States, the Health Insurance Portability and Accountability Act 1996 (HIPAA) is legislation that provides data security and privacy provisions to ensure the safeguarding of medical and patient information. HIPAA compliant platforms ensure that conversations are kept confidential, and all healthcare providers now legally have to comply with this gold standard of security and privacy for health data. Skype representative Harvey Grasty openly stated that:
“Skype is not a business associate subject to HIPAA nor have we entered into any contractual arrangements with covered entities to create HIPAA compliant privacy and security obligations.”
Harvey Grasty, Skype
One of the leading concerns for healthcare professionals using Skype is both the lack of compliance with HIPAA, and the fact that Skype has previously publicly stated that it does not wish to become HIPAA compliant. Skype is regularly found to be used by therapists and counsellors around the world, generally due to its free Skype-to-Skype ability. However, the lack of obligation to HIPAA compliance leaves possible vulnerabilities where data and information could be viewed or misused, or distributed in ways unacceptable to healthcare professionals and patients.
Now no-one believes Skype wants to put patient data at risk or do anything malicious to undermine security within healthcare. But is everything being done that could be done to protect this data? Not one bit. And they aren’t meant to – personal and private information sharing is not what the service has ever been designed to transmit, and therefore HIPAA compliance isn’t of importance.
“If you opt to use Skype to communicate with patients, be aware of the risk that HIPAA rules may be violated.”
American Psychological Association Practice Central
Although HIPAA compliance is not required in the UK, the fact that a solution is not compliant means that it does not meet the standards set out within the legislation, designed to protect patient data and confidentiality, and to ensure access is monitored, data breaches are prevented, and risks are regularly reviewed and amended to safeguard individuals and clinicians.
The NHS & Skype
Skype is used in a number of trusts around the UK to enable simple consultations for many patients who require remote access. Skype can be used to facilitate remote consultation at no cost to the patient using an interface the patient is already familiar with. The NHS has published many guides to using Skype for these consultations, which show that clinicians should:
As there is no specific Service Level Availability or guarantee of service for Skype, it should never be used for emergency responder type calls, where it is important that the call connects and lasts every time; as a replacement for other communication tools; or where quality (and regularity of quality) is important, such as board meetings, MDT meetings, training & sessions with patients where visuals are important. Video Conferencing tools can be highly beneficial for diagnosis of disease, direct sharing of imaging (such as Cardiovascular & radiology imaging), teaching speech & for those hard of hearing, and it is extremely important that professional technology is used to ensure consistently high quality video, audio and data.
B) Not use where security is important
Skype uses peer-to-peer protocols, making centrally controlling or recording conversations very difficult, and consultants are recommended not to record the meeting via Skype due to this issue. If the video stream should be recorded, which can be very important for revisiting during more in-depth diagnosis, secure recording servers designed for this purpose should be implemented on the network.
Some aspects of Skype’s design also use proprietary protocols: ones that are not internationally recognised, and that are designed and used by that specific manufacturer rather than through consortiums & the international community. The NHS and others generally consider this a security risk, as proprietary protocols are often not secure by design. Proprietary protocols also cause other difficulties, such as not being able to communicate with standards-based systems. If security is important, standards-based, professional technology designed with security in mind and integrated properly into your secure network should be considered instead.
C) Use Pseudonym Usernames
As Skype has an open address book, anyone can find any other Skype user, whenever they like. Therefore, it is recommended that doctors and clinicians use pseudonyms for usernames, rather than their surgery or real name, as they may otherwise find themselves overrun with video calls over which they have no control. Through scheduling systems, tailored professional solutions with SDKs and special network implementations, this can be prevented, or “meet in the middle” style meeting spaces may be more beneficial, so that the doctor can call into the Virtual Meeting Room, such as ProHealth VMRS, only when they are ready.
Overall, it seems that Skype can be used in some consultations, where quality of service and security are not paramount, and free, quick access for patient to GP is a leading factor in the reason for remote communication. If such consultations are carried out, the clinicians should be highly aware of the risks associated with free VoIP calls and make best efforts to minimise these risks, along with ensuring that the far end patient also understands the risks of sharing data online in this way, before the Skype meeting takes place. However, if quality, security and data confidentiality are important, organisations should be looking to utilise technology designed for purpose: standards-based, HIPAA compliant, professional and supported with teams knowledgeable in communications and your network.
- Is Skype HIPAA Compliant? If not, what is?
- HSCIC NHS & QIPP: A brief Guide to Skype Remote Consultations
- Authority Figures Oppose the use of Skype for Online Therapy