Dr. Elhai, you are a psychologist and researcher on PTSD, but I wanted to interview you because I know you have a strong interest in how mental health practitioners can use digital technology to communicate with patients. Before getting into some specifics of privacy protection, I’m curious about who is wanting to steal health information, and what they intend to do with it.
Dr. Elhai: There’s a thriving black market for medical information. For example, people from other countries can use the information to create fake IDs to use healthcare services in the U.S. It can be used for Medicare fraud or to buy durable goods like wheelchairs that can be resold on the black market. Each individual’s credentials can be quite valuable.
Let’s begin with something simple like email. HIPAA requires that any communication be encrypted, but what does that actually mean?
Dr. Elhai: When we talk about encryption in terms of the transmission of data, encryption is the mechanism that enables two people to talk to each other electronically only if they both have a special key—kind of like a password—that allows them to send and receive communication. So if you’re having an encrypted email exchange with a patient, for example, and someone tries to intercept that communication, the interceptor won’t be able to read it unless they have the same special key as you and your patient (the sender and receiver). So even if that person was able to intercept the content of the communication, it is going to look like gibberish because they don’t have a key to unlock that message, so to speak.
Can someone intercept, or hack into, my communications at home even if I’m using my own router?
Dr. Elhai: Yes. If you’re using a router that isn’t set up with a password, anybody could just drive by and log onto your Wi-Fi. If someone is able to get on your network, it’s pretty easy to intercept your electronic communications either by purchasing special software or doing a Google search on how to intercept email communication.
So as long as I set a password on my home network, it’s encrypted?
Dr. Elhai: Yes, but it’s a little more complicated. There are two kinds of encryption types you can use. The less secure is called WEP (Wired Equivalent Privacy), and the more secure is called WPA (Wi-Fi Protected Access).
And how do we select WPA over WEP?
Dr. Elhai: When you first use a new router, you will usually have the option of choosing different kinds of passwords, usually in a drop-down menu after you install the software. You simply select the WPA option, then create your password. WPA is harder to hack than WEP.
So if both my patient and I have WPA passwords on our routers, then regular email using those routers is OK?
Dr. Elhai: Yes, as long as the passwords themselves are strong.
What about if I’m using my computer at Starbucks? I assume those networks are very hackable.
Dr. Elhai: That’s true if a password is not required. Public establishments don’t always use encrypted routers because they want to make it easy for you to access their Wi-Fi. If you can hop on to the network of a coffee shop without a password, anybody with some technology skills could see what you’re actually typing or what you’re reading on your device. But often these days, there is a password, and if you use it, the encryption may be as good as you’d get with your home network. Of course, a café may be using the less secure WEP system. For example, if an establishment’s Wi-Fi password is a pretty short numerical password, it may indicate a less secure WEP network.
All right, let’s say I’m in some public area, whether a café or a clinic, and I’m not very confident about the security of the network. Is there any way I can securely communicate with patients some other way?
Dr. Elhai: Yes. Some email providers have an “https” at the front of the Web address.
In fact, I just logged onto my Gmail account in Google and it shows https in the address bar. What does that mean in terms of security?
Dr. Elhai: It means you are going through a secure socket layer-encrypted connection so that it is not possible to see what you’re doing. Google now uses https as its default so that any Gmail communication is secure even if you’re using a public Wi-Fi connection.
That’s reassuring. But let’s say I’m using Gmail but my patient is using a provider that doesn’t use “https”. Can I assume our correspondence is protected because of my Gmail account?
Dr. Elhai: No, it’s still hackable on their end. Keep in mind that encryption is only as strong as the weakest link. If you are receiving email from a server that doesn’t use an https connection by default, then anybody who hacks into that connection could intercept your communication. So at a minimum, you’d want you and your patients to be using an email provider that encrypts by default.
What other options are there to make sure email is private?
Dr. Elhai: Another way to go is to use a virtual private network, or VPN, which also provides protection if you’re using a public Wi-Fi connection. The idea behind a VPN is that your Internet traffic is tunneled through your own VPN server off-site even if you’re using a different wireless connection. That way, even if someone is able to hack into what you’re doing or if you’re using a site that is not https encrypted, no one would be able to see it because all of your Internet traffic would be securely transmitted to a non-local, private server.
This sounds ideal for doctor-patient communication. But aren’t VPN servers really expensive?
Dr. Elhai: They used to be, but not any longer. You can now subscribe to a VPN service for an average cost of $5.00 per month. Some of the more popular VPN providers are Hotspot Shield, VPN Unlimited, Cloak, and Hide My Ass. Once you are connected, they are pretty simple to use; you just go into their app and click a button to connect to the VPN.
So if a patient is using the same security email provider that I’m using, or if I’m using a VPN, I can feel pretty confident about the security of my emails. Still, we are sometimes talking about very sensitive clinical information. Are there any further levels of security I should be thinking about?
Dr. Elhai: There is also another type of technology called Virtru that I sometimes use when I send sensitive information. Instead of using standard encrypted Gmail, Virtru sends an email from my Gmail account to the recipient saying something like, “You have an email encrypted through Virtru. Click here and you will be taken to a Virtru server to see that email.” Virtru also lets you do things like disable forwarding of an email message or set a time limit to delete messages from the server after a set number of days. Using Virtru is basically like wrapping your email client with self-destructing encryption.
There is an ongoing debate about how HIPAA compliant Skype, FaceTime, and Google Hangouts are (see the article in this issue that addresses this topic, “Are Skype, FaceTime, and Google Hangouts HIPAA Compliant?”). Are there any solutions that make video teleconferencing a more secure option—without costing an arm and a leg?
Dr. Elhai: Yes. One of the solutions is a free service called Jitsi that adds an additional layer of protection from interception. There is also something called Doxy.me, which is also free as well as HIPAA compliant. AK Summit is another one. I don’t think you need to spend thousands of dollars to buy special hardware services from telecommunication companies that provide high-end telemedicine solutions given these free security and privacy solutions.
So if I download a solution like Jitsi or Doxy.me, would my patient have to download it as well, or is it secure if I have it just on my end?
Dr. Elhai: Ideally you’d want both the sender and the receiver to use it to ensure that extra layer of protection. The Electronic Frontier Foundation (www.eff.org), which is a nonprofit organization that advocates for digital Internet rights, has evaluated a lot of the videoconferencing services out there. With Skype, you can do video as well as audio calls and instant messaging. Google Hangouts is basically an alternative to Skype. One advantage of Google Hangouts is that it lets you communicate with multiple people at the same time for free. With Skype, you pay an added fee for a multiple-video connection. And then there’s also the platform. Apple tends to be one of the companies that focuses on privacy and security a little bit more than some of the other ones, so FaceTime has that to offer. You cannot currently use FaceTime across different phone or computer platforms. Unlike FaceTime, however, you can use Skype and Google Hangouts on either an Apple or an Android device. You probably want to use a platform that is universal enough so that you can communicate with your patients no matter what type of device they are using.
Finally, what about text messaging? Is that a secure way to communicate electronically?
Dr. Elhai: It depends on the type of messaging. Many people use iMessaging on iPhones, and as long as both the sender and receiver have an Apple device, these messages are extremely secure. Not only are they encrypted, but they are encrypted in such a way that even Apple can’t read the message. However, I would not use standard SMS text messaging with patients, which is not encrypted.
What’s the difference between an iMessage and an SMS message?
Dr. Elhai: Say you are using an iPhone to send a text message. The message will look blue if you are sending it to someone who has an Apple device because it’s being transmitted through iMessage, which is Apple’s own closed system. But if you’re sending a message to someone who doesn’t have an Apple device, the messages appear green, which means it is being transmitted as a standard SMS message. SMS messages are not encrypted.
What options are there for sending encrypted text messages using non-Apple platforms?
Dr. Elhai: There are other closed platforms for messaging. You could send a message through Facebook—that would be closed, but it’s not necessarily private. The most popular messaging platform is currently WhatsApp, which is very secure, but it requires both the sender and the receiver to have a WhatsApp account. Whereas with standard messaging, as long as you have someone’s number, you can text message them without using a specific platform. That’s a convenience vs. security issue. There’s also a newer wave of messaging apps that provide both encryption and self-destructing messaging. Some of these are called Wickr, Wiper, and Telegram.
What would be the easiest way for us to discuss with patients how to message each other?
Dr. Elhai: Your best bet with patients is to establish under what circumstances you want to be text messaging with one another. Usually it’s for something brief like confirming or canceling an appointment. If you both have iPhones, that makes it easy. Otherwise, choose a secure platform such as WhatsApp, or one of the other popular services like Wickr, rather than standard messaging. You also want to confirm that your patients have passcodes on their phones and discuss any privacy risks if their phones were stolen and/or someone read their messages. By the way, I’m talking about fairly strong passwords, not just like 1111 or 1234. Using a digital fingerprint is also a good way to ensure security if your phone is lost or stolen.
On a final note, what are the legal ramifications to our technology use? I haven’t heard of a lot of doctors getting sued for trying to communicate with their patients and taking reasonable precautions, but is this something we need to be wary of down the road?
Dr. Elhai: I haven’t seen any examples of legal action at the individual doctor level, but certainly there have been recent class-action lawsuits filed against companies who have been hacked, and several hospital systems have also been hacked as well. So I suspect lawsuits would probably target the organization first, but doctors are part of organizations, and if there is a particular doctor who is being especially negligent with patient communication in a non-secure way, that could be a problem. So, yes, I think electronic security should be a concern for clinicians, especially more so in the future as hacking gets more widespread and sophisticated.
Thank you for your time, Dr. Elhai.