If you use telehealth in your psychology practice, how confident are you in its security? A video call service can work one of two ways: by installing an application or through a web browser such as Chrome, Safari or Firefox. This article will take you through some of the features of each and give you information to keep in mind when you’re choosing and using telehealth software.
Installing applications can be a risk
When you install an application onto your computer, it can do things that you may not be aware of. The act of entering your password when you download an application gives that application access to install anything. This is a vulnerable moment for your computer.
This access has been exploited in the past to create a smoother user experience, but it also allowed malware the chance to gain access to the user’s camera and microphone without their knowledge or consent. Unfortunately, there isn’t a good way to detect this, so you really need to trust the company behind the application.
Your web browser protects your camera and microphone
Your web browser has rigid access controls for your camera and microphone. Each website must request consent to use the camera and microphone, and you can revoke that access from the browser settings at any time. Websites cannot subvert these security controls (unless there’s already a malicious application installed on your computer).
The browser also disconnects the camera and microphone when you leave the video call page, ensuring that the video call service doesn’t have continued access in the background.
Is the connection encrypted and secure?
Data encryption is essential when it comes to health data and interactions with patients. Using encryption ensures that if anyone gains access to the information as it passes between you and your patient, they’ll be unable to decipher it.
Without technical knowledge and tools, it’s nearly impossible to know if an application installed on your computer is using an encrypted connection, and yet this is one of the most important things
you can do to ensure your patients’ privacy during an appointment.
In contrast, most modern web browsers provide a clear indicator that you’re on an encrypted connection – just look to see whether there’s a lock icon in the URL bar. If that icon is visible, it means that all the files required to load that webpage (images, code etc) are using an encrypted connection. If not, your browser will block them.
Not all encryption schemes are equal
Even if a service is using an encrypted connection, it’s possible that they’re not using a secure one. Encryption is a complex mathematical problem that’s only fully understood by experts in the cryptography field. As a best practice, software developers should use the most secure standard available, but that’s not always the case. If a software company has decided to implement their own encryption scheme, you should be reluctant to trust their security.
Who can decrypt the call?
Even if a service is using an encrypted connection, it’s important to know who can decrypt the data. Peer-to-peer encryption is the most secure option, which means that only the devices in that call can access the video and audio. For example, only your laptop and the patient’s phone can decrypt the call. Peer-to-peer encryption isn’t used by every service, though, which could mean it’s possible for a third party to decrypt the call and access the content.
How is call access controlled?
For most telehealth service providers, the patient isn’t required to create an account and password to log in. Instead, they’re provided with a web address link to join the call. Some services provide one unchanging link per practitioner (which is then shared with their patients), other services use one unchanging link per patient. But, while these options are fast and convenient, the security trade-off is that anyone who has the link can access the call.
Alternatively, other telehealth services use a new, randomised invite link for both the practitioner and the patient for each call. Randomised links offer more security but need to be implemented well or they can still be susceptible to security breaches.
Is there tracking during the call?
Some telehealth services will track you and your patients with tools like Google Analytics or a Facebook pixel. These tracking tools send information about your telehealth session, e.g. identifying the participants, the duration of the call or even the nature of your profession, to advertising networks. Once this is a part of your ‘advertising profile’, it’s accessible to any company willing to pay for it.
What we do at Cliniko
We hope you found these tips about telehealth security useful. At Cliniko, security shapes every decision we make. Our telehealth calls are browser-based and use industry-standard peer-to-peer encryption. Access to each call is carefully controlled through randomised invite links. And we don’t use tracking on the pages that run our telehealth service or ever sell your data. If you’re keen to check it out for yourself, APS members get a special 90-day free trial!
Visit www.cliniko.com/aps-member