VoIP in health care, HIPAA issues

Posts: 13 · Posted: Sat Sep 03, 2005 9:38 pm Post subject: VoIP in health care, HIPAA issues

Many health care organizations in recent years, particularly private non-profits have been ravaged by cuts in state Medicaid programs which provide the lions share of funding as general fund dollars have evaporated.

Not surpisingly, Voip and sevices like Vonage have been looked at hard as alternative to the costly traditional phone services. But a serious obstical has shown itself in the lack of clear information of what happens to transmissions (data packs) from Voip phone systems. Or if there are ways that voice data can be assured to meet HIPAA standards.

Traditional phone lines are generally felt to be "safe" in terms of maintaining confidentiality of protected health information, but as I have discussed the issue with IT professionals it is clear there are still serious questions about the security of PHI at this time with Voip.

I'm interested in who else out there has been looking at the use of Voip in health care settings, either actually using it, considering it or has made the decision that it can not meet HIPAA standards.

I certainly hope that Vonage is working on this type of issue as health care is a significant industry challenged by ever more costly phone systems.

Posts: 1424 · Posted: Sat Sep 03, 2005 9:55 pm Post subject:

If the PSTN is considered "safe" enough for HIPAA then Voip services such as Vonage can reasonably be considered safe as well.

I happen to speak from personal experience as I did some telephone installation to get money for college. One of the jobs was in a hospital and the phone lines were run above patient rooms above a drop ceiling and were thus significantly more accessible than tapping into the network should be.

Upstream from the hospital is no different. People can capture the calls but those people have to have access to the carriers infrastructure. It is almost the same exact situation for for POTS.

Finally we can take the special case of a Voip phone connected via WiFi (either a WiFi phone or using a WiFi bridge). The same rules should apply as using a cordless phone. I don't know what they are, but it should be permissable as long as sufficient encryption is in use.

Voip has the potential to be significantly more secure by using end to end encryption, however since a significant percentage of all Voip calls terminate on the PSTN end to end encryption can't be used. The benefit of encryption for only encrypting the digital part of the call does not yet outweigh the cost.

Until recently Voip had a major advantage in that it was not subject to government wire taps. That is no longer the case.

If you want a fair comparison ask your IT guys for the steps to capture a Voip call and then ask your telecom guys the same thing for your POTS calls. The POTS solution is a whole lot simpler.

Posts: 52 · Full Forum Member Joined: Jun 21, 2004 Posts: 52

HIPAA is a subject I delve deep into. I understand its purpose perfectly well, but the purpose and its actual implementation/policing and associated policies are a joke.

As Lewis Black suez " there is nothing worse than Democrats and Republicans working together; the republican says 'I have a crappy idea , and the DDemocratsays " I can make it crappier'

A client visited by a HIPAA inspection team during the initial roll-over as a guinea-pig. (phase 2) last year:
Made them do the most rridiculousthings, from changing the sign in clipboards - theirs left indentations if a person wrote too hard.

Durning the wrap up I confronted the team about telephony. They never really questioned it.

I pulled out my test set and said follow me: I took them the phone box outside clipped two clips and viola! you could hear the PA talking to a patient on the phone. I pointed to the box and said "see it suez property of Verizon" now how can the HCP protect something that does not belong tot them- HIPAA is concerned over clipboards, but not this? get real. They told me they would look into this and a brief discussion happened - what about dictation systems (dictaphone lanier, dvi, etc) that are telephony based?

Then I saw a doc on his phone - and noticed it was an older analog motorola - went and grabbed my modified scanner and showed them that it is possible to intercept a call there too.

So I suggested that they stipulate that all phones should be removed from hospitals especially those that carry dictation since I have just shown them how insecure they were. Twisted Evil

Especially if they were worried about impressions of a name on a clipboard. A sign in clipboard does not usually carry PHI, but a phone does.

I also showed them that a CGA/EGA monitor (yes they still exist) can be shown on the UFO band of any TV in the immediate area (fuzzy jumpy but readable)

They were dumfounded. Speechless. And on behalf of my client I stated that unless HIPAA wants a really bad name they need to look where the leaks really are! Insurance companies, billing agencies, untrained staff...

Their final analysis was that this facility had excellent HIPPA compliance at this phase.....

HIPAA is to reduce release of PHI in a REASONABLE method, to bypassers and other passive releases.
It is not intended as a totally exhaustive policy to eliminate all illegal thievery. That would be impossible. The SPECTRE program of the past 20+ years has proven that an IBM Selectric can be deciphered 50 feet away.

So the argument is - is Voip a reasonably safe method of communication? The simple answer is yes. In fact the signal is digitized usually BEFORE it leaves the building (unlike POTS) making the reasonable passive release much lower.

Ok. I babbled to much, and before I tell you that my wife has a medical condition that I am not authorized to talk about I will shut up.

Posts: 1715 · Posted: Sat Sep 03, 2005 11:20 pm Post subject:

MANY healthcare facilities are moving to Voip, not only for internal phone systems, but also regular phone service. As I see it, there's no real difference in security between the two, but Voip has the potential to be far more secure. I saw tons of knee-jerk reactions to HIPAA, with the clipboards, pagers instead of calling out patient names, etc. I'm seeing healthcare admins starting to see that HIPAA really was meant to address the leaks mentioned by sdstuckey. A couple of the facilities that I work in have gone to Voip on a trial basis and so far, so good. I do find it curious that they're not willing to rip out the old Northern Telecom PBX from the critical care areas, but I don't blame them either. Firmware updates, viruses, DoS attacks, etc, don't traditionally happen with the old-school PBXs, compared to the IP phones.

Posts: 13 · Posted: Sun Sep 04, 2005 8:05 am Post subject:

sdstuckey wrote:

I pulled out my test set and said follow me: I took them the phone box outside clipped two clips and viola! you could hear the PA talking to a patient on the phone.

Obviously you understand the real life issues and gaps in logic with HIPAA, I appreciated some of your insight as well as the others who've posted since a couple of the others were also points I'd like my organization to think about.

For the moment though, we're not looking at scenarios where someone purposfully taps a phone line, neither we or HIPAA are responsible for that, the sticking point is how easy/difficult might it be with Voip to accidently release PHI to others, actually I've been looking for health care administrators who've either had positive or negative experiences with moving to Voip.

The comment by scerruti about WiFi potentially being more "secure" (provided end to end encryption is possible) is something myself and folks in my organization are quite aware of and with Vonage nearing release of it's WiFi phone are certainly highly interested in.

I am curious about scerruti's comment that "
Upstream from the hospital is no different. People can capture the calls but those people have to have access to the carriers infrastructure. It is almost the same exact situation for for POTS." while this makes perfect sense, I'm wondering though about whether it was meant capturing a call in the moment or potentially packets of saved calls on a server somewhere potentially being found like a pile of virtual sticky notes. For the moment we follow the policy of not sending PHI via e-mail unless it's encrypted for that reason, our IT folk feel once data is sent via the net it's potentially available on a server somewhere for long time.

Thank you all for some of the most common sense and thoughtful ideas about Voip and HIPAA.

I personally like Vonage at home and appreciate the service, I hope it can become more of an option to help reduce some of the cost of our nations expensive health care system.

Again, thank you all for some insightful common sense discussion.

Posts: 1424 · Posted: Sun Sep 04, 2005 8:56 am Post subject:

painterjl wrote:

I am curious about scerruti's comment that "
Upstream from the hospital is no different. People can capture the calls but those people have to have access to the carriers infrastructure. It is almost the same exact situation for for POTS." while this makes perfect sense, I'm wondering though about whether it was meant capturing a call in the moment or potentially packets of saved calls on a server somewhere potentially being found like a pile of virtual sticky notes. For the moment we follow the policy of not sending PHI via e-mail unless it's encrypted for that reason, our IT folk feel once data is sent via the net it's potentially available on a server somewhere for long time.

Email is a store and forward protocol. When your email is sent it is sent to a server which makes a copy and sends it to another server. It may go through multiple servers before being stored on the server from which the end client downloads it.

Voip on the other hand is a real-time protocol. Individual packets may be held in memory on a network device for a fraction of a second, but they are either passed on or dropped.

It is technically possible that your carrier could surreptitiously make a copy of your call. However that gets back to the tapping issue. So, under normal operation no copies of PHI are created that would be left hanging around.

If that is your policy, do you also have a policy of not leaving voicemail? In the case of a Vonage customer they can have their voicemail sent by email.

Posts: 233 · Posted: Sun Sep 04, 2005 9:13 am Post subject:

My sister is a physician in private practice. She currently does not have Voip. I have encouraged her to examine it to save money, but she hasn't yet.

One problem not discussed here with the traditional network is crosstalk. Now the days of rampant crosstalk is gone since we no longer have the open wire networks, shielding is better, etc. But, we still have crosstalk to this day. That too would be a problem that I don't know how to fully exterminate until the traditional phone companies rid themselves all analog lines.

Remember how everyone once thought the doctor was one of the higher paid individuals in town? Well, they can still make a living and keep the family fed, but the days of making a very high salary and being able to put some away are gone for a doctor. Between malpractice insurance, medical school loans, office overhead, and every insurance company having a different twist the doctors are on the wrong end. In my state doctors are leaving because they can no longer afford to be in private practice. As for insurance companies, they have to keep profits up for the investors and find new ways to push away the lawsuits. I know of at least one insurance company that pays the doctor half when billed and the rest at the end of the year if all goes well.

While the new privacy acts seem great to all of us, we won't need them if we don't have a doctor to treat us. May seem a little off subject, but I will bring it back home. Most of these small office doctors could benefit from Vonage. Getting a free fax line with their business account, basing it all on the cable modem they already need, and getting multi-city phone numbers at the Voip discount. Vonage may be one light that can help.

Posts: 52 · Full Forum Member Joined: Jun 21, 2004 Posts: 52

painterjl wrote:

For the moment though, we're not looking at scenarios where someone purposfully taps a phone line, neither we or HIPAA are responsible for that, the sticking point is how easy/difficult might it be with Voip to accidently release PHI to others, actually I've been looking for health care administrators who've either had positive or negative experiences with moving to Voip.

I am curious about scerruti's comment that "
Upstream from the hospital is no different. People can capture the calls but those people have to have access to the carriers infrastructure. It is almost the same exact situation for for POTS."

To even further clarify that Voip is 'as safe as POTS' I offer the following:
Most (POTS) analog phone lines are as easily intercepted as I described, and have an analog signal. They travel along a public switched telephone network. At the CO they are usually converted to data (VoIP) and transmitted via routing protocols - through appliances, gateways and firewalls (which can be glorified pc's) usualy along the same 'backbones" as normal data networks until they reach a destination and are sent to a destination CO and reconverted to analog after the CO signals the recievers phone. Therefore almost every phone call is Voip at one point or another - those that have T-1 voice lines are exactly Voip.

With Vonage (or any other Voip) the signal is data at the point it hits your router/modem. Just like a T-1 voice connection.

Just because Vonage (or anyother Voip provider) is cheaper than a phone line, does not mean they use less secure equipment (less redundant maybe...) They are just using a technology that the Bells have been doing for years between long distances, and brought that technology to the home/business directly.

How many times have you dialed a number (which you know was right) but got another party... "I'm sorry I must have the wrong number" only to find that you had the right number - it just didnt go through to the right destination? My bet is quite a few....

Which brings me to the final point: If POTS is "safe" for HIPAA, then Voip is really safer - same technology except instead of being

analog (switchingpoint->) Voip (switching point->) analog --> receiver
it is
Voip --> analog (switching point ->) receiver or VoIP->VoIP(receiver)

Now for my involvement in HIPAA -
I work/design/install/upgrade/maintain and consult about digital and analog dictation systems (including Lanier, Dictaphone, DVI, Fusion, Olympus and WinScribe) for hospitals, medical centers and clinics and are usually responsible as a 'HIPAA partner' for the security of the PHI involved that these systems contain and transmit.