How to evaluate the security of your telehealth software

We’ve spent the last few weeks heavily focused on building telehealth into Cliniko. Initially, we looked at integrating with an existing video call service, but we were unable to find a suitable one. So instead, we decided to build our own directly into Cliniko.

In doing so, we spent a lot of time considering and researching video chat security. Whether you choose to use Cliniko or another video call service, we want to help you make an informed decision by sharing what we’ve learned and how we have chosen to implement telehealth.

We’ll cover these questions:

• How does a video call service get access to your camera and microphone?
• Is the connection encrypted and secure?
• Who can decrypt the call?
• Are calls recorded? If so, where and how are they stored?
• How is call access controlled?
• Are third-party services being used?
• Is there tracking during the call?
• Is personal data stored or sold?

How does a video call service get access to your camera and microphone?

A video call service can work one of two ways: by installing an application or through a web browser (e.g. Chrome, Safari, Firefox, Edge). For telehealth, your decision impacts not only your own use, but also your patients'.

Installing applications can be a risk.

When you install an application onto your computer, it can do things that you may not be aware of. The act of putting in your password when you download an application gives that application access to install anything. This is a vulnerable moment for your computer.

This access has been exploited in the past to make things more convenient for the video call service and create a smoother user experience. But doing so opened a backdoor, allowing malware the chance to gain access to the user’s camera and microphone without their knowledge or consent. Unfortunately, there isn’t a good way to detect that this is happening, so you really need to trust the company behind the application.

Your web browser protects your camera and microphone.

Your web browser has rigid access controls for your camera and microphone. Each website must request consent to use the camera and microphone, and you can revoke that access from the browser settings at any time. Websites can not subvert these security controls (unless there’s already a malicious application installed on your computer).

The browser also disconnects the camera and microphone when you leave the video call page ensuring that the video call service does not have continued access in the background.

How does Cliniko access the microphone and camera?

Cliniko telehealth calls are browser-based and utilise all the security controls built into your browser.  We only access your microphone and camera during video calls, and that access stops at the end of each appointment.

Is the connection encrypted and secure?

Data encryption is important for just about everything you do on the internet, particularly for health data and interactions with patients. Using encryption ensures that if anyone gains access to the information as it passes between you and your patient, they will be unable to decipher it.

it’s nearly impossible to know if an application installed on your computer is using an encrypted connection

Without technical knowledge and tools, it’s nearly impossible to know if an application installed on your computer is using an encrypted connection, and yet this is one of the most important things you can do to ensure your patients’ privacy during an appointment.

In contrast, most modern web browsers provide a clear indicator that you’re on an encrypted connection. Look to the left of the URL bar at the top of this page right now. See that little lock icon next to cliniko.com? That’s because, even on our blog, we are using an encrypted connection.

If the lock is in the URL bar, that means that all of the files required to load that web page (images, code, and instructions on how the page is styled) are also using an encrypted connection. If not, your browser will block them. At the time of writing, this is true for Safari and Firefox. Chrome and Edge are partially there, with more updates coming soon.

Not all encryption schemes are equal.

Even if a service is using an encrypted connection, it is possible they are not using a secure one. Encryption is a complex mathematical problem that’s only fully understood by experts in the cryptography field. As a best practice, software developers should make use of the most secure standard available, but that’s not always the way it goes. If a software company has decided to implement their own encryption scheme, you should be reluctant to trust their security.

What type of encryption is used for Cliniko telehealth calls?

Cliniko’s telehealth calls use the industry-standard encryption that’s built into your browser for securing real-time data. This type of encryption is called DTLS/SRTP (Datagram Transport Layer Security Extension to Establish Keys for the Secure Real-time Transport Protocol). This allows the devices in a call to use the most secure level of encryption available to them. For most devices, this will be 256-bit encryption.

Who can decrypt the call?

Even if a service is using an encrypted connection, it’s important to know who can decrypt the data.

Peer-to-peer encryption is the most secure option.

Peer-to-peer encryption means that only the devices in that call can access the video and audio. For example, only your laptop and the patient’s phone can decrypt the call.

To understand the importance of peer-to-peer encryption, imagine that you have a confidential document that you need to mail to someone. Peer-to-peer encryption is like putting that document into a lockbox, and the recipient is the only one with the key. You don’t have to worry about the security of that document because none of the couriers can open the box.

Server hosted calls have security trade-offs.

Some video call services might only use transport encryption, which allows their servers to decrypt the call. In the mailing example, this would be like putting the document in a lockbox that the postal service can unlock. When they receive the lockbox, they take the document out and move it to a new lockbox, for the recipient to unlock. This is worrying because now you have to trust that the couriers will not read or copy your confidential document.

There are some advantages to server-hosted calls. They can handle a larger number of people per call, they may use less bandwidth, and they are more resilient to bad connections. They also give you the ability to record and store your call in the cloud.

If any of those reasons to use server hosted calls are relevant to you, you need to be sure that you can trust the service you use as they have access to the content of the call.

Who can decrypt a Cliniko telehealth call?

Cliniko telehealth appointments are peer-to-peer, which means only you and your patient can decrypt the content of the call. In the coming weeks, we will be increasing the number of possible call participants to four while maintaining peer-to-peer encryption.

In the future, we may offer server-hosted calls to support a larger group. If we do this, it will be clearly stated that the feature requires the use of server-based calls.

Are calls recorded? If so, where and how are they stored?

There are two different types of recording, and both have privacy implications. You can either trust the recording to your call service provider, or you can record your video calls locally on your own computer.

Recording to the cloud means you have to trust your call service provider.

Some services offer the ability to record and store your call, but the only way to do this is if they decrypt it first. Once they’ve done that, you also need to know how they’re storing it. Some services might store the recordings for you, while some might require you to choose your own cloud storage platform. In either case, you want to be sure that the storage is configured with proper access controls and not publicly accessible to the internet.

You also want the recordings to be “encrypted at rest”. That means that if the hard drive storing your calls is stolen, the data can not be accessed without the encryption key. Depending on your country’s regulations, the location of the data centre where your recordings are stored may also be relevant.

Recording to your own computer means security is your responsibility.

There are plenty of applications that will record your computer’s screen and audio, which allows you to record peer-to-peer calls. But if you do this, you now have a hard drive full of confidential interactions that you are responsible for keeping secure.

There is an ethical—and likely legal—requirement to inform your patients if they are being recorded.

Are Cliniko calls recorded?

No, as Cliniko uses peer-to-peer encryption, we are unable to record your calls for you.

How is call access controlled?

For most telehealth service providers, the patient is not required to create an account and password to log in. Instead, they are provided with a web address link which they use to join the call. This is fast and convenient; however, the security trade-off is that anyone who has the link can access the call.

Permanent links

Some services have just one unchanging link per practitioner. Often, the practitioner chooses their own link and then shares it with all their patients. Typically, patients identify themselves by entering their name into a practitioner’s virtual waiting room. Anyone who has your practitioner link can be in your waiting room at any time.

Other services use an unchanging link per patient, which means if a link is compromised, someone could impersonate that patient. If you’re looking at a service that uses a permanent patient link, it is worth finding out what they do to make their links hard to guess and how they would handle it if one were compromised. You may also want to know if a link can be used to join a call at any time or only around the time an appointment is scheduled.

Randomized links

There are services that use a new, randomized invite link for both the practitioner and the patient for each call. Randomized links offer more security, but need to be implemented well. If a link is too short or doesn't use a mixture of letters and numbers, it can be susceptible to a “brute force” attack. This is a method of generating thousands of links and trying them all to see if any of them are successful.

Ideally, invite links should only work for a short period of time (approximate to a scheduled appointment). This reduces the chance that an active link could be guessed by someone who shouldn’t be in your call.

How do people join Cliniko telehealth calls?

Practitioners need to be signed into Cliniko using their password. This secures their access to their Cliniko account, including video calls.

Patients receive a unique link for each appointment in their confirmation email or appointment reminder. Each link includes a long, randomly generated series of letters and numbers. The possibility of someone guessing that specific sequence is so mathematically improbable that it’s essentially impossible. This is why Cliniko invite links are so long—we chose to prioritise security.

Even if someone miraculously managed to generate one of our links, it would only be valid within the time of the appointment and only in combination with one Cliniko account. Our invite links are essentially a moving target and practically impossible to guess.

Are there third-party services being used to facilitate the call?

Even if you are using a branded service from a company that you know, they might be using a third-party to handle their telehealth services. You should know who that third-party is, what data they receive, and whether they retain any data.

Does Cliniko use a third-party service for calls?

Even though we have built our own video call technology into Cliniko (using webRTC), we do use a third-party service in the process of connecting the call. Twilio is a communication provider we use to let us know when someone joins or leaves a call. The only information provided to Twilio are anonymous numeric IDs. Twilio does not receive any of the video, audio, or chat data of peer-to-peer calls. We use Twilio because they are very good at handling telecommunication. That’s a very specific type of service, and it isn’t our speciality.

Twilio does not track you and does not sell data—nor could they—as we do not provide them with any of your information.

Is there tracking during the call?

Some video call services might be tracking you and your patients with tools like Google Analytics, or a Facebook pixel. These tracking tools will send information about your telehealth session to advertising networks. This information can include the identification of the participants, duration of the call, and even the nature of your business (ie. psychology, mental health, manual therapy). Once this is a part of the individuals "advertising profile", it's accessible to any company willing to pay for it.

You need to know if your telehealth call service is tracking you or your patients. If so, what data are they collecting, what are they doing with it, and who are they giving (selling) it to?

Does Cliniko use tracking tools for telehealth services?

No, we don’t have any sort of tracking on the pages that run our telehealth services.

Is any personal data stored or sold?

Some video call services may share personal information about you and your patients with third parties. It can be difficult to know if this is happening. You should review the privacy policies of the service before using it. You may even want to ask them directly what type of data they collect and if they share, or sell that data.

If you are not the customer, you are the product.

If the service you're using is free, that's a red flag. It's worth finding out how they make their money. If you are not the customer, you are the product.

Does Cliniko store or sell personal data?

We do not sell data to anyone. Ever.

Of course, we do store the data that you enter into Cliniko, like patient information and treatment notes. However, we do not share any of this data with third parties. You can review our policies here: https://www.cliniko.com/policies/

We also follow the industry-standard practice of recording server access logs. When a patient loads the page for a telehealth call, we make a log of the time, URL accessed, IP address, and type of browser and operating system used. This information is required for us to troubleshoot problems and maintain the service we provide you.

Phew! That was a lot of information.

We know it’s a challenge to determine whether a telehealth service is private and secure. If you’re looking at other providers, hopefully this post will provide useful tips for assessing the security and privacy of their services.

If you use Cliniko for telehealth, we hope this information helps you rest easy knowing that—for us—security comes first.