Skype Is Still Scary

September 1, 2015 by InTouch Health

It’s hard to believe that some health systems are still relying on Skype for remote consultations. This Microsoft-owned technology is great for chatting for free with a friend in Sweden, but it’s not even close to being HIPAA compliant.

Hoala Greevy, CEO of an encryption company called Paubox, recently concluded that “Skype is not HIPAA compliant, and if you’re a covered entity (hospital system or payer), stay away from it.”

The HIPAA Omnibus Rule requires all healthcare providers and their associates that transmit Protected Health Information to have Business Associate Agreements (BAAs) in place. But Microsoft doesn’t have any BAAs for Skype. In fact, one Oklahoma doctor was recently sanctioned for using Skype, mainly because there wasn’t a BAA covering its usage.

Then there’s the issue of data security. Skype was hacked last year by a group calling itself the Syrian Electronic Army. Despite that ominous name, the hack wasn’t exactly sophisticated. CNN reported that it was a simple “phishing” scam, where Skype users clicked on an email link and revealed their names and passwords.

Bear in mind that the average cost of a data breach is now roughly $3.8 million. The cost per compromised record is highest in healthcare: about $363 per record. So even a relatively small breach of 500 patient records would cost over $180,000 (not counting possible lawsuits), and the hospital’s name would be listed on the Department of Health and Human Services’ infamous “Wall of Shame.”

In an era when there are superb, HIPAA-compliant telehealth networks, it’s hard to fathom why any health system would take the huge financial risk of using Skype.

Communication software isn’t “free” if it leaves an organization vulnerable to multi-million-dollar data breaches and regulatory penalties. Don’t give your CFO and legal staff an unnecessary headache. Steer clear of Skype.