In our recent post about the iCouch therapist calendar, we discussed some of the great new features coming to the new iCouch therapy practice management system. A commenter, Mr. Daniel Jackson, had several concerns about our product. First, I want to thank Mr. Jackson for his thoughtful comment. It’s clear that he cares deeply about taking care of patients and protecting their privacy. We certainly share his passion. I would like to respond to each of Mr. Jackson’s concerns here.

Please read the original comment to get the full context; I will quote him selectively throughout this post.

Mr. Jackson said:

“In all honesty, I am concerned with any vendor software which doesn’t list compliance as a CRITICAL requirement. I am, and will always be, more concerned that the software I am using protects my patient’s right to privacy, PHI, and enables me to be compliant, than it being “simple and beautiful.”

iCouch takes security and HIPAA compliance seriously

iCouch takes security and compliance extremely seriously. In fact, we write frequently on the subject. However, when we’re showcasing the functionality of a new feature, we assumed, perhaps incorrectly, that compliance is a given.

There is not a single car being sold today that mentions the quality of their seat belts. Not one. Seat belts are among the most important features of any car, but car manufacturers rarely discuss them. Why? Any car sold today is required by federal law to meet specific safety requirements, including seat belts.

HIPAA is not dissimilar to the laws regulating auto safety features. To build a therapy practice management system that isn’t compliant would be like building a car without seat belts.

Two factor authentication and behavioral health software vendors

However, the fact that compliance is even worth mentioning is really the deeper issue with behavioral health software products. In a previous post we talked about how every behavioral health practice management solution except iCouch fails on requiring two factor authentication. In “Therapist website security and why it should scare you,” we discuss in detail the irresponsibility of behavioral health software vendors who do not require two factor authentication.

Two factor authentication, for those who might not be familiar with the term, is a requirement to use both a password and a secondary authentication method (such as a code sent by text message to the account owner’s phone). WeCounsel, TherapyNotes, TherapyAppointment, TherapySites, eTherapi, Breakthrough — not a single one has mandatory two factor authentication as a requirement.

iCouch does.

What that means is that they can have the very best, most Ft. Knox-secure infrastructure in the world, but if the therapist’s login isn’t protected, then it’s like an open bank vault. If a therapist loses their computer and someone gets access to their email account, suddenly every piece of PHI stored on any service they use is compromised. A malicious person need only send password reset requests to the service and, voilà, that person can now access everything. With two factor authentication, that becomes nearly impossible.

I get the point about the concern over compliance. We obviously assumed that absolute security and compliance was par for the course when it comes to mental health software. However, given your concern, it’s clear that the standards followed by our competition are so low that we ought to have mentioned our incredible “seat belts.”

SSL and the irresponsibility of TherapySites

However, two-factor authentication isn’t enough. In another post, “SSL for therapists, what it is and why it matters,” we discuss the importance of having SSL (https) protection on therapist websites. Not just practice management systems, but even marketing websites for therapists.

One of the biggest offenders in failing therapists in this regard is the vendor TherapySites. They have an SSL secured admin section, but the actual therapist websites hosted on the system aren’t secure at all.

It’s unbelievable!

What’s even worse is that therapists aren’t generally expected to be technology experts. That’s why they pay a vendor who is. So there are therapists using TherapySites thinking that they are actually reputable when it comes to security. The American Psychological Association and other highly respected professional organizations have partnerships with TherapySites. Surely if the APA supports the company it must be “secure” right?

Not at all.

The APA and the American Counseling Association (among others) ought to immediately suspend their partnerships with TherapySites.

Why? Let me show you.

Here’s the definition of individually identifiable health information (full text available from our friends at HIPAA.com):

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i)   That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Now let’s consider the following screen shot from a TherapySites-hosted therapy practice website:

 

First, let’s take a look at the footer of the page:

©2016 TherapySites.com. All rights reserved.

So TherapySites is asserting ownership of this content, which means they are responsible for what’s on this page. I’m not going to place much blame on the practitioner in this case because, as a customer of TherapySites, they have an expectation that the product being offered is appropriate for the use case for which they purchased it.

Next, let’s look at the URL bar. Here’s a detailed view:

Notice that there is no https. The connection isn’t secure.

Now, let’s look at the form itself.

 

Let’s review the relevant parts of the definition of individually identifiable health information:

(2) …the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i)   That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

TherapySites forms are a HIPAA nightmare.

There’s the disclaimer that says the following:

We are committed to your privacy. Do not include confidential or private information regarding your health condition in this form or any other form found on this website. This form is for general questions or messages to the practitioner.

However, if this form is for “general information,” why does it ask for a “Preferred Date and Time?” Any reasonable person could conclude that the form is actually an “Appointment Request” form and not a “Request for General Information” form.

The title of the form and the fields contained within it make it very clear that the purpose of the form is to attempt the provisioning of health care services. Even the URL is “/AppointmentRequest.en.html” — it isn’t “/GeneralInformationRequest.en.html.”

On top of all that, there’s another disclaimer:

By clicking send you agree that the phone number you provided may be used to contact you (including autodialed or pre-recorded calls). Consent is not a condition of purchase.

Not only is the form not secure, it’s also serving as a consent form to receive pre-recorded calls. “Consent is not a condition of purchase,” it says, yet consent does seem to be a condition of submitting the form.

This isn’t a “general information” form. It’s without question an appointment request with a name, phone number, email and requested appointment time. All of those are personally identifiable parameters that clearly make this form a virtual cornucopia of HIPAA failure.

The reason I bring this example into the discussion is because TherapySites has partnerships with several respected professional organizations.

Some of the professional organizations with TherapySites partnerships:

  • The American Psychological Association
  • The American Counseling Association
  • The American Association of Marriage and Family Therapists
  • and many others…

They all promote TherapySites discounts as a member benefit. Yet TherapySites is enabling some of the most incredible patient privacy violations possible.

If someone were to submit this form while connected to public Wi-Fi at a coffee shop, a junior high school hacker could intercept this entire form. Easily. It’s sent in plain text without even a semblance of security.
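A site owner can check for this condition directly. The following is an added example, not code from the original post: it scans a page's HTML for forms that collect identifying fields and reports any that are served or submitted without TLS. The field-name heuristic, the host name and the sample HTML are constructed assumptions; only the `/AppointmentRequest.en.html` path comes from the post.

```javascript
// Added example (not from the original post): audit a page's forms for
// identifying fields that are served or submitted without TLS.
const IDENTIFYING = /name|phone|tel|e-?mail|date|time|dob|address/i;

// Read one attribute from a tag; handles double-, single- and unquoted values.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<form\b[^>]*>([\s\S]*?)<\/form>/gi)) {
    const openTag = m[0].slice(0, m[0].indexOf('>') + 1);
    // A missing or empty action submits to the page's own URL.
    const target = new URL(attr(openTag, 'action') || '', page);
    const fields = [...m[1].matchAll(/<(?:input|textarea|select)\b[^>]*>/gi)]
      .map((f) => attr(f[0], 'name'))
      .filter((n) => n && IDENTIFYING.test(n));
    if (fields.length === 0) continue; // nothing identifying is collected
    const problems = [];
    // A page fetched over http can be altered in transit, even if it posts to https.
    if (page.protocol !== 'https:') problems.push('page served without TLS');
    if (target.protocol !== 'https:') problems.push('form posts without TLS');
    if (problems.length > 0) findings.push({ action: target.href, fields, problems });
  }
  return findings;
}

// Constructed sample modelled on the form described above; the host is a placeholder.
const SAMPLE_URL = 'http://practice.example.test/AppointmentRequest.en.html';
const SAMPLE_HTML = `
<form method="post" action="">
  <input type="text" name="FullName">
  <input type="tel" name="Phone">
  <input type="email" name="Email">
  <input type="text" name="PreferredDateTime">
  <textarea name="Comments"></textarea>
</form>
<form action="https://practice.example.test/search"><input name="q"></form>`;

console.log(auditForms(SAMPLE_URL, SAMPLE_HTML));
```

The same function also catches the mixed case where the page itself is served over https but the form's `action` points at an http URL.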

Please read this frightening PC World article: “Here’s what an eavesdropper sees when you use an unsecured Wi-Fi hotspot.”

While I would suggest that the general public should become more educated in the realm of digital security, the fact is that a potential client, visiting a website of a mental health professional, does have some amount of trust that the actions they are taking on the website are “safe.”

They might read the disclaimer but they might not have any idea how their privacy is being dangerously compromised by this irresponsible TherapySites website.

They’re going to assume (rightly or wrongly) that a health professional would know what they’re doing. This isn’t just an issue with online therapy sites. This is an issue with any health site, an issue even more personal and dangerous for mental health practitioners.

It’s shameful because the practitioners aren’t expected to be digital experts; however, they expect that the vendors they hire absolutely are.

What’s even worse is the tacit endorsement of the TherapySites product by important professional organizations, thus lending the company an air of credibility.

Behavioral Health professional organizations should sever all ties with TherapySites until they’ve resolved their complete disregard for the security and privacy of clients, potential clients and practitioners.

I am right there with you Mr. Jackson. I feel that most technology targeting the behavioral health industry is not only ugly, but dangerous.

I absolutely understand your concerns about the blog post discussing new iCouch features and I regret we didn’t emphasize compliance as it’s clear that compliance isn’t the given that we should hope it to be.

The Security of the iCouch Platform

Now that I’ve spent some time pointing out flaws among other products, let me discuss some of the security aspects of the iCouch platform. There’ll be a few things I leave out for proprietary reasons, but I’m happy to share our general security approach.

Under HIPAA, iCouch is considered a business associate and as such, we provide our practitioners with a Business Associates Agreement. As many know, business associates and covered entities have some significant requirements in the protection of Protected Health Information.

The HIPAA Security Rule includes “addressable implementation specifications” and “required implementation specifications.” The addressable ones are considered recommended but optional. However, they aren’t optional with us — they’re requirements!

Network Traffic Encryption

One of those addressable specifications is that PHI is encrypted both in-transit and at-rest. We require that all systems that touch PHI encrypt both in transit and at-rest. All iCouch network traffic is encrypted using TLS (Transport Layer Security). This protocol is the successor to SSL.

iCouch uses only dedicated servers

All of our servers are dedicated. We don’t use any shared systems. We have a private cloud with dedicated hosts that are physically isolated at the hardware level from other servers. We have network security features such as stateless network access control lists and dynamic reassignment of instances into stateful security groups (essentially a whitelisting firewall), which make it easier to protect against unauthorized network access.

We have flow logs for our private cloud that provide an audit trail of every accepted or rejected connection within our system.

Database Encryption

Our database clusters are also encrypted to protect data at rest. All data, including backups, is encrypted using hardware-accelerated Advanced Encryption Standard (AES)-256 symmetric keys. We also have a four-tier key-based architecture for encryption.

These keys consist of:

  • data encryption keys
  • a database key
  • a cluster key
  • a master key

The cluster key encrypts the database key for our cluster. That cluster key is managed by a hardware security module.
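The layering described above is envelope encryption: each key is stored only in wrapped form under the key one tier up. The following is an added example, not iCouch's code. The post states only that the cluster key encrypts the database key and is HSM-managed; the rest of the wrapping order (master wraps cluster, database wraps per-record data keys) and the function names are assumptions, and every key is held in process memory here instead of an HSM.

```javascript
// Added example (not iCouch's code): envelope encryption over four key tiers.
const crypto = require('crypto');

// AES-256-GCM; sealed blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the blob was modified or the wrong key is supplied.
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Only wrapped copies of the cluster and database keys are stored. Assumption:
// the master key wraps the cluster key. In production the upper-tier keys stay
// inside an HSM; here they are plain Buffers in memory.
function buildHierarchy() {
  const master = crypto.randomBytes(32);
  const cluster = crypto.randomBytes(32);
  const database = crypto.randomBytes(32);
  return { master, wrappedCluster: seal(master, cluster), wrappedDatabase: seal(cluster, database) };
}

function databaseKey(h) {
  return unseal(unseal(h.master, h.wrappedCluster), h.wrappedDatabase);
}

// Each record gets its own data encryption key, stored wrapped next to the data.
function encryptRecord(h, text) {
  const dek = crypto.randomBytes(32);
  return { wrappedDek: seal(databaseKey(h), dek), data: seal(dek, Buffer.from(text, 'utf8')) };
}

function decryptRecord(h, record) {
  const dek = unseal(databaseKey(h), record.wrappedDek);
  return unseal(dek, record.data).toString('utf8');
}

// Rotating the cluster key re-wraps one 32-byte key; no record is re-encrypted.
function rotateClusterKey(h) {
  const cluster = crypto.randomBytes(32);
  return {
    master: h.master,
    wrappedCluster: seal(h.master, cluster),
    wrappedDatabase: seal(cluster, databaseKey(h)),
  };
}
```

The practical benefit of the tiers shows in `rotateClusterKey`: records encrypted before the rotation still decrypt afterwards, because only the wrapping of the database key changed.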

Load Balancing Architecture

Our load balancing architecture uses an encrypted protocol for connections. This enables traffic encryption between the web browser HTTPS/TLS sessions and the load balancer and servers. We require that all sessions containing PHI encrypt both front-end and back-end listeners for transport encryption.

Disaster Recovery and Audit Requirements

iCouch systems are designed to meet or exceed HIPAA related disaster recovery and audit requirements. We have detailed, permanently stored activity logs that record who accessed what, IP addresses, and what specific data was accessed. It’s all tracked, logged and stored for audit purposes. We have logging even down to the packet layer.

We also have contingency plans in case of a disaster, along with multiple redundancies of our systems spread over several geographically distinct data centers. All US-based data is stored in US-based data centers; data from outside the United States is stored in two European data centers.

We also have a 99.99% uptime standard. That means less than 9 seconds a day of downtime is all that is allowed.

We have geographically diverse, fault tolerant systems that are highly resilient in terms of natural disasters, network failures or pretty much any other potential risk. If a nuclear missile were to hit our Northern Virginia data center, we have Oregon, Chicago or Northern California ready to take over. In Europe, we have Dublin and Frankfurt. We haven’t yet set up any Asia-Pacific data centers; it’s not the cheapest thing in the world to do and our primary concerns are North America and Europe. Though, after the launch of the new iCouch, we’ll likely be bringing Sydney on board as a data center to support Australia-Oceania customers.

Caching and Content Delivery Network

We use Varnish for our caching and CDN (content delivery network). Caching and a CDN are what speed page loads and improve the user experience. Our vendor, Fastly, has a Business Associates Agreement with us. All of their systems that we use are PHI-compliant. While the focus of this post is security and compliance, it’s worth noting that our caching and CDN system results in lightning fast performance. It makes using the iCouch system like using a desktop application rather than a “website.”

The Security of Email and SMS notifications

Mr. Jackson’s points about email and text messages are good ones. The way iCouch handles email and text messages is designed specifically around security.

No PHI ever travels over email or SMS.

What happens instead is an email/SMS is sent to the user that prompts them to log into their account to read any messages. So PHI is never exposed over email or SMS. Additionally, email addresses are never exposed either. What this means is that if someone were to hijack a practitioner’s computer, there would be no client emails or other information within their email accounts.

Someone would have to actually log into the iCouch account to have access to any of this. So in a potential botnet situation, the only thing that would be spammed would be the iCouch generic notification address. We certainly can’t control what information practitioners choose to save outside of our system, but iCouch itself never exposes email or phone numbers outside of the iCouch system. If you were to hack a practitioner’s email, you’d see nothing but “You have a new message on iCouch.” No client information whatsoever would be exposed. If you were to send iCouch a reset password request from a hacked or stolen computer, our two-factor authentication system would prevent the malicious login.
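The password-reset scenario, raised earlier in the two-factor section and again here, comes down to one design decision: whether consuming an emailed reset token is enough to obtain a session. The following is an added example, not iCouch's code; the class, method names, expiry times and attempt limit are assumptions, and the two outbox arrays stand in for the user's mailbox and phone.

```javascript
// Added example (not iCouch's code): a reset link alone does not yield a session.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

class ResetService {
  constructor({ requireSecondFactor }) {
    this.requireSecondFactor = requireSecondFactor;
    this.resets = new Map();  // hex(sha256(token)) -> { user, expires }
    this.pending = new Map(); // user -> { codeHash, expires, attemptsLeft }
    this.emailOutbox = [];    // stands in for the user's mailbox
    this.smsOutbox = [];      // stands in for the user's phone
  }

  requestReset(user, now = Date.now()) {
    const token = crypto.randomBytes(32).toString('hex');
    this.resets.set(sha256(token).toString('hex'), { user, expires: now + 15 * 60000 });
    this.emailOutbox.push({ to: user, token });
  }

  // Consumes the emailed token. Storing the new password is omitted here.
  completeReset(token, now = Date.now()) {
    const key = sha256(String(token)).toString('hex');
    const entry = this.resets.get(key);
    this.resets.delete(key); // single use
    if (!entry || entry.expires < now) throw new Error('invalid or expired token');
    if (!this.requireSecondFactor) return { session: this.newSession(entry.user) };
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
    this.pending.set(entry.user, { codeHash: sha256(code), expires: now + 5 * 60000, attemptsLeft: 3 });
    this.smsOutbox.push({ to: entry.user, code });
    return { secondFactorRequired: true };
  }

  verifySecondFactor(user, code, now = Date.now()) {
    const p = this.pending.get(user);
    if (!p || p.expires < now || p.attemptsLeft <= 0) throw new Error('no active challenge');
    p.attemptsLeft -= 1; // bounded guesses against a 6-digit code
    if (!crypto.timingSafeEqual(sha256(String(code)), p.codeHash)) throw new Error('wrong code');
    this.pending.delete(user);
    return { session: this.newSession(user) };
  }

  newSession(user) {
    return { user, id: crypto.randomBytes(16).toString('hex') };
  }
}

// The scenario from the post: the mailbox is readable, the phone is not.
function mailboxAloneGetsSession(requireSecondFactor) {
  const svc = new ResetService({ requireSecondFactor });
  svc.requestReset('therapist@example.test'); // constructed account name
  const { token } = svc.emailOutbox[0];
  return Boolean(svc.completeReset(token).session);
}
```

With `requireSecondFactor` off, mailbox access alone ends in a session; with it on, the reset stalls at a challenge that only the phone holder can answer, and the code allows three guesses before the challenge is dead.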

The Security of the iCouch Calendar

To Mr. Jackson’s specific concerns about potential clients seeing a practitioner’s calendar:

  • The public calendar for a practitioner only shows available appointment slots.
  • A visitor never, ever has access to a practitioner’s actual calendar.
  • No one other than the practitioner, whether a visitor or a client, can see when a practitioner has been booked. They would only see available time slots.

The Security of Online Counseling

Regarding the non-compliance of Skype, on that Mr. Jackson and I agree completely! In fact, we wrote about that in a previous post about how Skype is not HIPAA compliant. Interestingly, the problem with Skype isn’t the video stream itself, it’s the metadata as well as any text chats that have occurred. The video stream itself is encrypted and generally works peer-to-peer, however the metadata (i.e. who you talked to and when) as well as text chats, are stored on Microsoft servers that are not covered by any Business Associates Agreements.

Security of the iCouch Online Therapy System

With the iCouch system, we use peer-to-peer encrypted streams and for larger numbers of participants, we have a compliant TURN server to relay audio and video streams. The text chat component is transmitted via a pub-sub system backed by a Redis key-value store which is, of course, within our HIPAA-compliant infrastructure.

Chat transcripts aren’t permanently preserved — they’re stored in Redis RAM until a session has completed. Once the session has ended, the text chat is purged. The only reason we even use a key-value store at all (rather than going purely peer-to-peer) is to handle an interrupted session or a premature disconnect: it ensures that the chat history within a session isn’t lost if one party is inadvertently disconnected. Essentially our Redis backend for the text chat feature is there in order to increase the stability of the online therapy experience.

You can have confidence in the security of iCouch

Assuming I haven’t put most of our readers to sleep, I hope that everyone finds this post helpful and that it increases your confidence that iCouch is highly conscious of our security obligations. After all, our entire reason for existence is to make therapy simple (and secure) for everyone.

I didn’t delve into exhaustive detail of all of our security features. There are several that we don’t publicly discuss, however if you were to do something like log into your account from your office in Chicago and ten minutes later you log in from Nebraska, our system can respond appropriately. We can detect unusual account activity and lock accounts automatically if there is a security concern.
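The Chicago-then-Nebraska pattern is commonly detected with an "impossible travel" check: geolocate each login and compare the implied speed between consecutive logins against what is physically plausible. The following is an added example, not iCouch's implementation, which the post does not describe; the thresholds, event format and login records are constructed assumptions.

```javascript
// Added example (not iCouch's code): flag logins whose implied travel speed is implausible.
const EARTH_RADIUS_KM = 6371;
const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle distance between two { lat, lon } points (haversine formula).
function haversineKm(a, b) {
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// maxKmh: roughly airliner speed. minKm: ignore hops smaller than typical geo-IP error.
function findImpossibleTravel(events, { maxKmh = 900, minKm = 100 } = {}) {
  const lastByUser = new Map();
  const alerts = [];
  // Log pipelines can deliver events out of order, so sort by time first.
  const ordered = [...events].sort((x, y) => Date.parse(x.ts) - Date.parse(y.ts));
  for (const ev of ordered) {
    const prev = lastByUser.get(ev.user);
    lastByUser.set(ev.user, ev);
    if (!prev) continue;
    const km = haversineKm(prev, ev);
    if (km < minKm) continue;
    const hours = (Date.parse(ev.ts) - Date.parse(prev.ts)) / 3600000;
    const kmh = hours > 0 ? km / hours : Infinity; // simultaneous logins far apart
    if (kmh > maxKmh) {
      alerts.push({ user: ev.user, from: prev.city, to: ev.city, km: Math.round(km), kmh: Math.round(kmh) });
    }
  }
  return alerts;
}

// Constructed login events; coordinates are approximate city centres.
const SAMPLE_LOGINS = [
  { user: 'dr_a', ts: '2016-05-02T14:10:00Z', city: 'Omaha, NE', lat: 41.2565, lon: -95.9345 },
  { user: 'dr_a', ts: '2016-05-02T14:00:00Z', city: 'Chicago, IL', lat: 41.8781, lon: -87.6298 },
  { user: 'dr_b', ts: '2016-05-02T09:00:00Z', city: 'Chicago, IL', lat: 41.8781, lon: -87.6298 },
  { user: 'dr_b', ts: '2016-05-02T09:30:00Z', city: 'Evanston, IL', lat: 42.0451, lon: -87.6877 },
  { user: 'dr_c', ts: '2016-05-02T08:00:00Z', city: 'Chicago, IL', lat: 41.8781, lon: -87.6298 },
  { user: 'dr_c', ts: '2016-05-02T18:00:00Z', city: 'Omaha, NE', lat: 41.2565, lon: -95.9345 },
];

console.log(findImpossibleTravel(SAMPLE_LOGINS));
```

Only `dr_a` is flagged: the same two cities ten hours apart (`dr_c`) or a short hop within one metro area (`dr_b`) are ordinary behaviour. Geo-IP data is imprecise and VPNs move users instantly, so a hit is usually a reason to step up authentication, not proof of compromise.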

We also do penetration testing in order to attempt to “hack” our own systems, and we have security policies for our team that govern who can access what in our systems.

Why iCouch development takes so long

Many practitioners have been excitedly contacting us wondering when the new iCouch will be released. As you might be able to tell from this post, we aren’t just building some cool features with great design. We’re creating the most beautiful and secure therapy practice management system ever built. And, we want to get it right. Your patience will be rewarded!

Published by Brian Dear

Brian is the cofounder and CEO of iCouch, Inc. He has an extensive background in software engineering, inbound marketing and mental health practice management.
