Australian Association of Consultant Physicians

Security

Videoconferencing systems security

There are a number of ways to increase the security of your IT system if you wish to participate in videoconferencing / telehealth and, given you will be discussing patient information and consulting with patients, it is important to address the relevant security issues.

 

Fortunately, with the amount of attention that has been paid to videoconferencing / videoconsultation since the Government launched its telehealth program, most of the VC (videoconferencing) vendors in Australia who are interested in selling their products for use in videoconsultations have paid attention to securing their systems from intentional and unintentional infiltration from unwanted visitors and, at the same time, have addressed the security requirements that have been outlined by the Government in relation to its telehealth program. For the most part these systems use encrypted data transmission and call logging.

 

Nevertheless, it is equally important for the medical profession to take an interest in ensuring that whatever system is used is secure and that basic precautions be taken to enhance security, in the same way that your paper-based medical records are secured within your practice offices.

 

Similarly, you should have password-protection on the system, just as you would have on your desktop or laptop computer, tablet or mobile phone.

 

Encryption

One of the early security requirements instigated was for encryption of transmission for all VC systems used to conduct a telehealth consultation and, while at the introduction of the telehealth program there were significant concerns about the encryption security of common videoconferencing methods (such as Skype), most companies have improved this element of security and it now tends to be offered by default. Nevertheless, it is important to check against the current (?NEHTA Standards) to ensure the system you want to use complies with the required encryption standard.
 

Firewalls and Virus Protection Software

Firewalls are designed to prevent unauthorized access to or from a private network and can be implemented in both hardware and software forms, or a combination of both. The firewall enables all data entering or leaving the system to be examined and data that do not meet the specified security criteria will be blocked.

 

In the AACP’s experience public hospital system firewalls can be a significant issue in seeking to set up videoconsultations between hospital based specialists and community based GPs and patients. The main issue is they often need to be configured to allow videoconference systems to interconnect and are usually the main cause of videoconference calls failing to connect or function properly. Examples of incorrectly configured firewalls could be: there is video but no audio (and vice versa) or the user is unable to dial out or the other party dial in.

 

Most software based videoconferencing systems can go through firewalls because they follow similar rules to web pages that are usually already accepted by firewalls.

 

If you cannot get your videoconference system to connect, particularly if one of your parties is using a public hospital IT system, then the firewall is the most obvious target as the problem.

 

If you have problems in this regard and are unable to get the hospital IT staff to assist, the AACP’s Technical Resources Officer may be able to assist you with advice on how to tackle this (details below).

 

The other important factor is keeping your practice software (not just programs like “Medical Director”) up to date because the vendors are constantly updating the features of the program. As with the security standards, the software vendors (including the suppliers of anti-virus programs) recognise the importance of complying with the Government’s requirements for security and will be continually upgrading software to ensure compliance.  It is important to ensure your office upgrades software whenever there is a new “patch” available to address security issues identified by the software provider.

Auto Answer and Direct Calling

It is important to remember that unless you disable functions on your computer or videoconferencing system, such as “auto answer”, it may be possible for someone to call you when they wish – and at a time that may be completely inappropriate for you.

 

If you plan to do only a relatively small number of videoconsultations, this may simply involve disabling these automated functions on your computer.

 

However, if you can see that your involvement in videoconsultations may grow because many of your referrals are from rural and remote areas, then you may need to consider whether a dedicated videoconferencing room will suit you, or whether you set up a “virtual room” which works as a form of intermediate “meeting room”, where participants dial in and wait for other participants to join. This form of virtual room does not connect directly to the end user and allows you to control the videoconference call or for your staff members to accept the calls and hold them for you. Many current videoconferencing systems can be configured to direct all incoming calls to a “virtual room”.

 

Physical lens covers for your camera and auto mute for maintaining privacy

There are also physical solutions that allow you to take control of videoconference calls, including using the lens cap that comes with many videoconferencing cameras and the automatic mute function. If you have a separate videoconference camera or system, keep the lens cap on when the camera is not in use; in the event of an inadvertent connection, at least the caller is prevented from seeing anything and if the system is set to mute on connection (which is recommended) inadvertent callers see and hear nothing.

 

If your videoconference camera does not have a lens cap, face the camera towards a wall. If your camera has “pan-tilt-zoom” capacity, i.e. it is remotely movable it would be more secure to disable these controls. These can be useful at the “patient end” when you need to direct a physical examination remotely with the assistance of the referring doctor, however it is unlikely you would require this function at your end of the videoconference.

 

Inclusion of your contact details in a telehealth directory

The AACP is encouraging CPPs who are interested in participating in videoconsultations to include their names on one of the telehealth directors (e.g. the directory being developed by the Australian College of Rural and Remote Medicine, with which the AACP is working closely on telehealth matters, is recommended) it is not recommended to publish your VC number in such directories. Publishing a contact telephone and/or email address is preferable as it maintains the referral process as it would normally exist were the patient to attend physically at your rooms.

 

Separating video and audio

This method of videoconferencing involves transmitting only the video via the videoconferencing system and calling the participant via a separate phone call for the audio component. This method may be helpful in low bandwidth situations to improve video quality although there is the major drawback that it causes the picture to be out of sync with the audio (video takes longer to transmit than audio) and this is unlikely to comply with Medicare’s requirements for videoconsultations. However, in an emergency situation, such an arrangement may prove useful.

 

Assessment of your videoconferencing system for vulnerability

It is possible to have a professional vulnerability assessment of your system and this is something you may wish to consider. Many videoconferencing vendors and IT professionals can assist you with these services. The AACP’s Technical Resources Officer can provide advice on this assessment process.