
Would one be able to have a telemedicine conversation with a patient with Google+ Hangouts the way one can over a telephone? In other words, does the security satisfy the HIPAA regulations that say private health information can only be transmitted over secure channels? So my technical questions are, "Is video conferencing secure? Is it encrypted?" The security rule of HIPAA does not lay down specifications but rather says safeguards have to be in place. In other words, one cannot just leave it in the open.

Today, I heard that Skype is not encrypted. I heard Google+ is not encrypted. I heard that of the consumer video conferencing platforms, only Apple Facetime was encrypted. True or False?

This started to be discussed in a thread that is now closed.

I also found the following Google+ information semi-useful but do not know what happens if a UDP connection is not in use.

Farrel

3 Answers


Here's the answer to the technical part of the question. As for the legal bit, well... here's the technical bit:

All three services are encrypted, but there's some concern about the scope of that encryption:

Client-only encryption:

   Me              Provider            You
+-------+        +----------+       +-------+
| Plain |========|  Plain   |=======| Plain |
+-------+        +----------+       +-------+

End-To-End Encryption:

   Me              Provider            You
+-------+        +----------+       +-------+
| Plain |===========================| Plain |
+-------+        +----------+       +-------+

If your worry is eavesdropping between you and your provider, then client-only encryption is fine. If you want to make sure that there is no eavesdropping or modification anywhere along the path between me and you, then only end-to-end encryption is sufficient.

Voice and data are often encrypted end-to-end simply as a matter of performance: it's a lot of data to move around, so the traffic goes directly between the two callers ("Peer to Peer"), which means it's also encrypted from one caller to the other.

Text data (chats) are typically routed through the provider's servers. This allows them to store chat history and deliver messages to offline users when they come back online. These are typically not encrypted end-to-end.

As for who does what, all three systems are proprietary, so you don't know. We know with certainty that Skype's text messages are not encrypted end-to-end because Microsoft actually visits URLs you send over Skype; we know Google+ text messages are not end-to-end encrypted because your chat history shows up in your Gmail box. And it appears that Apple has access to your FaceTime text messages as well.

As for the security of voice and video: as mentioned before, peer-to-peer communication is typical, which would prevent snooping. But it is at least possible for all these providers to route traffic through their own servers as intermediaries, perhaps on a call-by-call basis.

But perhaps most importantly: All three of these services are more secure than a telephone. The security of telephone calls is approximately zero. Most phones make no attempt at encryption; listening to the phone call is as simple as attaching a speaker to the wire.

tylerl
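The two topologies drawn in the answer above, as an added example that is not part of the answer: a stdlib-only Python model using a toy HMAC-based stream cipher (illustration only, not a real cipher), showing that under client-only encryption the provider's relay holds a key for each hop and therefore has the plaintext on its machine, whereas under end-to-end encryption it forwards bytes it holds no key for. The `Provider` class, `simulate` function and key names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 (illustration only, not for real use)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, message: bytes) -> bytes:
    return keystream_xor(key, message[:NONCE_LEN], message[NONCE_LEN:])


class Provider:
    """The service's relay (assumed model). hop_keys: the key each client shares with the provider."""

    def __init__(self, hop_keys):
        self.hop_keys = hop_keys
        self.observed = []  # every message body exactly as the relay is able to see it

    def relay_client_only(self, sender, receiver, message):
        # Client-only encryption: the relay ends one encrypted hop and starts the next,
        # so the plaintext exists on the provider's machine (and in its logs/backups).
        plaintext = decrypt(self.hop_keys[sender], message)
        self.observed.append(plaintext)
        return encrypt(self.hop_keys[receiver], plaintext)

    def relay_end_to_end(self, message):
        # End-to-end: the relay holds no key for this message and forwards it unchanged.
        self.observed.append(message)
        return message


def simulate(end_to_end: bool, plaintext: bytes):
    """Send one message from 'me' to 'you'; return (what 'you' received, whether the provider saw plaintext)."""
    hop_keys = {"me": os.urandom(32), "you": os.urandom(32)}  # constructed per-hop keys
    provider = Provider(hop_keys)
    if end_to_end:
        session_key = os.urandom(32)  # negotiated between the two callers only
        delivered = provider.relay_end_to_end(encrypt(session_key, plaintext))
        received = decrypt(session_key, delivered)
    else:
        delivered = provider.relay_client_only("me", "you", encrypt(hop_keys["me"], plaintext))
        received = decrypt(hop_keys["you"], delivered)
    return received, plaintext in provider.observed
```

The message is delivered correctly either way; the difference is only whether the provider is a place where plaintext exists, which is the point that matters when asking who could read or record a call.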

I would ask a lawyer about HIPAA compliance -- that's a legal question, not a technical one. However, I would consider the following: http://greenwirehealthcare.com/hipaa/is-voip-hipaa-compliant/

Skype and Google+ both encrypt data between the client and the server, but do not provide end-to-end encryption.

David
  • What do you mean? Do you mean that between the server and the client but inside of Google's own network the data is not encrypted which means Google or the NSA could listen to and record the video consultation if they accessed the Google or Skype servers? – Farrel Aug 22 '13 at 20:07
  • @Farrel yes, that's the implication of what David has written (in the context of tylerl's graphical definition of client-server and end-to-end encryption) – Matt Oct 30 '13 at 19:04

You are right. Skype and Google+ are not secured solutions. You may try using on-premise RHUB web video conferencing appliances. They work from behind your firewall, hence provide better security.

  • What evidence (technical or legal) is there that Skype and Google+ are not secure, or at least so vulnerable as to fail the HIPAA security rule? Behind the firewall is not an option (unless you are talking about a VPN). I would be in a hospital and the pediatrician would be in their own practice. – Farrel Nov 21 '13 at 00:14