Adventures in telepsychiatry

There was an interesting article in the New York Times this weekend regarding telemedicine titled “The doctor will see you now. Please log on.”

According to the article, the telemedicine business has been growing by almost 10% annually, and is now a half-billion dollar industry.

One of the issues brought up by the article is a question regarding high end video systems (which are typically proprietary and so expensive that the patient needs to leave home to get to them) and the lower end webcams represented by those that are typically used by people using Skype.

Apparently, members of the Texas Medical Board have raised concerns that “doctors might miss an opportunity to pick up subtle medical indicators when they cannot touch a patient.”

I looked on the Texas Medical Board’s website, but couldn’t find anything there to follow up on the Times article.

I can see plenty of places where the concerns raised by the Texas Medical Board might be valid.

One example would be dermatology. A lot of dermatology is visual pattern recognition, and every couple of months of so when I have a patient with a drug rash, I usually start by looking at the rash under sunlight, rather than under the muted lighting that I usually have on in my office. My eyes are not as good as they used to be, and I think it would be really hard for me to even describe a rash from a webcam image.

Another example would be more prosaic, for example, someone on venlafaxine who needs a BP check. These days, about half my patients have access to a BP machine at home or with a relative, and I have told people to go check their blood pressure and tell it to me. I’m very aware that these drugstore machines aren’t that accurate, but, so far as I’ve been able to see, they tend to be within 10 points or so of what I measure in the office.

The question I would like to ask of the Texas Medical Board would be how many of their concerns would relate to telepsychiatry versus telemedicine.

First, most of the outpatient psychiatrists I know don’t touch the patient often other than to take vital signs, put him or her on a scale, help him or her out of a chair, check for EPS or look at a rash or a wound (with a chaperone in the room if needed).

Second, I know at least three mental health workers with fairly profound visual problems and I’ve never thought for a second about whether their visual problems would affect their care of patients.

It would be hard for me to argue that these mental health workers shouldn’t be working with patients, but that would seem to be a logical extension of some of the Texas Medical Board’s concerns.

So, in my post last week , I described why I don’t think that the protocol used by Skype (assuming that it is the one they claim to be using on their website) seems fairly secure to me–it’s the same protocol used by banks and is approved by the government for the transmission of top secret information.

I used an analogy in that post that I’m going to continue this week. Basically, I started with talking about how firewalls are like the guard at the desk by the door of a factory. For review, here,

• the factory (and its grounds) are like your home network,
• the goings on at the cafeteria are like the Skype program running on your computer,
• the guard is like your firewall, and
• “Should we tighten up security at the guard’s station?” is like “Can firewalls help make Skype more secure?”

I talked about firewalls last time and how concerns about firewalls are like concerns about the security procedures at the front desk. In general, front desk security is a good thing, but won’t do much to solve a problem in the cafeteria if some rascal there has a valid ID card.

I would like to go with this analogy again. There’s a lot of ways that security could fail in terms of nefarious goings-on at the cafeteria, and those ways are just like the potential security problems of Skype.

• Skype’s program could have a bug in it which someone could exploit. I.e., if someone knows something like putting in a contact with a name that is 50,000 characters long lets that person access some internal aspects of Skype that they aren’t supposed to, then that could be a problem. This is like having someone who works for the factory responsible for the nefarious things in the cafeteria. Here, they are just stealing from the factory.
• More worrisome is something like someone from the outside impersonating someone who has a valid ID. The bad guy gets in by pretending to be someone who works there, and then does his nefarious deeds. The analogous thing for Skype would be for someone to make a specially modified program, convince you to download it, and then have you install the modified program. As far as I know, there are no programs that do something bad while masquerading as Skype, but I have noted the same sort of malware on Skype IM’s that appear regularly in everyone’s email, basically a bogus message saying that you need to go to some URL and install fake antivirus software, or update some kind of program that you already have, such as Adobe Acrobat.

I tend to be very suspicious of these kind of messages anyway so I hope that I, at least, wouldn’t fall for this nonsense, but I can certain see a naive user getting one of these malware spam messages and installing something that would infect their computer with a virus.

A program that works like Skype but does something bad could probably be written, but since this would be a direct shot at Skype, I suspect that Skype would respond quickly and effectively (or else they would be out of business.)

One thing that is possible, but not particularly worrisome to me is that someone could hack my or my patient’s password and pretend to be someone they are not. There is a big reason why I don’t think this would be a problem in my practice. I always see the patient face to face first, before I do Skype sessions with him or her. As long as the impostor is showing me video, then this exploit would be easy to see through.

So far as I know, HIPAA doesn’t certify software as being HIPAA compliant or not. Instead, as best I can understand, various companies claim HIPAA compliance and I guess they could be sued if they were negligent someone.

As far as I know, no one has brought up substantive HIPAA issues regarding cell phones, but every argument I’ve given on this subject would appear to apply to cell phones as well as Skype.

I think the bottom line here is that having some informed consent from the patient is essential, but that some of the discussion regarding HIPAA and Skype may be more based on commercial interests (such as the people who give the seminars on HIPAA compliance) than on believable threats to the security of patient information.

If someone bugs your landline at your office, wouldn’t they be able to gather lots of information? Do you sweep your office for bugs daily? Maybe so, but I suspect that most people would say that trying to absolutely guarantee the privacy of anybody’s practice is impossible. If someone wanted to sue you after a bad guy tapped your phone, do you really think that the government would come after you? What if someone broke into your practice at night, broke open the file cabinets, and looked through someone’s information? (Didn’t this happen during Watergate?) What if the CIA kidnapped you and put a video camera in your nose?

This is beginning to sound a little weird to me…

Lots of things to worry about here for the nervous Nellie’s. The only one I find credible is malware which masquerades as Skype, but then, malware could masquerade as your EHR software, couldn’t it?

I got a couple of comments a month ago regarding Skype security and in response to my previous post “Is Skype HIPAA-compliant?“  Marlene Maheu at the TeleMental Health Institute’s Center for Online Counseling and Psychotherapy  has a blog post on Telehealth.net in which she voices some concerns about Skype security and in which she references an article by Jacqueline Herships titled “No More Hacking.”

Basically, Dr. Maheu points out that there is a lack of potential information about the security and reliability of Skype. Assuming that the security information on the Skype website is correct, then I think I can answer a couple of the good questions that Dr. Maneu asks.

Rather than thinking about things like firewalls (which are pretty nebulous to most people), a better way to understand what the relationship of firewalls to Skype security is to use an analogy. Suppose that you are the director of security for a factory and that you’ve been asked to investigate some nefarious things going on in the cafeteria and to straighten them out. Someone asks you if tightening up security at the guard’s station at the front door to the factory would help.

Here,

• the factory (and its grounds) are like your home network,
• the goings on at the cafeteria are like the Skype program running on your computer,
• the guard is like your firewall, and
• “Should we tighten up security at the guard’s station?” is like “Can firewalls help make Skype more secure?”

If you were the directory of security at the factory, I’m sure that you would answer something like: “It depends on how the nefarious things are happening. If some unauthorized people are getting into the factory, beefing up security at the door will help keep these kinds of people out, but if the person’s got a badge to get in, focusing on the guard at the door isn’t going to make any difference.”

Skype security is pretty similar. Having a good firewall is pretty much a must on any Internet-connected computer these days, but I don’t think changing the firewall is going to make that much difference in Skype security, any more than replacing one competent guard at the factory’s front door with another is necessarily going to solve the problems at the cafeteria. It probably it pays to investigate what’s happening at the cafeteria, rather than at the front desk.

Skype hasn’t made all the details of its security system known, but it does have a lot of information online, and, assuming that they are telling the truth, it sounds like Skype is at least a secure as a cellphone conversation, and, as far as I know, every psychiatrist I know talks to people on cell phones without worrying that much about HIPAA violations.

Skype and modern cellphones use the same basic protocol to communicate (packet switching), but basically what happens is that when you make a call, Skype or your cellphone operator sets up a connection between you and the person you are calling and then steps out of the way, leaving you and that person to talk as if you had your own circuit. Both Skype and cellphones encrypt the data they send. If anything, the AES encryption method used by Skype is probably more secure than the 30-year old A5/1 encryption method used in most cellphones. AES is approved by the government for top secret information while A5/1 has already been partially broken.

I think that the real security issues with Skype (or with cellphones) are probably more with things like whether the government can compel Skype or your cellphone operator to tap into your conversations than with details of encryption or firewalls.

Until then, I think that doctors should give up talking to patients on cellphones before they get worried about whether Skype is secure.

There’s a lot more to think about with Skype security other than whether just this protocol is sufficiently secure. There are other issues which are also important, related (back to the analogy with the guard at the factory with which I started this post) to things like corrupt guards, corrupt employees and the like, which also merit some consideration, and I’ll discuss them in a future post.

The term “boundary” is mental health jargon for the edge that separates professional from non-professional conduct in dealing with patients. A boundary is an imaginary line in the sand in the relationship between mental health professionals and their patients.

“Boundary violations” typically occur when a mental health practitioner does something in the context of treatment which would be more appropriate if he or she and the patient had a personal, as opposed to professional, relationship with one another. For example, dating patients is clearly verboten, but there are lots of gray areas such as how the practitioner should respond if there is some change in the relationship between him or her and the patient.

Example of gray areas include what to do if the practitioner and the patient encounter each other in public, or if the patient and the practitioner are parties to some business transaction, such as when a patient becomes the practioner’s landlord.

It seems to me that there are some potential gray areas with boundaries in telepsychiatry. Here are three examples:

First, I have had patients show me their home by moving their laptop around as they had their session. I haven’t seen anything that I feel would be unprofessional, but it does strike me that most mental health professionals don’t make house calls, and telepsychiatry is a little like a house call sometimes, as people knock on the patient’s door or their pet runs up to them during a session.

Second, both therapist and patient tend to dress more casually at home. Again, I haven’t seen anything that I thought was inappropriate, but I have wondered about whether I should change from whatever I’m wearing at home into something less casual out of respect for the patient, or whether it’s just silly of me to wonder about it.

Third, I’ve talked about using a shoji screen at home when I do telepsychiatry from there. My office at home is considerably more messy than the one at my practice, and I think that I would rather leave it like it is and hide the background with a shoji screen.

I don’t have any answers here, but, as time goes on, I’m sure some boundary issues are bound (sorry for the pun) to come up in telepsychiatry.

I read an interesting blog post in which the author, a training and supervising psychoanalyst shares his thoughts about “online therapy.”

The author was doing research on “techno-ethics” for a workshop he will be doing, and the premise of his blog post is that any online therapy is not “real” psychotherapy.

Of course, psychiatrists do more than therapy (regrettably, some do no therapy at all), so the author’s argument doesn’t necessarily apply to telepsychiatry, but I still find his argument lacking.

He begins by accusing anyone who does any kind of online therapy as “preying on vulnerable people in need of help.” I have no doubt that there are people who are doing a bad job of online therapy, just as there are people who are doing a bad job of face to face therapy, too. Even though the author admits that people have been helped by online psychotherapy,  he discounts any proof by success. Instead, he says that online therapy is a “technologically-mediated simulation of psychotherapy,” sort of like Disney World or a flight simulator.

He goes on to give a couple of reasons why he thinks online therapy is a simulation rather than “real” psychotherapy.

First, he states that “Skype or Email is just not risky enough provide the same context for the development of safety.” He states, without any support, that no therapeutic alliance can be built online. Such a statement can be refuted by one counterexample. Although I certainly believe that technology can change the therapeutic alliance, I think my own experience makes me think that the author doesn’t have any experience upon which to base his opinion. Certainly, I think that there is a therapeutic alliance that gets built when I do telepsychiatry. I wonder what the author’s experience would be if he actually tried it.

Second, he says that mirror neurons are not activated in online therapy, but are in face to face therapy. A brief search through the literature finds no evidence for this claim, and, in fact, other studies would suggest that it would be surprising if mirror neurons were not activated by online therapy, given that many studies show that mirror neurons are stimulated by things like films, videos and pictures.

The author closes by saying:

And for my colleagues out there pushing this new frontier, maybe you want to dial-back on the evangelical fervor, maybe even consider clearly stating that what you are offering is a simulation, not the actual journey that has been subject to decades of research and study.

I would say back to him two things. “Theory is not as important as people getting better,” and “Try it first, then write your article, rather than the other way around.”