At Doxy.me, simplicity is key to telehealth security

The telemedicine vendor doesn't store patient data, explained founder Brandon Welch, and relies on peer-to-peer video-calling software working inside browsers to minimize potential vulnerabilities.
By Kat Jercich
10:06 AM

[Updated: This story has been updated to note that Doxy.me implemented mandatory minimum password security requirements for providers on Monday.]

In January and February, telemedicine technology vendor Doxy.me hosted about 250,000 video sessions a month, according to founder Brandon Welch.

Learn on-demand, earn credit, find products and solutions. Get Started >>

By May, Welch said, the service was hosting a million sessions per day. 

The upswing of interest in telehealth and virtual care, combined with the federal focus on interoperability, has highlighted the importance across the industry of keeping patient data secure. At Doxy.me, Welch said, much of that patient security is safeguarded through the vendor's service model.

"We don't store patient data," Welch explained to Healthcare IT News. "When patients come, they're anonymous on our system. All we see is providers had a call that lasted 30 to 40 minutes." Patients don't have to log in using their own names, and providers can ask to verify their identification through showing their ID and health insurance cards over video.

Providers can add links to their Doxy.me rooms to a patient's electronic health record – allowing the patient to access the meeting through a patient portal – but the flow of data is not bidirectional.

For the video component of its service, Doxy.me uses WebRTC, an open-source, standardized product that relies on browser security and end-to-end encryption. 

"Since we work in the browsers, we can use browsers' security teams," said Dylan Turner, COO, cofounder and security officer at Doxy.me. "That's way more secure than downloading things to the computer." 

Browsers themselves can have their own security holes, such as with extensions that scrape data, but Doxy.me's peer-to-peer communication tries to minimize the vulnerabilities that can arise from requiring users to download a separate app.

The vendor uses Healthcare Blocks for server management, daily backups and login controls. "We basically try to follow industry best practices," Turner said.

Two weeks ago, Doxy.me also started a "bug bounty" program through HackerOne, which compensates individuals who find potential gaps in its security system. Though Turner said other security companies had reviewed Doxy.me's practices, and the vendor had always had an informed disclosure system (of the "see something, say something" variety) this was a more formalized process. So far, Turner said, a "handful" of people have participated.

Of course, phishing is still a major cause of security breaches, with bad actors using social engineering and deceptive messaging to lure users into sharing passwords or personal information. Internally, Doxy.me hosts anti-phishing training and uses a password management system, so that employees don't create their own passwords. 

Providers who use the service are prompted to create secure passwords. When Healthcare IT News created a free account as a provider, the registration system marked the password "password!!!" as less safe but still allowed its use; it also did not authenticate the email address provided. Accounts with less secure passwords, such as "password," were not allowed, an update the vendor implemented on Monday.

Two-factor authentication is not an automatic feature, but hospitals and clinics who use Doxy.me can mandate it or use their own password management systems. Providers can also opt in to two-factor authentication.

Turner also added that even if someone were to break into a provider's account, all they would have access to is public information – their name and place of work.

Doxy.me representatives confirmed via email that two-factor authentication will be required in the future for all accounts, diminishing the chances of someone impersonating a provider. Email address authentication at registration will also soon be required, they said.

The vendor's goals also include adding more security features. For example, a provider can implement two-factor authentication through an app rather than through a less secure text message. Turner also pointed out Gmail's flag when someone logs onto an account through a new device as a helpful add-on.

"One of our fundamental philosophies about telemedicine is we want to focus on the best patient-doctor interaction," said Welch. "We don't want to come in as a telemedicine app and try to become an EHR."

"Our goal is to make telemedicine available for all," he continued.

Security in the COVID-19 Era

This month we look at how the COVID-19 pandemic is fundamentally changing healthcare organizations' approaches to security, now and in the future.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.