FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

Summary: Apple gear is HIPAA compliant when using WPA2 Enterprise security. Whether WPA and WPA/Personal connections are also compliant is debatable.

Back in July 2010, Apple responded to a rumor that FaceTime calls were unencrypted, saying that the entire FaceTime conversation stream is encrypted.

This raised an interesting question from an IT professional in local county government, who wondered about the type of encryption Apple uses in FaceTime calls.

The reader wanted to know if Apple gear like the iPad and iPhone was HIPAA compliant, and therefore eligible for government funds.

Government grants in the healthcare industry require HIPAA compliance. The section on Access Control requires systems ensuring that only authorized users are granted access to Electronic Protected Health Information (EPHI). While somewhat vaguely worded, strong encryption is the only practical means of meeting the government "authorized users" requirement.

An Apple representative involved with the iPad emailed me this response:

iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. In addition to your existing infrastructure each FaceTime session is encrypted end to end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly.

Simply put, Apple gear is HIPAA compliant -- if your wireless connections use WPA2 Enterprise security. Some interpret the HHS requirement to include WPA and WPA2 Personal as compliant, but HIPAA is a big, complex, hairy monster and, well, it depends on several variables.

One thing's for sure: WEP is out, and you should avoid mentioning that Swiss cheese security protocol around your friends at the U.S. Department of Health and Human Services -- if you want a check from the Feds, that is.

Talkback

16 comments
  • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

    HIPAA, not HIPPA. You've got the right link. Re-check it to confirm the acronym.
    snaab4
    • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

      @snaab4
      Fixed. Thanks!
      - Jason
      Jason D. O'Grady
      • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

        @Jason D. O'Grady
        You still have a couple places where it is spelled wrong.
        erickwong
  • FaceTime on desktops also compliant

    FaceTime is available on desktops as well. These could be hard-wired to the network so they aren't affected by wireless encryption. Calls are still encrypted end-to-end so all uses of FaceTime should be HIPAA compliant. This article did not address the basic encryption algorithms FaceTime uses and it would be beneficial if Jason could find out what approval this encryption received. It still is good news but how does FaceTime compare to Skype and other video chatting applications? Hopefully FaceTime is more secure than all of them.
    prl99
  • Apple's answer doesn't really resolve the question

    The response from Apple doesn't make much sense, and the article reads too much into the answer.

    To come to a conclusion about HIPAA, you need some information about the encryption strength provided by the FaceTime application for data passing across the internet (not just across your living room).

    If Facetime's security depends on the WiFi encryption, then it's not adequately encrypted once the data is passing over the network beyond your access point. If FaceTime does not depend on the encryption of the WiFi network, then why bother including the WiFi information in the response -- tell us about the encryption strength provided by FaceTime itself.
    adrianludwig
    • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

      Agreed. The author should press for more details.
      dqdbb
    • Agreed, it's the end-to-end encryption that matters most for HIPAA...

      And I have no idea what encryption that is or is not, but am certain HIPAA has something to say about it. But it's not as if they have a police force to come after you. Neither do I know if FaceTime Internet conversations in general carry the same legal protections as do landline voice networks. Since there are legally permitted ways to tap phone calls, there must be a way to tap Internet calls too.
      oldorange1
  • What about FaceTime on iPhone?

    Is FaceTime on iPhone encrypted as well? The Apple rep specifically says iPad, with no mention of iPhone.
    bretlowery
  • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

    Lame, local network encryption has nothing to do with a FaceTime call over the Internet.

    If you only use FaceTime internally I fail to see how HIPAA would even be involved.

    I'm not a HIPAA expert but Apple has totally avoided the question. From the text of the response I suspect the call isn't encrypted to a level anyone other than Apple would find acceptable.
    Sing the Blues
  • WPA2 May Not Be Enough

    The difference between WPA and WPA2, as I understand it, is that WPA mandates TKIP encryption with AES as an option, whereas in WPA2 AES support is mandatory.

    TKIP is also broken, so do not use it. But it's still available in WPA2, so it's not enough to specify WPA2, you must say WPA2 with AES encryption.

    Also you should stick with AES-128. Some have been using AES-256, but weaknesses have been found with that.
    ldo17
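As an added example (not code from the article, its commenters, or Apple): a small audit script that applies the article's tiers to a wireless survey, namely WPA2 Enterprise with AES meets the bar, WPA and WPA2 Personal "depend on circumstances", and WEP or open networks are out, together with ldo17's caveat above that WPA2 with TKIP enabled does not count. The SSIDs and the four-column CSV survey format are constructed assumptions.

```python
import csv
from io import StringIO

# Verdict tiers taken from the article (WPA2 Enterprise bar, "it depends"
# for WPA/WPA2 Personal, WEP ruled out) plus the TKIP caveat from the comments.
MEETS_BAR = "meets the WPA2 Enterprise + AES bar"
DEPENDS = "WPA/WPA2 Personal: depends on circumstances"
NOT_ACCEPTABLE = "not acceptable"


def assess(protocol, cipher, auth):
    """Classify one network's link-layer security; returns (verdict, reason)."""
    protocol, cipher, auth = protocol.upper(), cipher.upper(), auth.upper()
    if protocol in ("", "OPEN", "WEP"):
        return NOT_ACCEPTABLE, "no usable link encryption (%s)" % (protocol or "open")
    # A mixed TKIP+AES access point still admits TKIP clients, so it fails too.
    if "TKIP" in cipher:
        return NOT_ACCEPTABLE, "TKIP cipher enabled; require AES (CCMP) only"
    if protocol != "WPA2":
        return DEPENDS, "WPA rather than WPA2"
    if auth != "802.1X":
        return DEPENDS, "pre-shared key (Personal) rather than Enterprise (802.1X)"
    return MEETS_BAR, "WPA2 Enterprise with AES"


def audit(survey_csv):
    """Parse 'ssid,protocol,cipher,auth' rows into {ssid: (verdict, reason)}."""
    results = {}
    for row in csv.DictReader(StringIO(survey_csv)):
        results[row["ssid"]] = assess(row["protocol"], row["cipher"], row["auth"])
    return results


# Constructed sample survey with hypothetical SSIDs; a real inventory (WLAN
# controller export, scan tool output) would be mapped onto these four columns.
SAMPLE_SURVEY = """ssid,protocol,cipher,auth
Clinic-Staff,WPA2,AES,802.1X
Clinic-Guest,open,,
Ward-Legacy,WEP,,
Front-Desk,WPA2,TKIP+AES,802.1X
Admin-Office,WPA2,AES,PSK
Old-Router,WPA,AES,PSK
"""

if __name__ == "__main__":
    for ssid, (verdict, reason) in audit(SAMPLE_SURVEY).items():
        print("%-14s %-45s %s" % (ssid, verdict, reason))
```

The verdict covers only the wireless hop to the access point; as adrianludwig notes above, it says nothing about how the FaceTime stream is protected beyond that point.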
  • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

    It's RTP, not SRTP; only the authentication is encrypted endpoint to endpoint. So it cannot be compliant unless the protocol itself is "totally" encrypted in the stream, not just bits and pieces. Once off the Wi-Fi, just sniff the protocol with Wireshark...
    bubbagump2012
    • RE: FaceTime calls are encrypted; and HIPAA compliant when using proper encryption

      @bubbagump2012 This is inaccurate. The video stream is encrypted end-to-end with AES.
      arthrotome
  • Hmmm

    "Apple has stated that a best practice for any WiFi use is to ensure that WiFi encryption is being used with the access point (preferably WPA2); accordingly, if enabled, then FaceTime is secured using this encryption. If your WiFi uses a different type of security, namely the much maligned WEP, or, as in the case with much of public WiFi, no security, your FaceTime calls may be open to hacking or theft."

    So really??

    "Tech blog ZDNet also recently reported on a Health and Human Services update that requires all healthcare providers looking for government funds to be HIPAA compliant. In order to gain compliance, health care providers must update wifi security if they plan to use FaceTime. The HIPAA statute declares that, while WPA and WPA Personal may be acceptable depending on the circumstances, WEP security is not allowed."

    Sounds to me like it really isn't. The above are from 9/2011.
    ehask71@...
  • FaceTime and HIPAA compliance

    The encryption may meet one part of HIPAA compliance, but there is a LOT more to compliance than JUST encryption. No technology can claim compliance because HIPAA and HITECH compliance (HITECH being the enforcement laws of HIPAA and more rules on electronic communication) involve the people and access protocols involving that technology and access to PHI. This includes things like Business Associate Agreements (BAA), a Breach Notification Plan, ensuring all the engineers who have access to the server have HIPAA training, access logs that are variable to each person who has PHI on the server, and more. By the way, you may be surprised by what constitutes PHI - IP addresses, zip codes and more. See this link http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.
    In mental health there are a lot of technologies that do abide by the HIPAA compliance policies. There is an independent comparison of them at this site www.telementalhealthcomparisons.com.
    Jay Ostrowski, MA, LPC, LPCS, NCC, DCC, ACS
    • Not so fast on the compliance

      Jay is right.

      Interestingly, I just happened to be doing a little research today on the use of FaceTime with mental health professionals and HIPAA compliance. From what I understand, while FaceTime might be "safe" it would not be compliant because Apple holds the encryption key and the odds of getting Apple to sign a Business Associate Agreement are null.
      TechnoMinds
  • thanx for info

    As for me, I prefer to record FaceTime calls using this tool http://www.imcapture.com/IMCapture-for-FaceTime/, it's easy-to-use and works great!) but thanx for info)
    dede!