Privacy, Security and Scalability
How Video Call consultations are made secure and private at scale
Privacy, security and scalability are fundamental to Video Call. This document explains how Video Call consultations are made secure and private at scale.
Video Call is based on 4 important concepts:
- Privacy - defines the obligation to collect, use, disclose and store personal information correctly, under the Commonwealth Privacy Act 1988 and Australian Privacy Principles.
- Security - video calls are safe from unauthorised access and use, and that data is reliable, accurate and available for use.
- Data sovereignty - patient information must not be transferred overseas, as required by Australian privacy regulations.
- Scalability - Video Call, as a national capability, is architecturally scalable to handle high volumes of video consultations without the need for traditional video conferencing infrastructure.
These four concepts are fundamental to the design of Video Call. Its network architecture is covered by design assurance processes which ensure new features and capabilities continue to meet the required standards.
Summary
Video Call is built on Web Real-Time Communications (WebRTC) technology. WebRTC’s built-in security uses fully-encrypted connections.
Video Call has been designed as a holistic telehealth ecosystem, made up of servers and applications, running through WebRTC technology.
healthdirect Video Call follows the applicable controls of the Australian Government Information Security Manual (ISM) Essential Eight baseline and, for cyber-security guidelines, the Health Insurance Portability and Accountability Act (HIPAA); it safeguards privacy by leaving no digital footprint. The Video Call platform is also ISO 27001 certified.
Other video consultation platforms store the details of the call, including any call recording, on central servers (usually outside Australia) that are accessible to the video service provider. This may place clinicians in breach of privacy legislation unless informed patient consent has been obtained.
Additional security measures have been applied to make the WebRTC-based system truly secure and private:
- Virtual rooms, peers and sessions provide a secure environment for users to communicate.
- Video Call does not by default store personally identifiable information or protected health information.
- State-of-the-art network security prevents eavesdropping and man-in-the-middle attacks.
- Load testing and code reviews provide a high level of application security.
On this page we explain what steps are undertaken to ensure video consultations are safe, secure, private and scalable.
Health-grade privacy, security, and data protection are fundamental to Video Call design
Call security
WebRTC media (audio, video and data channels) is encrypted between the two web browsers using SRTP with AES in 128-bit or 256-bit mode, keyed by a DTLS handshake that runs directly between the peers. This is the standard for WebRTC-based services such as Video Call. However, this protection covers only the peer-to-peer media path, not the system infrastructure around it. Several infrastructure elements of any WebRTC video call can be attacked, and Video Call has been developed to inhibit these attack vectors.
For example, standard WebRTC call encryption cannot stop an attacker impersonating a user at either end of the call: the media keys are negotiated with whichever party the signalling channel connects you to. Neither can encryption prevent a signalling, application, or relay (TURN) server from being hijacked.
Key privacy and security measures have been applied to Video Call to protect against:
- impersonation by someone to gain wrongful access to the online clinic to consult with patients.
- unlawful interception by someone to gain unauthorised access to the video call signalling or a TURN server.
- call history observation by third parties accessing call logs on the patient device or on a monitoring server.
Video Call’s privacy and security model ensures that:
- only authorised service providers and administrators from the clinic are able to service a patient,
- every patient consultation can be held in a private one-time video session,
- one-time video sessions are differentiated from persistent video rooms (the latter can be used for clinic-internal purposes),
- patient data exchanged during a video call or in a video room does not persist beyond the end of the consultation; if the clinic chooses to store it, it is stored encrypted, with the decryption keys available only to the clinic,
- signalling and relay servers only ever handle encrypted media traffic,
- state-of-the-art security configuration and procedures are followed so that the server infrastructure cannot be compromised in order to impersonate a clinician or observe a consultation, and
- all software patches undergo peer code review to maximise application security.
Data security
All data - not just the live video call - is encrypted.
Video Call stores service provider account details securely on Amazon RDS (Relational Database Service). Passwords are transmitted only over TLS (Transport Layer Security) and are never stored in plain text: Video Call stores only salted password hashes in RDS, meeting current industry standards for user authentication and authorisation.
No personally identifiable or protected health information is stored by Video Call.
Network security
All audio and video data, and all other data exchanged during a live video call is encrypted.
Video Call uses state-of-the-art security mechanisms for all connections as well as for its WebRTC implementation. Connections between the browser and the application server, the signalling server, and the STUN/TURN servers are all TLS-encrypted and authenticated, with strong cipher suites and proper certificate validation. TLS protection of the STUN/TURN negotiation means an on-path attacker cannot tamper with relay allocation and re-route the call’s media.
Security for WebRTC communication is enhanced by having the signalling server facilitate the cryptographic setup for browser-to-browser communication: each browser generates its own certificate, the fingerprint of that certificate travels to the other side through the TLS-protected signalling channel, and the two browsers then run a DTLS handshake directly with each other, deriving the SRTP keys for audio and video and a shared key for every data channel. Neither the signalling server nor a TURN relay ever holds those keys.
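The binding just described, as an added example (illustrative code written for this page, not Video Call's): the `a=fingerprint` attribute in the SDP that crosses the signalling channel (RFC 8122) is a hash of the browser's DTLS certificate, and the DTLS peer is accepted only if the certificate it presents hashes to that value. The script below parses the attribute, checks a presented certificate against it, and shows what a hijacked signalling server would have to alter to impersonate a peer, which is the point made under Call security above. The certificate bytes and the SDP offer are constructed stand-ins, and the policy for handling several fingerprint attributes is this example's own assumption.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# a=fingerprint:<hash-func> <upper-hex octets joined by ':'>  (RFC 8122 syntax)
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(\S+)[ \t]+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)", re.MULTILINE)
SUPPORTED = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint_of(cert_der: bytes, algo: str = "sha-256") -> str:
    """Hash the DER-encoded certificate and render it in SDP fingerprint notation."""
    digest = hashlib.new(SUPPORTED[algo], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprints(sdp: str) -> List[Tuple[str, str]]:
    """All fingerprint attributes in the SDP, session- and media-level, as (algo, value)."""
    return [(m.group(1).lower(), m.group(2).upper()) for m in FINGERPRINT_RE.finditer(sdp)]


def dtls_cert_matches_sdp(sdp: str, cert_der: bytes) -> bool:
    """The check a browser performs when its DTLS peer presents cert_der: it must
    match the fingerprint that arrived over the signalling channel. Policy assumed
    here: at least one fingerprint with a supported hash must be present, and every
    supported one must match; fingerprints with unknown hashes are ignored."""
    checked = False
    for algo, expected in parse_fingerprints(sdp):
        if algo not in SUPPORTED:
            continue
        checked = True
        if not hmac.compare_digest(fingerprint_of(cert_der, algo), expected):
            return False
    return checked


def rewrite_fingerprint(sdp: str, new_cert_der: bytes) -> str:
    """What a hijacked signalling server would have to do: substitute the attacker's
    fingerprint so the victim's DTLS handshake accepts the attacker's certificate."""
    return FINGERPRINT_RE.sub("a=fingerprint:sha-256 " + fingerprint_of(new_cert_der), sdp)


# Constructed stand-ins for a clinician browser's DER certificate and an attacker's.
# Real ones are self-signed X.509 certificates generated by the browser itself.
CLINICIAN_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))

# Constructed SDP offer; the fingerprint line is what binds signalling to the DTLS handshake.
SAMPLE_OFFER = "\r\n".join([
    "v=0",
    "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    "a=fingerprint:sha-256 " + fingerprint_of(CLINICIAN_CERT_DER),
    "a=setup:actpass",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "c=IN IP4 0.0.0.0",
    "a=mid:0",
    "m=video 9 UDP/TLS/RTP/SAVPF 96",
    "c=IN IP4 0.0.0.0",
    "a=mid:1",
    "",
])

if __name__ == "__main__":
    print("genuine peer accepted:", dtls_cert_matches_sdp(SAMPLE_OFFER, CLINICIAN_CERT_DER))
    print("attacker rejected:", not dtls_cert_matches_sdp(SAMPLE_OFFER, ATTACKER_CERT_DER))
    hijacked = rewrite_fingerprint(SAMPLE_OFFER, ATTACKER_CERT_DER)
    print("attacker accepted after signalling tamper:", dtls_cert_matches_sdp(hijacked, ATTACKER_CERT_DER))
```

The last line of the demonstration is why the page insists on TLS for the signalling path and on hardening the signalling server: the DTLS handshake is only as trustworthy as the fingerprint it is told to expect.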
Application security
As a distributed system, all components of the Video Call ecosystem are hardened against attacks.
- Protocol fuzzing - as the signalling server uses a custom protocol to transport messages, it has been subjected to a protocol fuzzer to ensure there are no code paths that lead to unexpected or undesired behaviour. The browser implementation of Video Call has been subjected to the same protocol fuzzing.
- Penetration testing (pen-testing) - the application server and the call monitoring system have been pen-tested to find and close avenues for intrusion. Pen-testing is conducted regularly.
- Browser security - WebRTC connects browsers peer-to-peer. Protocol fuzzing is used to test the Video Call browser implementation.
- Monitoring security - communication takes place in one direction only, from browsers to the call monitor: browsers only send information to the call monitor and cannot pull or receive any information from it. The call monitor has been pen-tested and fuzzed to defend it against common threats.
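An added example of the first and last items above, protocol fuzzing of a message handler (illustrative code written for this page, not Video Call's fuzzer or its protocol; the JSON envelope, its fields and the seed messages are assumptions made here). It runs a deterministic corpus of shape confusions plus random byte damage against a naive decoder and a hardened one, and counts any exception other than the protocol's own rejection as a bug. The naive decoder leaks TypeError and KeyError on inputs it was never written to expect; the hardened one rejects everything cleanly.

```python
import json
import random
from typing import Callable, Iterator

ALLOWED_TYPES = {"join", "offer", "answer", "candidate", "leave"}
MAX_MESSAGE_BYTES = 64 * 1024


class ProtocolError(ValueError):
    pass   # the only exception a well-behaved handler may raise for bad input


def handle_message_naive(raw: bytes) -> dict:
    """Hypothetical first-cut decoder that trusts the shape of what it receives."""
    msg = json.loads(raw)
    if msg["type"] not in ALLOWED_TYPES:        # TypeError if "type" is a list or object
        raise ProtocolError("unknown type")
    if len(msg["room"]) > 64:                   # KeyError if absent, TypeError if null/number
        raise ProtocolError("room too long")
    return {"type": msg["type"], "room": msg["room"]}


def handle_message(raw: bytes) -> dict:
    """Hardened decoder: size-limited, type-checked, every rejection is a ProtocolError."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ProtocolError("oversized")
    try:   # UnicodeDecodeError and JSONDecodeError are both ValueErrors
        msg = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        raise ProtocolError("malformed") from exc
    if not isinstance(msg, dict):
        raise ProtocolError("not an object")
    mtype = msg.get("type")
    if not isinstance(mtype, str) or mtype not in ALLOWED_TYPES:
        raise ProtocolError("unknown type")
    room = msg.get("room")
    if not isinstance(room, str) or not 1 <= len(room) <= 64 or not room.isalnum():
        raise ProtocolError("bad room")
    if mtype in ("offer", "answer"):
        sdp = msg.get("sdp")
        if not isinstance(sdp, str) or "a=fingerprint:" not in sdp:
            raise ProtocolError("bad sdp")
    return {"type": mtype, "room": room}


# Constructed seed corpus: well-formed messages the mutators start from.
SEEDS = [json.dumps(m).encode() for m in (
    {"type": "join", "room": "clinic42"},
    {"type": "offer", "room": "clinic42", "sdp": "v=0\r\na=fingerprint:sha-256 AA:BB\r\n"},
    {"type": "leave", "room": "clinic42"},
)]
NASTY_VALUES = [None, True, 0, -1, 2 ** 63, 1e308, "", "x" * 70000, "\x00",
                [], ["offer"], {}, {"type": "offer"}]
MAGIC = [b"{", b"}", b"[", b'"', b"\\", b"\x00", b"\xff", b"\\u0000", b"1e999"]


def structural_cases() -> Iterator[bytes]:
    """Deterministic shape confusion: swap or drop every field of every seed."""
    for seed in SEEDS:
        base = json.loads(seed)
        for key in base:
            for value in NASTY_VALUES:
                yield json.dumps({**base, key: value}).encode()
            yield json.dumps({k: v for k, v in base.items() if k != key}).encode()
    for value in NASTY_VALUES:                  # top level that is not an object
        yield json.dumps(value).encode()


def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Random byte-level damage: bit flip, token insertion, deletion, truncation, duplication."""
    out = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op, i = rng.randrange(5), rng.randint(0, len(out))
        if op == 0 and out:
            out[i % len(out)] ^= 1 << rng.randrange(8)
        elif op == 1:
            out[i:i] = rng.choice(MAGIC)
        elif op == 2 and out:
            del out[i % len(out)]
        elif op == 3:
            del out[i:]
        else:
            out[i:i] = out[:rng.randint(0, 16)]
    return bytes(out)


def outcome(handler: Callable[[bytes], dict], raw: bytes) -> str:
    """'accepted', 'rejected' (clean ProtocolError) or the name of a leaked exception."""
    try:
        handler(raw)
        return "accepted"
    except ProtocolError:
        return "rejected"
    except Exception as exc:                    # anything else is a handler bug
        return type(exc).__name__


def fuzz(handler: Callable[[bytes], dict], iterations: int = 2000, seed: int = 1) -> dict:
    """Run the structural corpus plus `iterations` random mutations; return counts."""
    rng = random.Random(seed)
    cases = list(structural_cases()) + [mutate_bytes(rng.choice(SEEDS), rng) for _ in range(iterations)]
    summary = {"accepted": 0, "rejected": 0, "crashes": 0}
    for raw in cases:
        result = outcome(handler, raw)
        summary[result if result in summary else "crashes"] += 1
    return summary
```

Run `fuzz(handle_message_naive)` and `fuzz(handle_message)` side by side: the naive handler's crash count is the list of code paths the page's fuzzing is meant to find before an attacker does, and the hardened handler's count should stay at zero as the corpus and seed are varied.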
Privacy
Video Call complies with Australian government privacy policies.
Video Call infrastructure and service conform with the Commonwealth Privacy Act 1988, the Australian Privacy Principles (in particular APP 8, cross-border disclosure of personal information, which underpins the data sovereignty requirement) and, wherever practicable, the Australian Government Information Security Manual (ISM).
Video Call connections are made peer-to-peer (browser-to-browser, without traversing central video infrastructure). Data shared in calls between participants is only ever available in decrypted form to the participating endpoints of the call; all intermediaries that forward the call can see only encrypted data. This applies to audio and video, as well as to all information exchanged in the session such as chat messages and documents. Video Call does not, by default, store any of the data shared in calls.
Patients enter waiting areas via a trusted service provider website and wait in their own private video room. For example, if a service provider runs late because a consultation with another patient is running over time, patients will not run into each other. The room created by Video Call is deleted after the consultation.
Patients can be seen by any service provider or clinic administrator who is authorised to access the clinic. Authorisation is defined by a unique login and assigned roles in the platform. Clinic administrators are responsible for assigning such access to their staff.
By default, Video Call does not retain identifiable patient information. Patients do not leave a digital footprint on the platform.
Data Sovereignty
If Australian data or data management moves offshore, it is no longer controlled within Australia and becomes subject to the laws of a foreign country or the practices of a foreign corporation. Access to and control of Australians’ data by foreign companies does not recognise the existing rights of Australians to have their privacy and data adequately protected.
Sensitive data about Australian citizens must therefore be stored on an ASD (Australian Signals Directorate)-certified cloud that can guarantee the information is not accessible by foreign entities.
Video Call takes a strict approach to hosting only within the AWS (Amazon Web Services) cloud, which has been certified by the ASD’s IRAP (Information Security Registered Assessors Program) which provides assurance that AWS has in place the applicable controls required by the ISM (Australian Government Information Security Manual).
Video Call can confirm that for Australian users:
- personal health data is used solely within the Australian legal jurisdiction,
- the confinement of all data storage is restricted to onshore data centres, and
- security protocols and systems are kept in Australia and within ASD requirements.
Scalability
Peer-to-peer calls take place directly from browser to browser, between health service providers and their clients. This avoids intermediary video servers, so the number of parallel calls is not limited by central media infrastructure.
Sometimes a peer-to-peer connection cannot be established because of corporate firewalls or NAT. For this purpose, STUN servers (for address discovery) and TURN relay servers are in place; TURN forwards the still-encrypted audio, video and data streams to their recipients outside the corporate boundary. While a relay server can handle a substantial load before it is saturated, it is important to deploy relays in a scalable fashion. Video Call’s relay servers run on the AWS cloud and are monitored; when higher load is detected, additional relay servers are spawned and transparently take over relay work. New relay allocations are spread across the pool by load balancing, and adding servers on demand in this way is auto-scaling.
Signalling servers are involved in setting up video calls, so particular attention has been given to deploying a scalable signalling infrastructure. Load testing has been undertaken on the Video Call signalling servers and they have been able to support hundreds of thousands of parallel calls. In addition, a network of signalling servers has been deployed in different AWS locations to lower latency between the endpoints of a video call and the signalling server by picking the closest signalling server to provide call signalling.
The web application is distributed into web browsers from an application server. As a large number of users start using Video Call, web application servers may also become very busy. Video Call has implemented load balancing for the application servers.
Video Call has been designed to scale. All database and server infrastructure has been designed using a stateless microservices architecture, allowing each component to be fault tolerant and capable of individually horizontally scaling to match the load on each service at any given point in time.
Support for your organisation
WebRTC based - WebRTC components are implemented in Chrome, Firefox and Safari from Open Source projects, under the guidance and review of many Web and telecommunications industry security experts.
Designed for health care - the Video Call environment is regularly reviewed and optimised for health-care. Exposure to vulnerabilities that are present in other communications services are limited in Video Call.
Accessed wholly via the web - Video Call is updated to work with the latest versions of Chrome, Firefox and Safari (Microsoft Edge support is planned as it moves to the Blink engine). These browsers receive regular security updates, so there is no need to wait for updates to Video Call.
Browser-confined application - Video Call runs securely within web browsers, limiting its ability to impact a computer's desktop environment or the mobile device being used through standard security measures implemented in web browsers.
Network security - Video Call only needs access to a few standard HTTPS and secure media ports from your desktop, laptop, or mobile device. These are detailed in the Network basics page in the Resource Centre.
Web proxy services - web traffic for Video Call uses existing web proxy services and security policies.
Call quality profiles - by setting Video Call quality profiles, clinicians can lower media demands on network links to stay within particular limits.
Accessibility - Video Call is committed to universal access for all users, so that all service providers and their patients can have the best experience possible. To support blind and vision-impaired users, the web application is accessible to screen readers, and zooming tools can be used. Video Call can also be used in three-way and four-way calls so that a sign language interpreter can join a live video session and support the deaf user in Auslan (Australian Sign Language).