hipaalink.net security initial testing - eviltoast

A therapist on another list asked if anyone had experience with hipaalink.net televideo service.

This looks like a promising small company with some neat features at only $9.95 per month. See below first however. I really don’t like that Facebook Connect is being contacted from the client’s browser when they login!

I spent a lot of time fighting to sign-up (had to change my settings to see their Captcha challenges). More of a problem – there was a very basic malfunction in the password selection process. Some “special characters” (you have to have one in the password) would not work (+ and #). I eventually got “-” to work. I got an almost immediate call-back when I sent a message about trouble picking a password (bug in our system, thank you for finding it, our programmers are fixing “special characters” this evening).

Did eventually set-up a 30-day free trial. So I can further tests later if I want to.

I noticed that https://hipaalink.net/<mysite> works, but https://www.hipaalink.net/<mysite> does not – another simple thing for their programming team to fix. (Older people are very used to “www” in front of everything, so this redirect should function.)

I kinda feel like I ought to be charging for debugging services.

I have not actually tried out video sessions yet. I’ve just run Privacy Badger and Ghostery browser plug-ins in both Opera and Firefox. Results:

CLIENT LOGIN PAGE: Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.com – cookies blocked

Ghostery: Facebook Connect – BLOCKED! Google Tag Manager – allowed

CLIENT IN-SESSION: Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.com – cookies blocked

Ghostery: Facebook Connect – BLOCKED! Google Tag Manager – allowed

++++++++++++++++++++++++++++++++++++++++++++++++++

THERAPIST LOGIN PAGE: Privacy Badger:

www.googletagmanager.com -- cookies blocked
fonts.gstatic.co -- cookies blocked

Ghostery: Google Analytics – “tracking not detected” it says Google Tag Manager – allowed Google APIs – allowed Google Static – allowed

THERAPIST IN-SESSION: (The same) Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.co – cookies blocked

Ghostery:

Google Analytics – “tracking not detected” it says Google Tag Manager – allowed Google APIs – allowed Google Static – allowed

++++++++++++++++++++++++++++++++++++++++++++++++

It’s necessary for some cookies and tracking to the functioning of a website. Privacy Badger and Ghostery are both detecting some of this from Google libraries which they choose to allow. I don’t have enough security engineering knowledge to know if these are harmless or not. I do know they are very common on most websites. Yet – Privacy Badger says they are blocking some cookies…

Facebook should not be contacted on the client side! I don’t know what Ghostery is blocking from being sent to Facebook, but this should not be on a HIPAA site. The connection between therapist and client seemed at first glance to work fine with Facebook blocked. I will discuss this with Hipaalink.net before I test it with actual clients. For now I give them the benefit of the doubt. I am told by a computer engineer that Facebook supplies some code libraries (like Google) which websites can use – maybe this is not intentional tracking, just their developers needing to fix this?

There is more tracking taking place on the home page and more public sections of the website than inside the login and televideo areas. So some effort to decrease tracking has been made. I see different trackers on the public areas of the website today than I did when I first checked on 7/24/23.

It’s a maybe… But at $9.95 per month hipaalink.net could be a nice option if they clean up minor tracking concerns. Again, I have not tested the video yet.

#psychology #neurology #socialwork #psychiatry @psychology@a.gup.pe @socialwork@a.gup.pe @psychiatry@a.gup.pe #mentalhealth #psychotherapists @psychotherapists@a.gup.pe #cookies #tracking #hacking #3rdpartytrackers #HIPAA #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare #dataprotection #hipaalink #hipaalinknet