Perspectives on technology in videoconferencing

Donald Trump Just Got Elected President. What Does This Mean for Telehealth?


There’s a lot of uncertainty going around about what the results of this election mean for the nation, with healthcare a major focus. While it’s difficult to determine what will happen with healthcare overall, you can be assured that Telehealth will always be a growing and relevant part of our lives.


Were you considering using WebRTC? Here’s why you shouldn’t.

Waiting for WebRTC, in the style of Waiting for Godot

WebRTC vs. Native apps; The former just isn’t ready.
WebRTC is built on a great and ambitious concept: browser-based, Real-Time Communications (RTC) that is free for any developer to implement. Google released WebRTC as an open source project in 2011 and in the years since, it has attracted contributors and private businesses that have developed on that foundation. Yet five years later, it’s still often referred to as being “in its infancy”, and has yet to be fully supported across all major browsers.

SecureVideo Launches First Responder, A Specialized HIPAA-Compliant Videoconferencing Solution

As the industry leader in HIPAA-compliant videoconferencing, SecureVideo is excited to introduce a groundbreaking new service offering. First Responder was designed specifically to meet the needs of EMTs, police, and other first responders, who often find themselves in the field, presented with a situation that could benefit from a consult or a second opinion. This new system makes that second opinion available at any time and from anywhere via mobile device with a 4G network.
“EMTs, police, firefighters, and the like, they’re well trained to handle any situation, but sometimes there’s reason to call for help,” said Tom Farris, Chief Clinical Officer at SecureVideo. “We’ve talked with first responders all over the country, and one thing we hear a lot is that they wish there was a way to get advanced medical or mental health advice in the field. That’s why we developed First Responder, and we’re excited to see it in action.”
While SecureVideo’s First Responder solution is dedicated to making on demand sessions as easily accessible as possible, it can also be used to schedule upcoming meetings for any date or time.

How does it work?
Wherever the system has been implemented, First Responders are able to send direct requests through the touch of a button to specialized medical or mental health professionals. They can either select the button for a specific remote provider or click the button for a group queue with multiple providers. With this, they can also attach a note specifying any details or comments that may be helpful to the situation. Immediately thereafter the provider(s) will see the request, respond and then real-time relevant advice is available to the First Responder — all in a matter of moments.
The First Responder platform is always on, providing continuous connection between a First Responder and medical or mental health advisors. Potential subscribers can rest assured that all clients’ Protected Health Information (PHI) will be safeguarded to HIPAA Technical Standards, which are guaranteed upon signing of a contractual agreement.
Click here to learn more about First Responder from SecureVideo

About SecureVideo
SecureVideo.com was founded in 2012 by a team of behavioral health and technology experts in the San Francisco Bay Area; they recognized a unique need for a videoconference system that could be quickly implemented and adapted to the workflows of any medical environment — hospitals, networks, clinics, individuals and more; a system that would allow existing medical organizations to offer telehealth services. It was evident that technology could now support this “do-it-yourself” approach, but the workflows needed to be designed correctly and it needed to be supported as a service, not just technology. SecureVideo was formed to meet this need, to support medical professionals as they harness technology to transform healthcare. To learn more, visit http://www.securevideo.com

When NetBIOS over TCP/IP Name Resolution Stops Working

NetBIOS over TCP/IP, also known as NBT, is a bad idea whose time never should have come. We all know we shouldn’t use it, or WINS for that matter; we should just use DNS everywhere. And we also know that we shouldn’t eat a lot of bacon. But if someone has a plate of bacon ready for me at the bottom of the stairs every morning, I will eat some of that bacon, every morning. And so it is for NetBIOS: in a few cases, such as when connecting to a particular VPN, I will eat the bacon of technology and just let NetBIOS resolve the host names on the remote network.

For the last 15 years, this has generally worked well. And why not? NetBIOS is grossly inefficient–firing broadcasts of all kinds around the entire LAN (and if on a VPN, the remote network) to find out who is who and what is what–but that’s like using a tennis racket to hit a ping pong ball: you’ll hit the ball, every time.

Yesterday, NetBIOS name resolution just stopped working for me. I had put my Windows 7 workstation onto the network of a large corporate customer, and noticed I could no longer reach remote VPN machines using their NetBIOS names. That’s OK, I thought, when I get back onto my home network, all will be well. But all wasn’t well, even on my home network.

After quite a bit of googling, trial, and failure, most of it involving running various nbtstat commands on my adapters or net view commands, I found that ipconfig /all showed a working computer to have a Node Type of “Hybrid”, and my failing workstation to have a Node Type of “Peer-Peer”.

To set the Node Type to “Hybrid”, I had to edit the registry as described here, using these steps:

1) Run the registry editor and open this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters
2) Delete the DhcpNodeType value if it’s present.
3) If the NodeType value isn’t present, create it using type: DWORD.
4) Set NodeType to 8 (Hybrid).

Then I disabled and re-enabled my network adapter, and voila! I could once again use NetBIOS, both on my LAN and to reach remote hosts over VPN. Now that’s some good bacon!

Saving Fiddler Responses To Disk


Fiddler is a fantastic tool that allows developers and IT professionals to see what’s happening under the hood when a web page is requested by a user.  Somewhat simplified, when a user visits a web page, whether she knows it or not, she is using the HTTP protocol to request a web resource, and then the web server is using HTTP to respond with the HTML of the page itself.  This HTML is rendered by the browser into a pretty page, after any source files such as images or style sheets that were referenced in the HTML are downloaded, also using HTTP.

For the first time in my career, I came across a situation today where a user’s computer was crashing the moment that user visited a web page using Internet Explorer 9.  While this is apparently some issue with that particular computer–no browser should allow its host to crash, regardless of what HTML is returned–I wanted to see some Fiddler output in order to confirm that the HTML request and response causing this crash were not being intercepted and modified somewhere along the way.  The problem was this: the Fiddler log could not be analyzed or saved, because the computer was crashing the moment the web page was requested!

Fortunately, Fiddler has a scripting technology called FiddlerScript that offers hope in a situation like this.

Step 1: Click “Customize Rules”


Step 2: Add code to decode the response, and then save the response body, into the CustomRules.js file that pops up when you click “Customize Rules”:

 static function OnDone(oSession: Session) {
  // Put the URL you want to save here
  if(oSession.url.Contains("hub.securevideo.com/Pass/Join")) {
   oSession.utilDecodeResponse();
   oSession.SaveResponseBody();
  }
 }

This will write the response, after Fiddler has received it, and before it is passed to the browser, to your My Documents\Fiddler2\Captures folder.

Step 3: Request the crash page, and hopefully after you recover from the crash, you will have one or more HTML files in your My Documents\Fiddler2\Captures folder.

Step 4: You can then compare the HTML returned in the capture to the HTML which is returned by any other computer.  If it is the same HTML, then the computer is clearly having some problem, and needs to be fixed.  If the HTML is different, then some process either on the host computer (such as a worm) or on the host network is most likely modifying the HTML to cause the crash.

Note, depending on the timing and cause of the crash, this code might need to be placed in different functions.  I started with the code in OnDone so that it would run once the entire request and response were available, but depending on the crash timing, it might have to be placed earlier.  This whole idea also might or might not work in some cases, depending again on the crash cause and timing.

How to paste a screenshot from Google Chrome to ASP.NET MVC

If you’re like me, someone who has been building web applications for 15 years or so, then like me, you probably freaked out the first time you pasted a screenshot into your Gmail.  You thought, “what just happened?”  You thought, “wait, this shouldn’t be possible!”  And your immediate next thought was, “omg, how do I do that?”

This is not a ubiquitous functionality at the moment–I’m not able to paste a screenshot into Yahoo! Mail or WordPress right now, nor did I have a need to figure out a way to paste anything using Internet Explorer or Firefox.  In building a Knowledge Base for our SecureVideo.com support team to be able to serve content onto our website, we decided to implement the ability for them to paste a screenshot to our server using AJAX, have the server show the URL, and then allow them to upload HTML and include the screenshots by creating image tags using the TinyMCE HTML Editor.

Anyone can implement TinyMCE by googling, but the tricky part was getting the paste and AJAX to work, and mind you, as of the time of this writing, this only works in Chrome.  That’s fine for me since our support team uses Chrome, but if you can’t control the browser choice, then this method will not be as valuable to you.

First, you need to capture the paste event on your web page.  This is done using some Chrome-specific JavaScript to handle the paste event, and jQuery to send the image to the server via AJAX.

        
   document.onkeydown = function (e) { return on_keyboard_action(e); }
   document.onkeyup = function (e) { return on_keyboardup_action(e); }

   var ctrl_pressed = false;

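   function on_keyboard_action(event) {
       var k = event.keyCode;
       //ctrl
       if (k == 17) {
           if (ctrl_pressed == false)
               ctrl_pressed = true;
           // pasteCatcher (a focusable fallback element for browsers without
           // clipboard support) is not defined in this snippet, so guard it
           if (!window.Clipboard && typeof pasteCatcher !== "undefined")
               pasteCatcher.focus();
       }
   }
   function on_keyboardup_action(event) {
       // Read the key from this event rather than a leftover global
       var k = event.keyCode;
       //ctrl
       if (k == 17)
           ctrl_pressed = false;
   }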

   // Paste in from Chrome clipboard
   window.addEventListener("paste", pasteHandler);
   function pasteHandler(e) {
       if (e.clipboardData) {
           var items = e.clipboardData.items;
           if (items) {
               for (var i = 0; i < items.length; i++) {
                   // Only process anything if we have an image
                   if (items[i].type.indexOf("image") !== -1) {
                       // Get the pasted item as a File Blob
                       var blob = items[i].getAsFile();

                       // Reader will read the file
                       var reader = new FileReader();

                       // This fires after we have a base64 load of the file 
                       reader.onload = function (event) {
                           // Once reader loads, send the blob to the server
                           $.ajax({
                               type: "POST",
                               url: '/Knowledge/Screencap',
                               data: event.target.result,
                               success: function (resultHtml) {
                                   // Show the uploaded image
                                   $("#screencap-container").html(resultHtml);
                               }
                           });
                       };
                       // Convert the blob from clipboard to base64
                       // After this finishes, reader.onload event will fire
                       reader.readAsDataURL(blob);
                   }
               }
           }
       }
   }

Once you’ve got the paste and AJAX calls set up, the user pastes an image, and then the AJAX call sends your base64 encoded image to the server.  Here’s the actual content sent in the HTTP POST:

...

On the ASP.NET MVC side, I was not able to get the controller to automatically bind the posted data into a controller parameter.  It’s probably possible, but I’m under some time pressure, so I just examined the HTTP Request’s Input Stream, and picked the image from there.

      
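   // Requires: using System; using System.IO; using System.Web.Mvc;
   public ActionResult Screencap()
   {
      // Get the raw input stream (return to the start of the stream first!)
      Request.InputStream.Position = 0;
      string payload = new StreamReader(Request.InputStream).ReadToEnd();

      // The payload is a data URL; the image follows the "base64," marker
      string indicator = "base64,";
      int imageStartIdx = payload.IndexOf(indicator);
      if (imageStartIdx < 0)
      {
          // Nothing was saved, so don't return a URL for a file that doesn't exist
          return new HttpStatusCodeResult(400, "No base64 image in request");
      }

      string base64Image = payload.Substring(imageStartIdx + indicator.Length);
      byte[] fileBytes = Convert.FromBase64String(base64Image);
      // saveToPath is the server-side destination path; its definition is not shown here
      System.IO.File.WriteAllBytes(saveToPath, fileBytes);

      // Return the URL of the newly saved file for display on the browser
      return Content(PathManager.ToUrl(saveToPath));
   }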
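
A stricter way to handle the posted data URL before anything is written to disk, as an added example rather than the post's own code: it accepts only a PNG data URL, caps the size, checks the PNG signature, and names the file on the server. The data:image/png;base64, prefix, the 5 MB limit and the names PastedImage, TryDecode and Save are assumptions.

```csharp
using System;
using System.IO;

public static class PastedImage
{
    // Assumed prefix of the data URL produced by readAsDataURL for a pasted screenshot.
    const string Prefix = "data:image/png;base64,";
    // Assumed upload limit; pick one that suits your screenshots.
    const int MaxBytes = 5 * 1024 * 1024;
    // The eight-byte signature every PNG file starts with.
    static readonly byte[] PngSignature = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };

    // Returns the decoded PNG bytes, or null when the payload is not an acceptable image.
    public static byte[] TryDecode(string payload)
    {
        if (payload == null || !payload.StartsWith(Prefix, StringComparison.Ordinal))
            return null;

        // Reject oversized input before decoding: base64 turns 3 bytes into 4 characters.
        int base64Length = payload.Length - Prefix.Length;
        if (base64Length == 0 || base64Length > (MaxBytes / 3 + 1) * 4)
            return null;

        byte[] bytes;
        try
        {
            bytes = Convert.FromBase64String(payload.Substring(Prefix.Length));
        }
        catch (FormatException)
        {
            return null; // not valid base64
        }

        if (bytes.Length < PngSignature.Length || bytes.Length > MaxBytes)
            return null;

        // The declared MIME type is client-controlled, so check the content itself.
        for (int i = 0; i < PngSignature.Length; i++)
        {
            if (bytes[i] != PngSignature[i])
                return null;
        }
        return bytes;
    }

    // Writes the image under a server-generated name, so nothing taken from the
    // request ends up in the path or the extension. Returns the file name.
    public static string Save(byte[] png, string uploadDirectory)
    {
        string fileName = Guid.NewGuid().ToString("N") + ".png";
        File.WriteAllBytes(Path.Combine(uploadDirectory, fileName), png);
        return fileName;
    }
}
```

In the Screencap action, the file would be written only when TryDecode returns a non-null array, and the URL returned to the browser would be built from the name Save returns.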

Now my support staff can add Knowledge Articles, including lots and lots of screenshots (a good thing), without ever leaving the browser window!

SecureVideo For Any Professional

Did you know that SecureVideo.com is not just for people in the medical field that need to abide by HIPAA laws?

The truth is, anyone looking for an easy, secure, low-cost video conferencing connection could use SecureVideo.  Our meetings are peer-to-peer.   That means your video session isn’t routed through any servers and it can’t be saved or recorded by SecureVideo.com, nor subpoenaed from us.   Your meetings stay confidential, as if you were talking to a person face-to-face.

In general, much of our daily communication is nonverbal.  Unlike phone calls, you can read more of your clients’ or associates’ nonverbal cues through a videoconference call.  This comes in handy, especially since we spend so much time communicating electronically, missing the tone and body language that accompany the actual text we read.

SecureVideo customers also benefit from the scheduler included with all SecureVideo plans and branding features you get with the Individual PLUS or Enterprise Plan.   These features enable more of your clients to keep their appointments with you.   Plus, your session invites appear to come from your own videoconferencing platform: YourCompanyNameHere.securevideo.com.   How cool is that?

Video conferencing has become a necessary tool for communication in any field.   For example, lawyers can use it to gather oral statements for a deposition, without involving expensive or lengthy travel.  Or allow loan officers to interview their borrowers remotely and process applications in collaboration with other bank branches.  It could also give Human Resource managers a way to conduct interviews with talented candidates, without restricting their choices to local applicants.

You know your workflow best.  When your business calls for secure, face-to-face communication, you have options.  Try us for free.

SecureVideo vs. Google Helpouts

Doctor’s visits online?  Having multiple carriers to choose from?  Are we living in a futuristic time or what?!  Like many of you out there, I’m new to the field of telemedicine.  Not as a practitioner but as a Technical Support Agent.

I recently moved from the bustling, densely populated San Francisco Bay Area to a picturesque town in rural western Massachusetts.  Adjusting to vast open landscapes and honking bands of geese in a town of 7,000 is radical.  One of the realities living here is a shortage of skilled medical professionals.  Looking for a new doctor has been a feat.  Office after office I’ve called across neighboring towns are not accepting new clients.  The best lead I’ve found is a health center with a waitlist of 100 people for a new doctor they hope to hire by the end of November.   It made perfect sense to learn that telehealth sprouted from the need to serve people in remote areas, according to an interview with Dr. Joseph Kvedar by Lylah M. Alphonse, Managing Editor of Special Reports for U.S. News & World Report.

Using technology to build access and connections with people is so important to our time.  Equally important is privacy.  As we send information into cyberspace, we certainly want it kept securely and ethically.  Patient privacy is of utmost concern in providing online healthcare.  SecureVideo offers a person to person, HIPAA-compliant solution that helps people gain access to care that otherwise might not be available.  We do not have the ability to record sessions, so information shared over SecureVideo.com stays private always.

As I’m reading up about telemental health, I see that the Google giants are also jumping into remote person-to-person videoconferencing solutions, called Helpouts.  Their service hinges upon people helping people in real-time.  They have different categories of Helpouts, including Health where some health providers are making themselves available.  I thought it would be worthwhile to review how SecureVideo and Google Hangouts stack up for those of you looking into videoconferencing solutions for healthcare.

SecureVideo:

Affordable. We do not take a fixed % of your session. There are three different plans ranging from $2-$4 per session.  If you are new to videoconferencing, our free account offers you four sessions a month.

True privacy.  HIPAA-compliant one to one connection.  We do not record your sessions.

Sophisticated scheduler and appointment reminder system reduces no-shows.

Branding.  Use your own color schemes, logos, etc.  All outgoing communication to clients will read from you instead of SecureVideo.com

Business Associate Agreement (BAA).  We can provide a written assurance to properly safeguard protected health information.

Easy PayPal integration. Optional for Individual Plus and Enterprise customers.  Allows your clients to pay for services directly through your session page.

Take your existing business online. SecureVideo is a great solution for your established or budding practice.

Easy!  You can be up and running literally in minutes.

Google Helpouts:

Up to 20% per transaction. There is a lack of clarity around how they charge for a health Helpout, but as of Jan. 2014 there will be a fixed percentage charged per transaction.

A public Google+ page is required to promote your business.

A Google wallet account is required for set up.

Screening. You must go through a third party screening process to verify your credentials.

Helpouts offer BAA agreements. Originally, I had thought they didn’t.  It’s a good thing, since they are required by the United States Department of Health and Human Services for HIPAA compliance.  However, the world recently discovered that the NSA and the British equivalent, GCHQ hacked into Google’s overseas servers.  Levi Sumagaysay, Editor of SiliconBeat, the San Jose Mercury News’ Tech Blog, wrote “there are more government requests for Google user data than ever, with the number doubling in the past three years.”

100% money back guarantee for clients only when you allow Google to record your sessions for quality assurance.  They seem to be waiving this for Health hangouts to meet HIPAA compliance.

Your privacy is questionable. This is the major sticking point.  On October 30, 2013, The New York Times reported that the National Security Agency tapped Google’s and Yahoo’s fiber-optic cables.  The GCHQ has the “ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be shifted and analysed,” according to an article in June by the Guardian. Google has shown concern for this kind of spying and has been working on encryption since news of snooping leaked over the summer.  It is clear, however, that NSA and GCHQ have the capacity to intercept recordings of calls, emails, and other data, including videoconferencing sessions.

Without a doubt, Google’s Helpouts page is impressive.  There is a very cool video that reminded me how much I’ve always wanted to take guitar lessons.  But when you cut through the color schemes, the cool video, and the big name:  SecureVideo offers more for less.  Less hassle.  Less artificial constructions that keep you steps away from simple and direct one-to-one connections.  Patients are waiting with real concerns.  Don’t make them wait any longer than necessary.  Meet them with more of you and a lot more privacy.

Snowden Leaks Disclose NSA-Skype Cooperation

In a story that has been developing over the past several weeks, The Guardian disclosed last week that Microsoft has been providing the National Security Agency with access to recorded data collected on Skype, which was purchased by Microsoft for $8.5 billion in 2011.

The files provided by Edward Snowden illustrate the scale of cooperation between a number of Silicon Valley companies and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian. In the past, Microsoft has been evasive when asked about the privacy of communications over its popular VOIP platform, but these disclosures have blown the lid off Microsoft’s credibility on the issue. In fact, the recent statement by Microsoft’s general counsel, attempting to rebut the Guardian’s reporting, stated that, “going forward, it assumes Skype calls will be regarded just like any other phone call – mobile or landline.”

It should now be perfectly clear that using Skype for any telemedical communications involving Protected Health Information (PHI) is a prima facie violation of the HIPAA Security Rule.

As our Chief Technical Officer has pointed out, both here and on our website, www.SecureVideo.com, we do not record any communications which use our service. All contact between practitioner and patient is direct and unmediated, so there is no way that it can be intercepted or reproduced. Your Protected Health Information is truly protected here.

Stephen C. Taylor
General Counsel
SecureVideo.com

Implementing JSON Web Tokens in .NET with a Base 64 URL Encoded key

I wasn’t able to find any good technical examples of how to implement JSON Web Tokens (JWT) for .NET when the key is Base 64 URL encoded according to the JWT spec (http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08#appendix-A.1, page 35).

John Sheehan’s JWT library on GitHub is a nice starting point, and works well when the key is ASCII encoded already, but it cannot be used without modification if the key is Base 64 URL Encoded.

Here’s the solution:

using System;
using System.Security.Cryptography;
using System.Text;

// (place the methods below inside your own class)

// URL Encode the string, according to
// http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08#appendix-A.1, page 35
public string Base64UrlEncode(byte[] arg)
{
    string s = Convert.ToBase64String(arg); // Regular base64 encoder
    s = s.Split('=')[0]; // Remove any trailing '='s
    s = s.Replace('+', '-'); // 62nd char of encoding
    s = s.Replace('/', '_'); // 63rd char of encoding
    return s;
}

public byte[] Base64UrlDecode(string arg)
{
    string s = arg;
    s = s.Replace('-', '+'); // 62nd char of encoding
    s = s.Replace('_', '/'); // 63rd char of encoding
    switch (s.Length % 4) // Pad with trailing '='s
    {
        case 0: break; // No pad chars in this case
        case 2: s += "=="; break; // Two pad chars
        case 3: s += "="; break; // One pad char
        default: throw new System.Exception(
            "Illegal base64url string!");
    }
    return Convert.FromBase64String(s); // Standard base64 decoder
}

// Implementation of http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08,
// section A.1.1, JWS using HMAC SHA-256 (encoding), by J.T. Taylor, SecureVideo.com
public string GetAuthenticationToken(string base64UrlEncodedSecretKey, string userId)
{
    // Prepare authentication token
    // Get Unix-style expiration date (two days from now)
    double unixSeconds = (DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    double expiry = unixSeconds + (2 * 24 * 60 * 60);

    // JWS header: base64url of the UTF-8 JSON
    string jwsHeader = "{" +
        "\"typ\":\"JWT\"," +
        "\"alg\":\"HS256\"" +
        "}";
    byte[] jwsHeaderUtf8Bytes = Encoding.UTF8.GetBytes(jwsHeader);
    string encodedJwsHeaderValue = Base64UrlEncode(jwsHeaderUtf8Bytes);

    // JWS payload. userId is inserted verbatim, so it must not contain
    // quotes or backslashes, or the claims JSON can be altered
    string payloadJson = "{" +
        "\"sub\":\"" + userId + "\"," +
        "\"iss\":\"service-id\"," +
        "\"exp\":" + expiry.ToString("0") +
        "}";
    byte[] jwsPayloadUtf8Bytes = Encoding.UTF8.GetBytes(payloadJson);
    string encodedJwsPayloadValue = Base64UrlEncode(jwsPayloadUtf8Bytes);

    // The signature covers "header.payload"
    string jwsSecuredInputValue = encodedJwsHeaderValue + "." + encodedJwsPayloadValue;
    byte[] jwsSecuredInputAsciiBytes = Encoding.ASCII.GetBytes(jwsSecuredInputValue);

    // The HMAC key is the decoded key bytes, not the bytes of the encoded string
    byte[] secretKeyBytes = Base64UrlDecode(base64UrlEncodedSecretKey);
    byte[] signatureBytes;
    using (var hmacSha256 = new HMACSHA256(secretKeyBytes))
    {
        signatureBytes = hmacSha256.ComputeHash(jwsSecuredInputAsciiBytes);
    }
    string encodedJwsSignatureValue = Base64UrlEncode(signatureBytes);

    string jwt = jwsSecuredInputValue + "." + encodedJwsSignatureValue;
    return jwt;
}
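
The verifying side of a token built this way, as an added example that is not code from the original post or from the JWT library it mentions: it decodes the base64url key the same way, accepts only HS256, compares the HMAC in constant time, and checks exp before trusting sub. It assumes .NET 6 or later (System.Text.Json, CryptographicOperations, RandomNumberGenerator.GetBytes); JwtHs256Verifier, TryValidate and the demo key and claims in Main are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class JwtHs256Verifier
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    static string Base64UrlEncode(byte[] arg) =>
        Convert.ToBase64String(arg).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Base64UrlDecode(string arg)
    {
        string s = arg.Replace('-', '+').Replace('_', '/');
        if (s.Length % 4 == 1) throw new FormatException("Illegal base64url string");
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // True only when the header says HS256, the signature verifies under the
    // decoded key, and "exp" is in the future; subject then holds the "sub" claim.
    public static bool TryValidate(string jwt, string base64UrlEncodedSecretKey,
                                   DateTime utcNow, out string subject)
    {
        subject = "";
        string[] parts = (jwt ?? "").Split('.');
        if (parts.Length != 3) return false;
        try
        {
            // Pin the algorithm instead of trusting whatever the header names.
            using (JsonDocument header = JsonDocument.Parse(Base64UrlDecode(parts[0])))
            {
                if (header.RootElement.GetProperty("alg").GetString() != "HS256") return false;
            }

            // Recompute the HMAC over "header.payload" with the decoded key bytes.
            byte[] expected;
            using (var hmac = new HMACSHA256(Base64UrlDecode(base64UrlEncodedSecretKey)))
                expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            if (!CryptographicOperations.FixedTimeEquals(expected, Base64UrlDecode(parts[2])))
                return false;

            // Only after the signature checks out are the claims read.
            using (JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1])))
            {
                JsonElement root = payload.RootElement;
                if (root.GetProperty("exp").GetDouble() <= (utcNow - Epoch).TotalSeconds)
                    return false;
                string sub = root.GetProperty("sub").GetString();
                if (string.IsNullOrEmpty(sub)) return false;
                subject = sub;
                return true;
            }
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException ||
                                   ex is InvalidOperationException || ex is KeyNotFoundException)
        {
            return false; // malformed token: rejected the same way as a bad signature
        }
    }

    public static void Main()
    {
        // Constructed demo key and claims; not values from the post.
        string key = Base64UrlEncode(RandomNumberGenerator.GetBytes(32));
        DateTime now = DateTime.UtcNow;
        long exp = (long)(now - Epoch).TotalSeconds + 3600;
        string input =
            Base64UrlEncode(Encoding.UTF8.GetBytes("{\"typ\":\"JWT\",\"alg\":\"HS256\"}")) + "." +
            Base64UrlEncode(Encoding.UTF8.GetBytes(
                "{\"sub\":\"user-1\",\"iss\":\"service-id\",\"exp\":" + exp + "}"));
        string signature;
        using (var hmac = new HMACSHA256(Base64UrlDecode(key)))
            signature = Base64UrlEncode(hmac.ComputeHash(Encoding.ASCII.GetBytes(input)));
        string jwt = input + "." + signature;

        bool ok = TryValidate(jwt, key, now, out string sub);
        Console.WriteLine("valid token: " + ok + ", sub=" + sub);
        Console.WriteLine("after expiry: " + TryValidate(jwt, key, now.AddHours(2), out _));
        string otherKey = Base64UrlEncode(RandomNumberGenerator.GetBytes(32));
        Console.WriteLine("wrong key: " + TryValidate(jwt, otherKey, now, out _));
    }
}
```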