key: cord-0943114-d9xrrqke authors: Cubo, Esther; Arnaiz-Rodriguez, Adrian; Arnaiz-González, Álvar; Díez-Pastor, José Francisco; Spindler, Meredith; Cardozo, Adriana; Garcia-Bustillo, Alvaro; Mari, Zoltan; Bloem, Bastiaan R. title: Videoconferencing Software Options for Telemedicine: A Review for Movement Disorder Neurologists date: 2021-10-11 journal: Front Neurol DOI: 10.3389/fneur.2021.745917 sha: e0f6b595afe134c38f9db344e5c24ae934e25c70 doc_id: 943114 cord_uid: d9xrrqke Background: The use of telemedicine has increased to address the ongoing healthcare needs of patients with movement disorders. Objective: We aimed to describe the technical and basic security features of the most popular telemedicine videoconferencing software. Methods: We conducted a systematic review of articles/websites about “Telemedicine,” “Cybersecurity,” and “Videoconferencing software.” Technical capabilities and basic security features were determined for each videoconferencing software. Results: Twenty-six videoconferencing software programs were reviewed, 13 (50.0%) were specifically designed for general healthcare, and 6/26 (23.0%) were compliant with European and US regulations. Overall technical and security information were found in 5/26 software (19.2%), including Microsoft Teams, Google Hangout, Coviu, Doxy.me, and Thera platforms. Conclusions: Detailed information about technical capabilities and data security of videoconferencing tools is not easily and openly retrievable. Our data serves as a guide for practitioners seeking to understand what features should be examined when choosing software and what options are available. BACKGROUND Advances in technology have expanded telemedicine opportunities in medical practice, research, and education. 
After the declaration of the COVID-19 outbreak as a pandemic, the use of telemedicine has increased to address the ongoing healthcare needs of patients with chronic illnesses, for example, by the introduction of interdisciplinary telehealth services (1) (2) (3). Such services have helped reduce the number of in-person clinic visits and thereby minimize human exposure to coronavirus. In response to the surging need for remote care, many countries worldwide have expanded laws and regulations to permit greater adoption of telemedicine systems, have provided increased guidance on digital health technologies and cybersecurity expectations, and have expanded reimbursement options (4, 5). Many organizations, including the American Academy of Neurology and the International Parkinson and Movement Disorder Society, have also issued telemedicine guidelines (6, 7). As demand increased, the pandemic caused a global surge in the use of videoconferencing tools (8). Movement disorders may be considered particularly fitting for distance health/remote visits with videoconferencing, because of the critical importance of observing phenomenology, visual aspects of the exam, speed, presence, distribution, and characteristics of tremor, dyskinesias, etc. In addition, patients with movement disorders are characterized by mobility limitations, and the sparse distribution of movement disorder specialists increases the difficulty of access (1). Even before telehealth burst into the forefront, movement disorder specialists had been gathering videos of patients for decades at major meetings and weekly video conferences within their group. However, physicians need unbiased and expert guidance in choosing videoconferencing software, including insights into the legal framework, technical capabilities, licenses, patients' access, and costs. Compliance with software data protection requirements is likely to be different worldwide.
Examples of data protection regulations include the European Union General Data Protection Regulation (GDPR), which is essential for protecting personal data in Europe. In North America, physicians would look for Health Insurance Portability and Accountability Act (HIPAA) compliant software. Given the increasing offers for videoconferencing in the market, in this article, we describe the technical and basic security standard features of the most popular telemedicine videoconferencing software platforms to inform neurologists interested in developing telemedicine programs. This review does not aim to provide international or national-based legal information for videoconferencing tools. For the selection of recent videoconferencing software, we conducted a systematic review of articles published since January 2020 from Medical and Telemedicine Societies, PubMed, and Google using the following keywords: "Telemedicine," "Cybersecurity," and "Videoconferencing software." Only articles and websites in English with detailed information about videoconferencing software characteristics were reviewed. We excluded supplementary applications designed to increase the security of access to electronic health medical records or video-based pose estimation of movements with artificial intelligence-based analysis. The following characteristics were determined for each videoconferencing software: chat capability (ability to send/receive text messages), call capability (phone calls), videoconference capability (one-to-one, group meetings), screen share capability (ability to share your screen with different documents), healthcare-based (previous use in medicine), pricing, supported operating systems and platforms, communications protection (encryption), extra security layer, security measures in group meetings (administration of pass-invitations), Security Standard Compliance, and Privacy policy.
Twenty-six videoconferencing software programs were identified (Tables 1, 2; Supplementary Figure 1). Regarding the technical capabilities, 13/26 (50.0%) were designed specifically for use in healthcare. All requested information was found in only 5/26 (19.2%) applications, including information frequently requested by users such as pricing, found in 11/26 (42%), and security information, found in 11/26 (43%), with 6 out of 26 (23.0%) compliant with both HIPAA and GDPR. All detailed information and definitions are included in Tables 1, 2. This article summarizes the main technical and security aspects of commercially available videoconferencing software for healthcare use, features that a clinician should consider while choosing a videoconferencing software. Overall, the main features of current videoconferencing software are applicable to healthcare in general and they are not specific to movement disorders. Surprisingly, we collected complete data regarding capability and security in less than 20% of videoconferencing software platforms in use, suggesting that information about technical capabilities and data security is not easily and openly accessible for interested future users. In addition, complete and explicit information on whether the vendor/subcontractors have access to the data, including the video and other medical information, was also not entirely available for review. In this review, we have not included other essential aspects for a successful videoconference visit. The first is the size of the room where the videoconference is conducted and the number of participants. These aspects will determine the exact type of equipment (camera, microphone, speakers, etc.) needed to obtain good video and audio quality. Secondly, it is recommended to follow videoconference etiquette tips, including adequate lighting in a professional environment, eliminating background noise and looking straight at the camera, dressing professionally, and avoiding multitasking (9).
Given the significantly increased use of remote care delivery during the Covid-19 pandemic, neurologists are facing an opportune time to expand the access to patients with movement disorders using videoconferencing tools (3, 10). A shift to video conferencing visits must be accompanied by efforts to prepare for and protect against breaches of security and privacy. Concern over such breaches is one of the many barriers and challenges against the more widespread adoption of telemedicine (2). Cybersecurity must be appropriately addressed to continue providing the best and safest care to our patients. To date, the most common strategies to enhance the cybersecurity of videoconferences include (1) password requirements, preventing unsolicited visitors from joining the meeting; (2) careful selection of software with the involvement of the IT department; (3) downloading the official release with regular updates for security patches; (4) ensuring there is no storage of video or medical data by the vendor; (5) identifying and monitoring attendees, with an alert when new attendees join the videoconference; (6) setting up waiting rooms that allow the organizer to determine whether those waiting are eligible to participate; and (7) encrypting meeting recordings, making the information unreadable when obtained by third parties. Presently and in the future, telemedicine may continue to be necessary to overcome infectious or other public health disasters/pandemics, where a healthcare response can be mobilized in a short period of time (5). In response to the Covid-19 pandemic, telephone calls, messaging apps, or video visits have replaced or supplemented outpatient clinics (5). New regulations for telemedicine were created; for example, in South Korea, the illegal status of following established patients through telemedicine was lifted (5). Governments from several countries have initiated legislation to promote and regulate telemedicine and/or amended their prior restrictive regulations, including the US, Europe (11), and Saudi Arabia.
April 12, (2021). If an application has two versions of its product and one of them is healthcare-based, only the healthcare-based was analyzed. The features of each health-based platform were gathered for the complete version (e.g., if there are three pricing plans for an application, the features of the complete one were selected). ? in any column means that we have not found any information. HIPAA and SOC2 (and others) are additional security standards.
ADFS, Active Directory Federation Services (AD FS). It is software developed by Microsoft. It provides users with unique credentials to access all applications within the same organization.
AES, Advanced Encryption Standard. It is a specification for the encryption of electronic data. It was established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES can use three different key lengths: 128, 192, and 256.
APP, Advanced Protection Program. It is a system developed by Google, protecting users from all kinds of intentional online attacks. New protections are added automatically to deal with emerging threats.
BAA, Business associate agreement. BAAs are hybrid contractual and regulatory instruments, meaning they both satisfy HIPAA regulatory requirements and create liability between the parties.
CCPA, California Consumer Privacy Act. The CCPA, approved in 2018, gives consumers more control over businesses' personal information about them. The CCPA regulations also guide how to implement the law.
CSF, Common Security Framework. It is a set of documented policies and controls that govern an organization's security implementation and ongoing management.
COPPA, Children's Online Privacy Protection Rule. It is a privacy act that imposes specific requirements on operators of websites or online services that collect personal information from children under 13 years of age.
DTLS, Datagram Transport Layer Security. It is a protocol that provides privacy in communications. This protocol secures client/server applications to avoid unwanted eavesdropping, unauthorized access, or message modification.
E2EE, End-to-end encryption. It is a communication system where only the end users can read the messages. No third party can decrypt the data that is being communicated or stored.
ECDHE-RSA, The acronym RSA comes from the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who publicly described the algorithm in 1977. RSA is a public-key cryptosystem that is widely used for secure data transmission. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is an anonymous key establishment protocol.
EEA, European Economic Area.
Face-ID, A facial recognition system that allows biometric authentication; it was designed and developed by Apple. it is used to exchange authentication and authorization data between parties, particularly between an identity provider and a service provider.
SaaS, Software as a Service. It is a cloud computing model in which it is possible to pay for the use of a particular software without worrying about buying or operating that software.
SIP, Session Initiation Protocol. It is a protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video, and messaging applications. It is used for private voice and video calls.
SHA, Secure Hash Algorithms. They are a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST). SHA is used as a checksum to verify data integrity.
SCEP, Simple Certificate Enrollment Protocol. A protocol created by the IETF, designed to make the request and issuing of digital certificates as simple as possible.
SOC2, System and Organization Controls; three levels are defined: SOC1, SOC2, and SOC3. It is an audit that measures the effectiveness of a cloud system based on the Principles and Criteria of the American Institute of Certified Public Accountants (AICPA).
SSO, Single Sign-On. An authentication scheme that allows users to log in with a single ID and password to several related yet independent software systems.
SRTP-RTP, Secure Real-time Transport Protocol. An extension of the Real-Time Transport Protocol that adds security features, such as message authentication, confidentiality, and replay protection, mainly intended for VoIP communications.
TLS-SSL, Transport Layer Security and its now-deprecated predecessor, Secure Sockets Layer. They are protocols for web browsers and servers that allow the authentication, encryption, and decryption of data sent over the Internet.
MFA/2FA, Multi-factor authentication (MFA) or two-factor authentication (2FA). It is a method that reinforces the security of applications, granting access to the system only after a user presents two or more different proofs of their identity.
Frontiers in Neurology | www.frontiersin.org
The strength of our conclusions is tempered by some limitations, including selection bias given the lack of information on non-English-based videoconference software. There are also aspects important to users which were not included in our table, such as "How" to conduct a videoconference (with a laptop, mobile phones, tablets) and with "Whom" (with patients, caregivers, or other health professionals), which are decisive factors for a successful videoconference in certain populations. We also did not elaborate on the ongoing debate concerning the best indications for the use of videoconference visits in movement disorders. However, most would appear to agree that videoconferencing should be reserved for follow-up visits, intermingled with in-person visits to the hospital whenever possible, but preferably not for making a diagnosis in a new patient (12, 13). Previous literature has shown a digital gap and poor eHealth literacy (14), especially in elderly, uneducated patients, limiting telemedicine's usefulness in certain groups of patients. An extra layer of support is sometimes required to facilitate and expand the use of videoconferences by patients, including caregivers' assistance, telemedicine health personnel assistants ("telepresenters"), and the use of health care facilities designed to establish videoconferences. One of the most established telemedicine programs to date is "The Ontario Telemedicine Network" (OTN) in Canada, which employs strategies to ensure that even patients with limited technological capabilities can access telemedicine care. The OTN supports all practice specialties, including movement disorders and those with deep brain stimulation (DBS). Therefore, an optimal telemedicine program with videoconferencing should balance security aspects with user-friendliness for patients and providers, cost, browser integration, operating systems, mobile platforms, and electronic health record integrations.
In conclusion, we have described the main technical and security features of the most popular videoconferencing tools used at present. Our data serves as a checklist guide for practitioners to understand what features should be examined when choosing a videoconference software and available options. However, because technology is a science characterized by a fast evolution, it is necessary to keep updating this type of information for neurologists interested in developing telemedicine programs.
All authors confirm that they have significantly contributed to the review of the literature, writing and review of this article.
This work was supported by the project PI19/00670 of the Ministerio de Ciencia, Innovación y Universidades, Instituto de Salud Carlos II, Spain.
The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fneur.2021.745917/full#supplementary-material
The promise of telemedicine for movement disorders: an interdisciplinary approach
Global perspective on telemedicine for Parkinson's disease
Implementation of telemedicine for urgent and ongoing healthcare for patients with Parkinson's disease during the COVID-19 pandemic: new expectations for the future
Incorporating telemedicine as part of COVID-19 outbreak response systems
Global Survey on telemedicine utilization for movement disorders during the COVID-19 pandemic
Telemedicine in Your Movement Disorders Practice Groups/Telemedicine-in-Your-Movement-Disorders
Telemedicine and COVID-19 Implementation Guide
Data security management and data protection for video conferencing software
Telemedicine and COVID-19 Implementation Guide
Use of telehealth during the COVID-19 pandemic: scoping review
Exchange of Electronic Health Records across the EU
A new day: the role of telemedicine in reshaping care for persons with movement disorders
Reply to: a new day: the role of telemedicine in reshaping care for persons with movement disorders
Navigating the digital divide: a systematic review of eHealth literacy in underserved populations in the United States
The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
Publisher's Note: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.
Copyright © 2021 Cubo, Arnaiz-Rodriguez, Arnaiz-González, Díez-Pastor, Spindler, Cardozo, Garcia-Bustillo, Mari and Bloem. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.