[Transcript] Episode 442: What You Should Know About Apple’s Private Relay Function
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 442: What You Should Know About Apple’s Private Relay Function.
Liath Dalton
Yes, indeed.
Liath Dalton
And first of all, we should explain what Apple’s Private Relay function is. And then, once we describe that, we will get into what you should know about it and how it impacts some decisions around team device security management in a group practice context.
Liath Dalton
And we thought that this was a good topic right now, considering the time of year, and that we know that it’s when folks are often traveling with their BYOD devices and therefore having questions about VPNs or Virtual Private Networks and what is acceptable or not, in terms of meeting the practice’s security policies around network security and device security.
Liath Dalton
And of course, this being in the context of any device that is ever used for handling Protected Health Information in any way needs to follow the network security policies at all times. So they’re applicable not just when someone is logging into the EHR or to your Google Workspace environment, but at all times for that device. So this is why it’s so important.
Liath Dalton
So now that we’ve set the scene in that way, Evan, would you share with us what Apple’s Private Relay function is?
Evan Dumas
Yeah. So first of all, don’t worry, you’re not getting this automatically. This is a service that you will get if you have iCloud, plus it’s an extra, additional service you can buy from Apple. But what is it? What is Private Relay?
Evan Dumas
It’s kinda like a VPN, but it’s a little different. So it is, well, Private Relay. It’s just like the name sounds. It relays your traffic from not just one server, but two separate ones, and they don’t know what each other is doing.
Evan Dumas
So a VPN, if you are used to that, and you know what that is, it’ll route it from one server and sort of anonymizes your data this way. But this relay has two different relays, and so it’s private also in that it doesn’t even have the way of logging your traffic or where you’re going, which there is a slight concern from VPNs. Not all VPNs do this, that they’ll be keeping logs of what you’re doing. So it’s a privacy concern. And so it’s similar when you think about, like, Oh, it’s a way to make the traffic that you’re sending safer with, of course, tons of caveats, which we’ll get into. But in that way, it makes your usage of the internet private.
Liath Dalton
Exactly, and that is then protecting the data that you are sending out over that connection. And what is particularly important, in the context of device security for devices that are handling PHI, is the way that it then protects the device itself from being compromised when you are connecting to an otherwise dirty or unsecured network. So it does have the functionality that provides the security benefits of a VPN that we like to see, and what’s actually required in the VPN policy, if you’re using PCT’s HIPAA Security Policies and Procedures of having zero logging.
Liath Dalton
The other component that we have required in our policies and procedure templates is that it also has a kill switch. Meaning that if you are not connected through the VPN, that your network connection is shut down altogether, so that you cannot possibly be connected without the connection being secured. Now the Private Relay doesn’t have that same functionality, and that is not its only limitation. The other limitation, Evan, is that it only works on Safari.
Evan Dumas
So okay, the good news is, secretly, every browser on your phone is Safari. They don’t tell you this, but if you ever learn some web development or whatnot, everything just routes through Safari’s WebKit, and it’s like it controls your internet. So on your iPad and iPhone, you’re actually kind of safe. It forces you, even though you say it, but it’s Chrome, actually, technically, it’s Safari, but with like a Chrome wrapper. But on your computer, that is not the case. You could use Firefox, Opera, Chrome, all sorts of different browsers, but it only works if you’re using Apple’s Safari browser on your laptop.
Liath Dalton
Womp, womp. Which means, then, that in order for it to be providing the security benefits that are necessary for a device that’s used for handling PHI, that it would have to be paired with an additional policy that relies on a behavioral measure of only using Safari for all things. And Evan, what do we always say about relying on behavioral measures?
Evan Dumas
Don’t. If you can rely on a technical measure, do that, because people, the last thing you want to do is task them with more like caloric duties of thinking and other choices.
Liath Dalton
Yeah!
Evan Dumas
No, thank you.
Liath Dalton
Exactly. We want to have clear guard rails and parameters that make it easy to do what’s necessary without that extra kind of cognitive load. Or I like that phrasing, Evan, caloric burden?
Evan Dumas
Yes.
Liath Dalton
So what is, what does all this mean in practical terms for your practice? Now, if folks are asking, Can I use Private Relay? Does it meet the requirements of a VPN service that would be practice approved?
Liath Dalton
Our verdict is going to be that your answer should be no, because of the limitations and caveats, and those end up just being kind of a deal breaker. So what then are good alternatives?
Liath Dalton
And I want to actually zoom out a little bit to reiterate one thing that’s really important in the context of VPN services, because you will have heard us talk ad nauseam about the need to have a prohibition on personal service use in a practice. But the exceptions to that prohibition include VPN services.
Evan Dumas
Yeah.
Liath Dalton
And Internet services.
Evan Dumas
Yeah.
Liath Dalton
So this is why we’re having that convo, so you can provide a VPN service to folks, or if they have a personal VPN service that they want to use, that is absolutely HIPAA acceptable, provided that that VPN service has the necessary functionality to accomplish the required outcome, and that includes that it is zero logging and that it has a kill switch.
Liath Dalton
So you can either provide a VPN service, nice and cheaply to staff members as a practice provided service, or they can use their own, bring their own personal service along with, if it meets the requirements. And so if you are getting faced with questions from team members of does Private Relay meet those requirements? I’m going to say again, no. But then what are some alternatives that do meet that requirement?
Evan Dumas
Yeah, using your phone as a hot spot is a phenomenal way to meet that requirement, and anyone with a smartphone and a data plan ought to be able to do that.
Liath Dalton
Exactly. And so that’s not even bringing a VPN service, that’s, and having to pay for it or make sure that it’s something that meets the requirements of a HIPAA acceptable VPN. It’s just leveraging functionality that’s already there. Evan, what are some of the potential drawbacks about that, though, or where we might say, no, they’re better off actually using a VPN?
Evan Dumas
Yeah, there’s some question of limitation of data like, you know, telehealth sessions will eat up a huge amount of bandwidth because it’s both sending and receiving quite a bit, and it can be a little slow for that. So, and also, you know, based on your wireless signal strength, that’s a limitation there. So it works a pinch for checking emails or doing chart notes, things like that. That’s a good, great place for it. Yeah, that’s about it, not using it for sessions, things like that.
Liath Dalton
Yeah, that’s not something, like if someone’s going to be out of office and away from their secured home office network, visiting family or traveling or whatever, and they’re going to be doing a number of telehealth sessions on whatever alternative connection they set up, that should not be relying on the hotspot connection.
Evan Dumas
Yep.
Liath Dalton
That then is a case for a good VPN service. Evan, what is our VPN service of choice?
Evan Dumas
Yeah, it’s been for a very long time, now, I haven’t seen it usurped, the Nord VPN. It’s N, O, R, D, V, P, N, and don’t worry, if you go to their website, they say they’re on sale. They are always on sale. And if they don’t, they’re
Liath Dalton
Literally always.
Evan Dumas
Just wait, yeah, it’s one of those, like always on sale prices. They’re great. Don’t get all the extra bells and whistles. They’ll probably want to give you a password manager or antivirus, other stuff. No, they’re not known for that. They are known for their VPN service, which is great.
Liath Dalton
Exactly. And like we say, it is our top choice, and from a number of other sort of tech reviewing and security expert companies as well, also has come out on top in terms of VPN reviews, year after year. So it’s super solid. The second choice that comes up and is perfectly acceptable as well is Express VPN, although Evan, you had some sort of didn’t love it as much when you were testing it out personally for compare and contrast, right?
Evan Dumas
Yeah, it’s just, to me, I really actually care about interface design and things being easy to use and Nord is easy to use. I just get upset on the behalf of customers who I know will get upset, so I try not to steer them to services that are either so simple you can’t make the necessary changes, or so ugly that using them isn’t comfortable. But you know, other people don’t care about those type of aesthetics as much as I do.
Liath Dalton
But the configurability and ease of navigating, and making sure it’s doing what you need it to do is impactful. So yeah, I think your assessment of why Nord is preferable has a lot of merit.
Liath Dalton
So yeah, that’s the kind of the 411 on Apple’s Private Relay function, what you need to know about it to be able to respond to questions from team members regarding its permissibility, and then what good alternatives are and how they fit into your HIPAA security and risk management picture.
Evan Dumas
Yeah.
Liath Dalton
And one last reminder, just realizing that folks who are listening to this episode may not have heard our prior episodes related to VPNs. So wanting to address one question that comes up really frequently, Evan knows exactly where I’m going, so I’ll let you say it.
Evan Dumas
Yeah, this is great, because that means people know what a BAA is, a Business Associate Agreement. It’s usually a little thing you get with software to make sure that you’re doing it in a HIPAA friendly way, but that’s you know, you still have to change your behaviors, but it says they’re doing it, right?
Evan Dumas
No, you do not need a BAA with your VPN, just like you don’t need a BAA with your Internet Service Provider, which is, you know, partly the reason why we say, hey, yeah, let your employees pick their own, because they don’t need BAAs with them. It’s not looking at PHI at all.
Liath Dalton
Exactly. So, yeah, BAA is not necessary, not really obtainable for commercial, virtually available VPN services either. I think there is one such service that does VPNs with BAAs, but they are charging an astronomical premium for it, of course, right? And that is for a VPN service that’s doing a whole additional level of remote access management to local servers, and that’s a completely different use application, and not something that is going to be applicable to 99.99% of the practices that PCT works with.
Evan Dumas
Yeah.
Liath Dalton
So yeah. If, as long as you aren’t using a VPN in any way to manage remote server access for servers that you’re running locally, you do not need to worry about BAAs with a VPN.
Evan Dumas
No.
Liath Dalton
All right, folks, thanks for joining us. We hope you found this helpful. And we also wish you a Happy Thanksgiving, although this episode will be released the day after. So we hope that you have had a happy Thanksgiving with your loved ones, and we will chat to you next time.
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we discuss Apple’s Private Relay function and whether it can be used in a group practice context.
We discuss:
- Security policies around network security and device security, particularly BYOD policies
- How Private Relay works, and its limitations
- How Private Relay is similar to a VPN (and how it is different)
- What functionality is required for network and device security
- Private Relay alternatives and their limitations
- Our recommended VPN service
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources & further information
PCT Resources:
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.