SmartBot360™ is a leader in secure and HIPAA-compliant chatbots. Our chatbots are used to engage patients and to exchange private information directly between the customer and the business, so that no third-party messaging platform sits in the middle of the conversation. Please contact us for more information and a free quote.
Figure: key security and privacy concerns with chatbots
The above figure shows the main modules involved in a chatbot deployment. These are the main security concerns:
- Man-in-the-middle: If a chatbot is deployed on a chat medium (Facebook Messenger, Slack, Skype and so on) or on standard mobile texting (SMS), the owner of the medium (Facebook, or the mobile carrier and any SMS gateway in between) has access to the plaintext of every message. This is not an attacker interposed on the connection but a third party handling the data by design, and unless that party has signed a business associate agreement, any protected health information in the conversation puts the deployment out of HIPAA compliance.
- Chat log stored on user device: For example, if you use SMS to exchange sensitive data, anybody who can unlock the phone can scroll back through the messages. They stay in the messaging app indefinitely, have no protection beyond the device lock, and are often included in the phone's cloud backups.
- Encryption of messages in transit: Fortunately, most chat media and the connections between the modules are TLS-encrypted, so this is not a concern with most chatbot platforms. The exception is SMS, which has no end-to-end encryption: messages pass through the carrier and any SMS gateway in the clear. It is still worth verifying on every deployment: the webhook and API endpoints the platform exposes should accept HTTPS only, and its outbound calls should validate certificates rather than disable verification.
- Encryption of data at rest: The Conversation Management Engine should store the chat log in an encrypted database, with the encryption keys managed separately from the data, so that a copy of the database alone is not readable.
- Use of external NLP services: If a chatbot platform relies on external libraries or services to analyze the user text, e.g., to extract a date or a phone number, then this communication must be secured, and more importantly its content must be minimized. A reasonable approach is never to send any personally identifying information (e.g., name or address) or any session or user identifier to such a service, so it cannot associate messages with users or link messages from the same conversation. Another approach is to use only libraries that run inside the Conversation Management Engine and do not communicate with outside entities.
- Logging and access rights: This is most relevant for HIPAA compliance, which requires that the chatbot platform log all actions, including every access to a chat log, and that it follow strict policies on who is granted access to which data. In general, employees should be given access to sensitive data only if they have signed the required agreements and have a genuine need to access it.
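The "never send identifiers or PII to the external NLP service" rule above is easy to state and easy to get wrong in code. The following is an added example (editor's code, not SmartBot360's) of an outbound payload builder that enforces it: it replaces the profile values the engine already holds for the user with placeholder tokens, redacts e-mail addresses, and forwards nothing but the scrubbed text, so the service can neither identify the user nor link one sentence to the next. The function names, the `ALLOWED_OUTBOUND_FIELDS` set and the sample turn are assumptions made for illustration.

```python
import re

# Added example (editor's code, not SmartBot360's). The engine is assumed to
# already know profile values for the user (here: name and address) from
# earlier turns or from the customer's own records.

# Only these fields may ever leave the engine towards an external NLP service.
ALLOWED_OUTBOUND_FIELDS = {"text"}

# Conservative e-mail pattern; a trailing "." or "," is not swallowed.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_for_nlp(text: str, known_pii: dict) -> str:
    """Replace values that identify the user with placeholder tokens.

    Known values are replaced longest-first so that an address containing the
    user's name does not end up as a half-replaced '<name> Arbor Rd'.
    """
    scrubbed = text
    for label, value in sorted(known_pii.items(), key=lambda kv: -len(kv[1])):
        if value:
            scrubbed = re.sub(re.escape(value), f"<{label}>", scrubbed,
                              flags=re.IGNORECASE)
    return EMAIL_RE.sub("<email>", scrubbed)


def outbound_payload_is_clean(payload: dict) -> bool:
    """True only if the payload carries nothing but the allowed fields."""
    return set(payload) <= ALLOWED_OUTBOUND_FIELDS


def build_nlp_request(turn: dict, known_pii: dict) -> dict:
    """Build the payload sent to the external NLP service.

    Session and user identifiers are deliberately dropped, so the service sees
    isolated sentences it cannot tie to a person or to each other.
    """
    payload = {"text": scrub_for_nlp(turn["text"], known_pii)}
    if not outbound_payload_is_clean(payload):
        raise ValueError("identifier fields would leave the engine")
    return payload


# Constructed sample turn: the identifiers are what the engine holds
# internally and must not be forwarded.
SAMPLE_TURN = {
    "session_id": "sess-8842",
    "user_id": "u-17",
    "text": ("Hi, this is Maria Lopez, I live at 12 Oak St. Can you book me "
             "for next Tuesday at 10am? Reach me at maria@example.com."),
}
SAMPLE_PII = {"name": "Maria Lopez", "address": "12 Oak St"}

if __name__ == "__main__":
    print(build_nlp_request(SAMPLE_TURN, SAMPLE_PII))
```

Note what is left in: "next Tuesday at 10am" still reaches the service, because extracting dates is the reason the service is called. Forwarding the raw `SAMPLE_TURN` dict instead would fail the `outbound_payload_is_clean` check, which is the point of keeping an allowlist of fields rather than a blocklist of names to strip.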
How does SmartBot360™ achieve secure and private communication?
In addition to following state-of-the-art security and privacy policies, SmartBot360™ has developed proprietary technology to address the "chat log stored on user device" and "man-in-the-middle" problems with Facebook Messenger, SMS and other chat media.
This is important as these chat media allow reaching the customers where they are, notifying them (tricky or impossible with browser chatbots), and do not require installing a dedicated chat app (not having to install an app is a key advantage of using chatbots in the first place).
Specifically, a chat can start on Facebook Messenger or SMS and, when sensitive information must be exchanged, the user is sent a secure link that seamlessly continues the chat over an encrypted channel. No registration or password is necessary, so the communication stays frictionless yet secure.
An agent using SmartBot360™ Management Dashboard™ can also manually switch a chat to a HIPAA-compliant chat with the press of a button, when sensitive information must be exchanged.
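The secure-link handoff described above is proprietary, and this page does not say how it is built. The following is an added example (editor's code, not SmartBot360's implementation) of the properties such a link needs if it is to be safe to send over the very channel it is escaping: the token is random and unguessable, the server stores only a hash of it, it expires quickly, it can be redeemed exactly once, and the link itself carries no name, phone number or conversation content. The names `issue_handoff_link`, `redeem_handoff` and `token_from_link`, the 15-minute lifetime and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example (editor's code, not SmartBot360's proprietary implementation).
# Assumptions: a 15-minute lifetime, and a server-side store keyed by the
# SHA-256 of the token, so a leaked copy of the store yields no usable links.
TOKEN_TTL_SECONDS = 15 * 60
_handoffs: dict = {}   # stand-in for a database table


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_handoff_link(conversation_id: str, base_url: str,
                       now: Optional[float] = None) -> str:
    """Create a single-use link that moves the conversation to the secure channel.

    The link carries only a random token: no name, no phone number, nothing
    about the conversation, since it travels over the insecure medium.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _handoffs[_digest(token)] = {
        "conversation_id": conversation_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}/secure/{token}"


def redeem_handoff(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the conversation id the first time a valid token is presented.

    Unknown, expired and already-used tokens all fail the same way, so a
    caller learns nothing about which case applied.
    """
    now = time.time() if now is None else now
    record = _handoffs.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True   # burn it before returning, so a replay fails
    return record["conversation_id"]


def token_from_link(link: str) -> str:
    """Extract the token from a link of the form <base_url>/secure/<token>."""
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    link = issue_handoff_link("conv-42", "https://chat.example")
    print(link)
    print(redeem_handoff(token_from_link(link)))   # conv-42
    print(redeem_handoff(token_from_link(link)))   # None: single use
```

After a successful redemption the HTTPS page should establish its own session (for example a cookie) and never put the token back into a URL; the carrier or messaging platform only ever sees a link that is worthless once clicked or once the lifetime has passed, and the sensitive content itself never travels over the original medium.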