Four Tips for Maintaining a Secure Practice
By Mark Goldenson
Although encryption is not a new innovation, it is still a new concept for many people in the helping professions. When mental health providers start an online practice, a common initial concern is security. The ease of sending electronic data worldwide also makes it easier to intercept. Fortunately, with simple best practices, electronic data can be secured even better than paper. Here are four tips toward maintaining a secure practice:
1. Use encryption
Encryption converts readable text into unreadable text. This is done via algorithms with alphabet soup names like SSL, RSA, and AES.
Sensitive internet messages should be sent with at least 128-bit SSL encryption. Such encryption would take longer than the age of the universe to break with brute-force guessing. You can tell a service uses SSL encryption if the URL in your browser begins with https:// when you log in to your account.
Unless your email recipients have set up encryption themselves, they should be required to log in to a secure site to read your messages. It is fine if a service notifies others of new messages via insecure email as long as recipients must log in to a secure site to read the full message. This is how Kaiser Permanente notifies members of doctor messages or lab results.
2. Use strong but memorable passwords
Strong passwords are at least eight characters, include at least one number, symbol, or capital letter, and avoid the names of loved ones or dictionary words. When Twitter was recently hacked, the admin password was “happiness”, producing a very unhappy security breach.
However, a password should also be memorable. Otherwise you may be tempted to write it down or spend more time recovering your password than typing it. One way to remember your password is to use letters from a mnemonic phrase that includes the name of the site.
For example, “GmMaEmFu” comes from “Gmail Makes Email Fun”. This password would be unique to Gmail so even if someone learned your Gmail password, passwords created this way for other sites should be safe.
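To make the two rules above concrete, here is a small added example (not from the original article) that builds a password from a mnemonic phrase the way the text describes and reports which of the article's strength rules a candidate password breaks. The word list is a constructed stand-in; a real check would load a full dictionary file.

```python
import re

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
COMMON_WORDS = {"happiness", "password", "welcome", "letmein", "sunshine"}


def mnemonic_password(phrase: str, letters_per_word: int = 2) -> str:
    """Join the leading letters of each word in a phrase.

    With letters_per_word=2, "Gmail Makes Email Fun" becomes "GmMaEmFu",
    the example used in the article.
    """
    return "".join(word[:letters_per_word] for word in phrase.split())


def strength_problems(password: str, dictionary=COMMON_WORDS) -> list:
    """Return the article's rules that the password violates (empty = strong)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    has_digit = re.search(r"[0-9]", password) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    has_capital = re.search(r"[A-Z]", password) is not None
    if not (has_digit or has_symbol or has_capital):
        problems.append("no number, symbol or capital letter")
    # Case-insensitive lookup so "Happiness" is caught as well as "happiness".
    if password.lower() in dictionary:
        problems.append("is a dictionary word")
    return problems


def is_strong(password: str, dictionary=COMMON_WORDS) -> bool:
    """True when the password passes every rule in strength_problems."""
    return not strength_problems(password, dictionary)


if __name__ == "__main__":
    for candidate in ("happiness", mnemonic_password("Gmail Makes Email Fun")):
        print(candidate, strength_problems(candidate) or "strong")
```

The checker cannot detect names of loved ones, so that rule still relies on the person choosing the password.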
3. Don’t save your password in your browser
Many web browsers try to make your life easier by saving the passwords you type. Do not do this for any secure site. Otherwise a hacker only needs to gain physical access to your computer, which is a reason to…
4. Password lock your computer
When I worked at PayPal, a few people left their desk with an unlocked computer, letting anyone nearby gain access. To discourage this, security-minded employees would hunt for unlocked computers and send embarrassing messages from them to the entire company. When I once saw a colleague’s computer unlocked with Outlook open, I sneakily sent a company-wide email announcing he would attend work the next day naked. He quickly learned to lock his computer.
Remember that no system is perfectly secure. Even the Pentagon has been breached and certainly doctors’ offices have, famously including the psychiatrist’s office of Daniel Ellsberg, leaker of the Pentagon Papers. Laws like HIPAA and the HITECH Act just expect reasonable security.
A good definition of security is when the cost of accessing information exceeds the information’s value. With tips like the above, you can help ensure hackers will spend their time elsewhere.
Mark Goldenson is CEO of Breakthrough.com, a free virtual office for online counseling.
This article first appeared in the September 2010 Premier issue of TILT Magazine ~ Therapeutic Innovations in Light of Technology, a bi-monthly magazine published by the Online Therapy Institute.
Link to original publication: http://issuu.com/onlinetherapyinstitute/docs/premier/46