Mental health professionals are busy people, working to help others with their problems. After spending the day listening to people, taking notes, and filing insurance claims, most mental health professionals do not have time to think about encryption and security. Many use their personal computers, tablets, or cell phones for business related purposes, resulting in private information often being present on these devices. What happens then, if someone hacks into these devices? Often, this means Client data could end up in a criminal’s hands, with the therapist being held responsible for the breach. A criminal would like mental health information for blackmail and extortion. If you are a mental health professional, I have a question for you: what steps have you taken to protect your Client’s electronic data?
How Can Data Be Breached?
For a computer that is unsecured, it would not take much for a criminal to access Client information. It could be as simple as an unsecured wireless network, where someone connecting to the network could access the hard drive. They could use a simple program to crack the password to your computer then copy the hard drive. Often weak passwords are used, which makes cracking into accounts an easy task. A hacker could steal Client data, unknown to the user.
Another means of stealing Client data could be through e-mail. Many hackers like to use computer viruses and worms to try to steal account information. These viruses are sent in e-mail messages. Once the user opens the e-mail and downloads the program, the computer is infected. Now, the hacker has access to the files, and all personal and Client information.
Sometimes, brute force methods are used to steal Client information. Physically stealing the computer, cell phone or tablet is a good way to obtain Client information. Once a criminal has the device, all they need to do is power it up and take out the hard drive, or crack the password. For a computer, a windows password would be useless if the hard drive was removed and placed inside another computer. Files will be accessible on the other computer, without needing to log into windows.
If Someone Steals Client Data, Is It My Fault?
If a hacker steals a hard drive, or use a worm to access Client data, how liable is the mental health professional? The answer is: it depends on the steps taken to secure Client information. If weak passwords are used, of the hard drive itself is not encrypted, or e-mails to Clients are not encrypted, then the mental health professional may be held liable for the breach. Most mental health professionals are under HIPAA, the Health Insurance Portability and Accountability Act, and are required to secure Client data. Under HIPAA, the mental health professional is responsible for the security and accessibility of Client data. Risk assessments need to be conducted to account for ways data could be breached.
For example, what would you do if you lost your cell phone, and Client data was on it? What if you kept a phone book with Client names, and you did not encrypt the phone and did not have a password to access it? If investigated by HIPAA, each violation costs $5,000. If 100 names are located on the phone, a fine of $500,000 may result. Also, your Licensing Board may undergo an investigation, and the Clients may sue you for the breach.
How Do I Protect Client Data?
The first thing I recommend is you begin securing your communication with Clients. Most mental health professionals use e-mail to communicate with Clients. Encrypting e-mail messages you send to your Clients will protect their data, and will be difficult for a hacker to obtain. Unfortunately, you will need to spend money to secure your e-mails. I use a program called Virtru, which allows me to encrypt e-mail messages to Clients. I can send attachments and messages and not worry about them being intercepted by a hacker. Virtru is around $60.00 for a single user per year, so the cost is reasonable. All e-mail messages I send to Clients are through Virtru. You would still use your regular e-mail address, with Virtru encrypting it. Clients would need to validate their identity through their e-mail provider to access the information. While I have noticed some Clients having problems accessing these messages, it works for most.
Eliminate Text Messages
Unless you plan to have your Clients use a special program on their phones to text you, I suggest not using text messages to communicate with Clients. Text messages are unsecured by default and are easy to intercept. You can receive text messages, but responding to them opens you up for a breach. I do not text Client’s and prefer to use encrypted e-mail or to call them on the phone. The risk is too high in my opinion.
Encrypt Your Computer’s Hard Drive
Encrypting your Computer’s Hard Drive is one of the most important steps you can take. Once your hard drive is encrypted, a password or a key file is required for access. Creating a 30-40 character password to unlock the hard drive will make it difficult for hackers to access. Even if they take the hard drive out of the computer, the password would be required for access. Without this password, it would take a hacker years to break into the hard drive. The program I use to encrypt my hard drives is called VeraCrypt and is available for free on Windows, Mac OS X, Linux and Raspberry Pi. I will write an article in the future on how to encrypt your hard drive via VeraCrypt. However, they have documentation to help in installation. It may take 6-12 hours to encrypt your hard drive, depending on the size of the hard drive. Encrypt all hard drives in all computers you use for business related purposes.
Encrypt Your Tablet and Cell Phone
Most Cell Phones and Tablets have the ability to encrypt. For Android phones and tablets, encryption is in the Security section of Settings. For iOS devices, encryption is in the Touch ID & Passcode section of Settings. For any device you encrypt, you will need to choose a secure password before you encrypt the device. Make the password at least 15 characters, something that you will know, but will not be easily guessed. Do not include your children’s name, pet names, or past addresses while making passwords. I use passphrases, such as: “The donkey ate the phone 729*” as passwords, as they are easier to remember and are difficult to crack. Make sure your phone or tablet is charged before you encrypt.
Gather Business Associate Agreements
For any software you use to access Client data, you need to obtain a Business Associate Agreement or BAA. A BAA states that the company has had training in how to access Client information. BAA’s are needed for HIPAA, and are required. If you are using a service to access Client information and do not have a BAA, you are in violation of HIPAA. A company that has a BAA has trained their staff in handling sensitive information, which means if there is a breach, it is this company’s responsibility to fix it. Without a BAA, it is your responsibility as the end user if a breach occurs. Having a BAA protects you from being liable if hacked. However, most business will not provide a BAA, as they do not want to take on the responsibility or training needed to access Client Information. Therefore, you can only use services that provide a BAA. You will need to discontinue using services that do not provide a BAA. Below is a list of services you need to check:
- Your E-Mail Provider
- Office Software (If using a Cloud-Based Service)
- Practice Management Software (Where you store Client notes, treatment plans, etc.).
- Cloud Backup Services
- Software used for Teletherapy
- Any messaging software used to contact Clients.
For the above list, I use the following, and have BAA’s with each:
- E-Mail Provider: Gmail (G-Suite).
- Practice Management Software: Theranest
- Could Backup Services: Google Drive (G-Suite).
- Teletherapy: SecureVideo
I suggest you research the above programs, and determine if they will work for you and your organization.
Once you have secured your e-mail, hard drives, and have BAA’s with all companies that handle Client data, make sure you complete a risk assessment and begin creating policies and procedures for your practice. These steps are lengthy and involved, but are required to be HIPAA compliant. For my practice, I purchased forms to help me in this process. If you are in Texas, go to the following link to check them out: HIPAA for Therapists. Prepare for it to take 3-6 months of work for your practice to become HIPAA compliant. Once it is, you will feel better knowing your Client’s information is safe. By taking steps to protect your Client’s electronic information, you have done much for the security and safety of your Client’s data.
Pinterest Pins Relating to Private Practice:
You can reach me at my website or call me directly at 832-559-3520 if you have any questions. Thank You!