Best Practices in eTherapy
The Difference Between Security and Being Secure
Security in Online Counseling
There's some debate as to what constitutes a secure communication online when discussing clients and potentially identifying information about clients. Some argue that every communication between professionals should be "secure," spurred on by U.S. HIPAA regulations. The problem is, of course, what exactly constitutes "secure." Many people differentiate specific security techniques with true secureness of data, which is what HIPAA and other regulations attempt to achieve.
Security versus Being Secure
Security is generally what technology professionals use to describe a set of techniques or technologies that help make data less penetrable by people other than their intended recipient. Financial institutions use their own encrypted data network, for instance, to ensure the security of financial transactions (which, for the most part, does not run on the Internet).
However, security doesn't automatically buy you the state of being secured against threats and intrusions. Indeeded, many security experts argue that security technology often lulls people into a false sense of security without challenging common sense. An example that's often used today brings this difference into sharp focus.
Phishing for Data
A growing technique amongst credit card thieves over the past two years is to send out millions of random emails to individuals posing as a large financial institution, such as Citibank. They ask the recipient to click on a link in the email to fill out a Web form with pertinent (and usually sensitive) financial information (including a credit card number).
Security technology says, trust anything that looks and feels secure. For example, if it comes from what appears to be a legitimate Citibank email address and directs you to a seemingly secure and legitimate Citibank Web site, then it's secure and safe. After all, because of security, we look for SSL connections and the little locked icon on our browser to ensure the information we're about to send to the other website is secure.
The problem is that some of the best phishing schemes include even an SSL connection and will look completely legitimate. Looks can be deceiving, however, and even when an end user is counselled to look for the secure icon, it says nothing about how secure that person (or their data!) is. In fact, because we often train people on security versus being secure, we lull folks into a false sense of security.
How Security Pertains to Online Health Records
In online therapy or e-therapy, one-to-one counseling sessions are best secured by security technologies. However, don't think that is the end of your responsibility. Simply using an SSL connection or implementing some sort of more complex technological solution doesn't mean the data is automatically trusted and secure. You can still receive insecure or untrusted data from an SSL connection or white-listed email recipient. Technology simply isn't a substitute for human judgment.
In online case or peer-to-peer supervision, most of which is currently conducted via regular email, you should seek to keep all client identifying information to a minimum. With little security, email is certainly prone to man-in-the-middle attacks or simple social engineering or administrator vulnerabilities. Your best protection, short of forgoing 21st technology altogether, is to keep identifying information out of emails and out of non-secured communication methods.
Security Isn't Being Secure
More importantly, however, is understanding that simply implementing a security technology doesn't protect you from the same responsibilities of maintaining client confidentiality as using no security technology. Security technology isn't a substitute for using common sense and understanding the limitation that our current technologies offer. Just because you send a PGP-encrypted email doesn't mean it's not going to be auto-unencrypted by the client's email program and read by the client's daughter. PGP, SSL, and any other online security technology is worthless if you don't understand its limitations. More importantly, it is even less than worthless if you don't communicate and educate your clients about how it works, its limitations, and some of the limitations of online communications in geenral.
For more information about e-therapy, I suggest reading the other essays in the Best Practices in e-Therapy series.