Best Practices for Data Security
Originally published in Counseling Today.
One need only read the harrowing tale of the destruction of Mat Honan’s digital life to understand the importance of securing our personal data. It only took an hour for hackers to penetrate all of Mat’s important online accounts. In addition to broadcasting racist and homophobic slurs from his Twitter account, the hackers remotely wiped all data from his iPhone, iPad and MacBook, including more than a year’s worth of photos of his daughter.
Although this episode exposed flaws in the technical support security of Apple and Amazon, Mat also recognized mistakes he had made. Specifically, Mat had “daisy-chained” his accounts together and wasn’t using multi-factor authentication. There is great convenience for users who connect their Google account to their Facebook account to their Twitter account and so on, all through one password. But the danger is that once someone has access to one of these accounts, they may have access to them all.
Mat’s story, as well as past breaches at stores like Target, remind us of how important it is for all of us to possess a baseline understanding of best practices regarding data security. In addition to the ethical and legal responsibilities we have to protect our clients’ information, it is also important that we protect ourselves and our identities. What follows is a guide to basic best practices we can follow to ensure the security of personal and client data.
Security in our field must include some mention of the Health Insurance Portability and Accountability Act (HIPAA). Because HIPAA requires covered entities to have security policies and procedures, I would encourage you to document your version of best practices for your organization. The complete requirements for HIPAA compliance are too lengthy to go into here, however.
Security starts (but doesn’t end) with strong passwords. Whenever possible, passwords should:
- Be at least eight characters long (the longer, the better)
- Contain at least one capital letter and one lower case letter
- Contain at least one number
- Contain at least one special character (!, $, %, etc.)
- As an alternative to the previous three recommendations, use a passphrase (see below)
- Be changed at regular intervals
There are also some “don’ts” when it comes to passwords, including:
- Do not use a single common word found in a dictionary.
- Do not use names of family members, pets or anyone you know.
- Do not use strings of numbers or characters (for example, “1234” or “ghijk”).
- Do not use any information about yourself that is easily obtainable (birth date, hometown, etc.)
- Do not use the same password for multiple services, especially the most sensitive ones (for example, financial institutions, electronic health records and so on).
- Do not share your passwords with others.
- Do not write your passwords on Post-its or save them in a plain text document or spreadsheet on your computer.
The list of don’ts can be extensive. However, if you are already following all of the “do’s,” you’re unlikely to violate any of the don’ts. You also won’t end up using any of the “top-ranking” worst passwords. Past examples have included password, monkey, letmein and ashley.
Here are some additional tips for creating strong passwords.
- Think of an uncommon phrase that you can easily remember. Use the first letter or two from each word in the phrase to create your password. “Help meet the basic human needs of all people” becomes “Hmtbhnoap.”
- Make passwords more difficult to guess by changing letters to numbers or special characters. Using the above example, change the password to “HmtBn04p!”
- Alternatively, use a string of four or more unrelated words (passphrase) such as umbrellaFerraribongosCognition.
Now that you are creating unique strong passwords for each service or website, how will you possibly remember them all?
A password manager is a tool that will remember your passwords for you. You simply need to remember a single password to access them all. Some password managers are software that is installed on your computer. Others are web-based, allowing you to access them through any web browser. Typically, a web-based password manager will encrypt your passwords on your computer and then upload them to the vendor’s website for safekeeping. The vendor (and, therefore, potential hacker) never has access to your unencrypted passwords. I’m a fan of LastPass (lastpass.com), but other quality alternatives are available. Some features to look for in a password manager include the ability to:
- Generate and save secure passwords (thus saving you all the trouble we covered in the prior section)
- Automatically enter username/password combinations into websites
- Use the service on multiple brands of web browsers (Chrome, Safari, Internet Explorer and so on)
- Automatically complete web forms so you won’t have to type your name and address repeatedly
- Use a screen keyboard to enter your password, which prevents key loggers from capturing your password
- Create separate identities within your account, which allows you to store usernames and passwords associated with work separately from your personal information
- Access your accounts and passwords through your mobile device
- Use multifactor authentication
This last feature is key. Because you will be protecting all of your other passwords with a single master password, it is important that you have an additional line of defense.
As its name indicates, multi-factor authentication (sometimes called dual-factor authentication) requires the entry of at least two pieces of information to access secure data or accounts. It’s the digital equivalent of producing two forms of identification in order to obtain your driver’s license or passport. When using multifactor authentication, your level of security is greatly amplified. Even if someone were to obtain your password(s), they would need another piece of information or equipment to access any of your accounts.
Multi-factor authentication can be as complex as thumbprints and retinal scans, or as simple as a second password or randomly generated code. The most common forms are physical devices and secondary codes generated by a companion app. Physical devices include objects such as a YubiKey (bit.ly/10ZQfTr) or thumbprint reader. It is also possible to turn any USB flash drive into a secondary physical security factor. These devices typically will attach to your computer and provide an additional way to prove your identity. Companion apps such as Google Authenticator install on your mobile phone and periodically generate a unique code. This code would need to be entered, in addition to your password, to gain access. Without also having these physical devices or code generators, someone with your password would not be able to access your account(s).
Multi-factor authentication is especially important when utilizing a password manager, but it can also be used with individual accounts. This is strongly recommended when logging into services such as Google and Apple that provide you access to multiple accounts with a single username/password combination. Although multifactor authentication may take a bit of time to set up, and a brief moment of extra time when logging in, I strongly recommend its use for anyone wanting to protect sensitive personal or clinical data. The trade-off is well worth it, considering you will now have strong security without having to generate and remember strong passwords yourself.
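The companion-app codes described above are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): the phone and the service share a secret and each independently computes a 6-digit code from that secret and the current 30-second time step. The following is an added example, not code from the article or from any authenticator product, written with only the Python standard library. It shows both sides of the exchange, the app's code generation and the service's verification, and uses the published RFC 6238 test secret; the one-step drift window and the replay check are design choices of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one value of the moving counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP with the counter set to floor(unix_time / step).
    This is what the authenticator app on the phone computes every 30 seconds."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def decode_authenticator_secret(b32: str) -> bytes:
    """Apps share the secret as base32, often lowercase, grouped with spaces and
    without '=' padding; normalise it before decoding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """The service's side of the check. It tolerates one step of clock drift either
    way, compares in constant time, and never accepts the same time step twice, so a
    code that has already been used cannot be submitted again within its lifetime."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted = -1

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        now = int(time.time() if at_time is None else at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted:
                continue                                        # replay protection
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False


# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), base32 encoded
# the way an authenticator app would display it during enrolment.
RFC6238_SECRET_B32 = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    shared = decode_authenticator_secret(RFC6238_SECRET_B32)
    service = TotpVerifier(shared)
    code = totp(shared)                       # the phone shows this
    print("app shows", code, "-> accepted:", service.verify(code))
    print("same code again -> accepted:", service.verify(code))
```

The important property for the article's argument is visible in the verifier: knowing the password does not help, because the code depends on a second secret that only ever lives on the phone and on the service, and the code changes every 30 seconds.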
Chances are you have a lot of sensitive personal data on your computing devices, data that, in the wrong hands, could lead to identity theft. Some counselors also keep sensitive client data on their computers. Although passwords and multifactor authentication provide an excellent level of security related to Internet sites and applications, we can benefit from one additional measure on our computers. When it comes to protecting the data stored on the hard drives of a computer, encryption is the strongest measure currently available.
Encryption is a complex process. For our needs here, suffice it to say that encryption is a method of scrambling and encoding data so that only someone with the “decoder,” or encryption key, can unscramble it. Anyone else accessing the data would see only gibberish.
Tools are available for encrypting individual files and folders, but I recommend full disk encryption. In addition to being much more difficult to bypass, full disk encryption is required for covered entities to be exempt from HIPAA’s breach notification rule. You may recall that under this rule, the covered entity is required to notify the Department of Health and Human Services, all affected clients and, potentially, the media if there is a suspected or known breach of protected health information. This means that should your computer be stolen or accessed by an unauthorized individual, you would be subject to this rule. If you are using qualified encryption methods, however, you are exempt from this requirement. The assumption is that because the entire disk is encrypted, unauthorized individuals wouldn’t be able to read any of the data.
Users of the Pro or Ultimate versions of Windows 8 and some versions of Windows 7 have built-in encryption capability through a program called BitLocker. Some versions of Mac OS feature a similar program called FileVault. If you don’t fit in either of these scenarios, you might consider using a third-party encryption program. And let’s not forget those mobile devices. The latest versions of both iOS and Android have the built-in ability to encrypt the device’s contents. Whatever method you choose, be sure to document it in your HIPAA security policies and procedures (required of Covered Entities).
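Because the breach-notification exemption depends on the disk actually being encrypted, it is worth verifying the status rather than assuming it, and recording the result in the policy documentation. The following is an added example, not code from the article or from Microsoft, Apple or any Linux distribution: it reads the status reported by each platform's own tool (BitLocker's manage-bde on Windows, fdesetup on macOS, lsblk on Linux) and reduces it to a single yes/no. The tool outputs embedded below are constructed samples in the format those tools print; the Linux check only reports whether a dm-crypt volume exists, so confirm that the system volume is the one on it.

```python
import platform
import re
import subprocess
from typing import Dict, Optional

# Constructed samples of what each status tool prints (not captured from a real machine).
SAMPLE_FILEVAULT_ON = "FileVault is On.\n"
SAMPLE_BITLOCKER = """Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_LSBLK = """NAME="nvme0n1" TYPE="disk"
NAME="nvme0n1p1" TYPE="part"
NAME="nvme0n1p2" TYPE="part"
NAME="cryptroot" TYPE="crypt"
NAME="vg0-root" TYPE="lvm"
"""


def parse_filevault(output: str) -> Optional[bool]:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'
    (None if the text is not recognised)."""
    m = re.search(r"FileVault is (On|Off)\b", output)
    return None if m is None else m.group(1) == "On"


def parse_bitlocker(output: str) -> Dict[str, object]:
    """Windows: `manage-bde -status <drive>`. Protection can read 'On' while the
    initial conversion is still running, so report the percentage encrypted too."""
    prot = re.search(r"Protection Status:\s*Protection (On|Off)", output)
    pct = re.search(r"Percentage Encrypted:\s*([\d.]+)%", output)
    return {
        "protected": None if prot is None else prot.group(1) == "On",
        "percent_encrypted": None if pct is None else float(pct.group(1)),
    }


def parse_lsblk(output: str) -> bool:
    """Linux: `lsblk -n -P -o NAME,TYPE` prints one KEY="value" record per line;
    a TYPE="crypt" record is a dm-crypt (e.g. LUKS) mapping."""
    return any(re.search(r'TYPE="crypt"', line) for line in output.splitlines())


def fully_encrypted(system: str, output: str) -> bool:
    """Single yes/no for the policy record: True only when the tool output shows
    encryption switched on (and, for BitLocker, 100% converted)."""
    if system == "Darwin":
        return parse_filevault(output) is True
    if system == "Windows":
        status = parse_bitlocker(output)
        return status["protected"] is True and status["percent_encrypted"] == 100.0
    if system == "Linux":
        return parse_lsblk(output)
    return False


def query_tool(system: str, drive: str = "C:") -> str:
    """Run the platform's status tool and return its output (manage-bde and fdesetup
    need an administrator / root shell to report the status)."""
    cmd = {
        "Darwin": ["fdesetup", "status"],
        "Windows": ["manage-bde", "-status", drive],
        "Linux": ["lsblk", "-n", "-P", "-o", "NAME,TYPE"],
    }[system]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    system = platform.system()
    print(f"{system}: full disk encryption on = {fully_encrypted(system, query_tool(system))}")
```

Run it from an administrator prompt (Windows) or with sudo (macOS) and paste the one-line result, with the date, into the security procedures the article asks you to keep; a device that reports "False" is the one to fix before it leaves the office.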
Stay up to date
The last piece of best practice advice for data security is to stay up to date. As computing power continues to increase, so will the abilities of hackers to crack current passwords and security measures. It is important to regularly revisit your procedures and currently available technology and best practices to ensure your personal and client data remain secure. And, of course, become a free member of Tame Your Practice for news updates and access to exclusive content and offers from our partners.
About the Author
Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allow him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.