Some people like to point out that encrypted email isn’t all it’s cracked up to be. “After all,” they warn, “as soon as someone has access to your username and password, it no longer matters whether your email is encrypted or not.” Well . . . yes. That’s an accurate statement. However, to use that line of reasoning would be like telling us not to bother locking our homes or cars. After all, as soon as someone gets access to your keys, those locks become useless.
Although we certainly COULD decide to throw caution to the wind, most of us see the value in at least taking reasonable precautions to protect our personal property. When it comes to client PHI (Protected Health Information) – whether it’s in email or in other types of documents – we’re mandated by HIPAA/HITECH to: 1) maintain written policies stating how we intend to keep PHI both private and secure and 2) to make sure we follow those policies.
The nice thing about the way the HIPAA laws are written is that the authors realize that each of us has our own unique situation. Our office setups are different (e.g., single practitioner, multi-practitioner, agency); we use different email clients (e.g., Outlook, Gmail, Yahoo, Hushmail, PSYBooks); we access it with different types of devices (e.g., computer, tablet, smartphone). Furthermore, technology changes so rapidly that the way we do our email this year may be totally different from what we do next year. This is why, rather than give us a strict set of rules we all have to follow, HIPAA wisely instructs us to write – and use – our own policies. In that spirit, this article will give you some general principals to use in developing your email safety plan.
Good email safety can be divided into two broad categories:
- Password Safety
- Computer/Device Safety
(For our purposes, the words “computer” or “device” are used interchangeably to refer to anything you might be using to access your email, e.g., a desktop or all-in-one computer, laptop, tablet or smartphone.)
In terms of Password Safety, the picture below pretty much sums up two of the most common problems:
In other words:
- Don’t make your password something easy to guess – such as 123456, “password”, names of pets or family members.
- Don’t leave your password in places others can easily see or discover.
Another good tip in the Password Safety category is:
- Change your password frequently.
I call this the “Keep’em guessing” precaution. Actually, if your password never gets compromised, this really isn’t necessary. However, it’s a small thing to do, and may foil some unauthorized access attempts if it has.
For Computer/Device Safety, the suggestions below will go a long way in securing your email as well as any other client PHI you access on your device:
- Don’t store any client emails or other PHI on your computer/device.
- Don’t leave your screen accessible for others to see.
- Don’t store your username and/or password in your browser.
- Clear your browser history frequently.
We’ll discuss each separately:
Don’t Store Client Emails or Other PHI on Your Computer/Device
Coupled with password safety, this may be the #1 thing you can do to keep your devices secure. The good news here is that most of us – whether we realize it or not – are using web-based email programs these days, which pretty much takes care of this issue for you. Web-based email is NOT stored on your computer. Instead, your browser (e.g., Chrome, Firefox, Edge, Safari, IE) is used to access your email program (e.g., PSYBooks, Gmail, Hushmail, Outlook.com, Yahoo, Comcast) on the Web. The good news here is that once you log out of your browser, your email doesn’t remain on your computer. The exception is if you download attachments or save specific emails to some type of file. Those ARE stored on your computer or other device unless you saved them to a cloud-based storage system. Downloading them to your computer could leave you open for a PHI breach, should your device ever be lost or stolen.
If you are using a desktop application for your email (e.g., the original Outlook as opposed to the one you access through Outlook.com), it’s a whole different issue. With desktop apps, EVERYTHING is stored on your computer. This means that, unless you use encryption software to encrypt your entire device, anyone who gets their hands on your device automatically has access to your email.
Don’t Leave Your Screen Accessible for Others to See
If you want to be squeaky-clean here, you could shut down your computer each time you leave you office. However, that’s hard on computers and, in most cases, isn’t warranted. Other options are to simply log out of your email program or, in the case of web-based email, close your email program’s tab in your browser. If you’re not going to be gone long – turning off your monitor or locking your office door (assuming your screen can’t be seen through any office windows) might be other alternatives.
Don’t Store Your Username and/or Password in Your Browser
Browsers and other programs try to be helpful by asking us if we want them to remember our username and/or password. Depending on the site you’re visiting, it might be just fine to say yes and it CAN be a helpful feature. However, never, ever, EVER agree to that when client data is involved – which includes the email system you use with your clients. The reason is simple: if your browser has this information saved for you, a potential bad guy doesn’t even have to try to guess your password or hack into your system. You’re handing it to them on a silver platter and they can log in as easily as you can. And, as was mentioned in the opening paragraph of this article, the strongest encryption in the world can’t protect against someone who has access to your password.
Clear Your Browser History Frequently
This is another advantage of web-based email. Each browser has a way that you can clear your web-browsing history – often referred to as your “cache”. The advantage of doing this is that if someone gains access to your computer right after you cleared your cache, they’re not going to know which program you use for your email, much less how to get into it. How often you do this is up to you, although clearing your cache is also part of good computer care in general. You’ll be able to browse much faster with a recently cleared cache.
Remember, safe email consists of the following:
- Data in motion encryption
- Data at rest encryption
- Safe email habits
When you use PSYBooks’ encrypted email, the first two are taken care of for you. Hopefully, this article will help you with your part of the equation, i.e., safe email habits.