For professional therapists, confidentiality is a big issue. Did you ever think you’d know as much as you do about shredders, locking file cabinets and white noise generators? With electronic communication with clients quickly becoming a norm for our profession, it’s time to add encryption to the list of things we know how to use.
“Encryption” is using a secret code to trade messages. It’s a collaboration towards making a communication private, even when it happens in public spaces. Encryption is a tool that you and your clients can use together to protect your mutual privacy, nurture trust and lower barriers to communication.
More rigorously stated, encryption is the process of taking a communication, such as a letter or phone call, and converting the content of the communication into something that is completely unreadable, and doing it in a way that only the intended recipient can decipher.
The idea of encryption is to allow private communication across non-private channels. If two people are in the same room together, they can whisper or trade notes directly — no need for encryption. But if I want to send a sensitive message across the Internet to a client, I need to make sure that the message is unreadable by any third parties that may get their hands on it, so my client and I use encryption.
What Does Encryption Look Like?
The following is a very simple key for a very simple form of encryption:
The above table describes a code for encrypting written messages. In the original message, whenever you see the letter “a,” you turn it into the number “1.” When you see a “b,” you turn it into a “2,” and so on. When the conversion is complete, your message has been turned into an unreadable mess of numbers.
If I sent the above encrypted message to you, and a third party intercepted it, they would just be looking at a senseless bunch of numbers. Unless they can break the code or find the key we used to make the message, they can’t read it — our privacy is safe.
The above code would not be secure enough to use in the modern age, of course. Modern encryption uses extremely complicated math that requires a computer to do. Fortunately, we don’t need to understand encryption math to understand how to use encryption in our practices.
Encryption Is a Collaborative Process
Like most things in our work, using encryption is a collaboration between the clinician and the client. For example, if you want to exchange clinical information by email, both of you need an encrypted email service.
Usually encryption is used between two or more parties. Each party knows how to decrypt (turn back into a readable message) messages that were encrypted (made into unreadable messages) by the other parties. Usually this means that all parties are using encryption-capable tools to talk to each other. This makes for the cardinal rule of encryption:
The Cardinal Rule of Encryption: All parties involved in trading encrypted information must actively collaborate in the encryption process.
This means that in order to encrypt communications with a client, both you and the client must be using a tool that supports the same encryption. A perfect example is email. Email is normally not encrypted, but you can get encrypted email by signing up for a Hushmail account. Hushmail is a service similar to Gmail or Yahoo!Mail. Unlike those services, however, it allows you to send and receive encrypted emails. The rub is that your clients have to also be engaged in the encryption process, so it’s not enough for you alone to have a Hushmail account. Your client must also have a Hushmail account or another email service that supports encryption.
Despite the cardinal rule, there is a case where only one person is involved in the encryption process: encrypting your own private data. An example of this is encrypting your computer’s hard drive. In this case, you are encrypting a communication with yourself — the data on your hard drive is there for you to refer to later.
Does “Encrypted” = “Secure”?
Often the word “secure” is used to mean “encrypted,” and this can be confusing. In fact, I often see people mix the words up. For example, I have seen several posts on the Web claiming, “Skype is not encrypted.” This statement is false. Skype always uses encryption. It leads me to wonder if the authors of these statements mean to say, “Skype is not secure.” (Skype’s appropriateness for clinical use is hotly debated at the time of writing — more on that later.)
Whether or not something is “secure” is a matter of judgement — we must evaluate if something is secure based on our standards of security. But encryption is a yes or no kind of thing: “Is this communication encrypted or not?”
If a given communication tool does use encryption, the important questions for clinicians are:
- Is the encryption strong enough for our purposes?
- Besides encryption, what are the presenting issues regarding appropriateness for clinical use?
For example, when evaluating a product that you use to communicate with clients over the Internet you may ask, “Does the vendor of this product keep logs of our communications and, if so, how do they protect those logs?”
These are the kinds of questions we ask when evaluating security.
There’s More To Study
Understanding encryption in a practical sense means understanding how it is used by various communications tools, service vendors, and the like. It’s useful to be able to answer questions like, “Are my email communications using encryption?” (Hint: they probably aren’t) and, “Does my cellular phone company encrypt my phone calls?” (Hint: they probably don’t.)
I’ll be writing more articles to describe the nitty gritty of how various communication methods use, or don’t use, encryption. Be sure to subscribe to our articles (there’s a form for that in the sidebar of the Person-Centered Tech website) to make sure you don’t miss them.
How are you using encryption in your practice? In what ways are you confused or confident about encryption? Feel free to leave a comment.