Hello! I’m Roy of Person Centered Tech. We know that you want to focus on your clients, so we provide articles, tools, and continuing education on how to best serve clients in the digital world.



I don’t do a lot of consulting for people who’ve experienced a “security breach” in their practices. But in the last year I’ve gotten 7 inquiries about security breaches from colleagues, and every single one was from someone whose email had been hacked into. So I’d like to make sure everyone knows the two things that can prevent the same from happening to them.

6 out of 7 of the hacked email accounts were Gmail accounts, which is at once unsurprising and strangely ironic (for reasons I’ll explain in a minute). It’s not that Gmail has poor security – quite the opposite. It’s just very popular. And bad guys spend a lot of time trying to gather passwords for email accounts, including Gmail.

Two things could have been done that would have, with a good 95% certainty, prevented the breaches from happening. I’ll describe them in reverse order.

Email Safety Step 2) Two-Factor Authentication

What a clear and descriptive name, right?

It sounds much more intimidating than it is, really. It simply means that instead of using only your password to log in to your email, you use both your password and one other thing.

Imagine this: you sit down at your computer and go to your email. It asks for your password. You type it in. Then it says, “We’ve sent you a text message. Please type the code from that text message here.” You then receive a text message on your phone. It has a little code in it. You type that code into your computer. Now you’re logged in. Voila. I like to call this “The Two-Factor Dance.”

“But Roy?” You may ask, “how do they have my phone number??”

When you turned on two-factor authentication, you gave them your phone number. That’s part of why you have to go turn it on yourself, and it can’t just be switched on automatically on your behalf.

Google also offers a neat app for your smartphone (Google Authenticator) that can let you skip the whole text message thing altogether. You just open the app, it gives you a temporary code that changes every 30 seconds, and you type it in to the computer. Done. Because the code is computed on the phone itself, it works even when you have no cell signal.

WATCH: Rob Demonstrates the App for Two-Factor Authentication (2 min.)
or Watch the Whole Episode of Therapy Tech Here

And here’s the kicker: with Gmail, you don’t even have to type in this code every time you sit down to read email. You only have to do it once (or so) for each gadget you check email on. Once you’ve done the two-factor dance once, the device becomes “registered.” You may occasionally have to renew that registration by doing the two-factor dance again at some point in the future, but not very often.

This works because the vast majority of email hackery is done by getting ahold of people’s email passwords. Bad guys then use their own gadgets to log in to those hacked accounts. But with two-factor authentication turned on, stealing the password isn’t enough. The bad guys can’t register their devices and, thus, can’t get into your email account. Their hackery is denied! (It isn’t airtight: a convincing fake login page can ask you for the code too and use it before it expires, so treat the code like the password and only type it into the real site. But the common attack, a stolen password used from the attacker’s own device, is stopped cold.)
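To make the “two-factor dance” concrete, here is an added example (written for this article; it is not Google’s code and Gmail’s internals are not published here) of what the service does on its side. The phone app in the article generates codes with the standard time-based one-time password algorithm (TOTP, RFC 6238), which is what the `totp` function implements. The shared secret, the password, the device names, the 30-day device-trust period and the clock values are all constructed for the demo; the real service would store the secret when you turn two-factor on and show it to your phone as a QR code.

```python
"""TOTP second factor plus a 'remembered device' registry.

Added illustration for the article above; not Google's code.
Secret, password, device names and trust period are constructed demo values.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo data (assumptions, not values from any real account).
USER_SECRET = b"demo-shared-secret-12345"      # shared with the phone app when 2FA is enabled
SALT = b"constructed-salt"
TRUST_DAYS = 30                                # how long a registered device skips the code
TRUSTED_DEVICES: dict = {}                     # device_id -> unix time the registration expires


def hash_password(password: str) -> bytes:
    """Slow salted hash so a stolen database does not hand over the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


PASSWORD_HASH = hash_password("correct horse battery staple")  # constructed demo password


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time window containing `at` (HOTP over a time counter)."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def code_is_valid(secret: bytes, submitted: str, at: float, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, at + k * 30), submitted)
        for k in range(-drift, drift + 1)
    )


def login(password: str, code: Optional[str], device_id: str, now: float) -> str:
    """Password first; then either a remembered device or a fresh code from the phone."""
    if not hmac.compare_digest(hash_password(password), PASSWORD_HASH):
        return "denied: bad password"
    if TRUSTED_DEVICES.get(device_id, 0) > now:
        return "ok: remembered device"            # the dance was done recently on this gadget
    if code is None or not code_is_valid(USER_SECRET, code, now):
        return "denied: second factor required"   # stolen password alone gets the attacker nowhere
    TRUSTED_DEVICES[device_id] = now + TRUST_DAYS * 86400
    return "ok: device registered"


if __name__ == "__main__":
    t = 1_700_000_000.0                       # constructed clock value
    phone_code = totp(USER_SECRET, t)         # what the app on the phone would display right now
    print(login("correct horse battery staple", None, "attacker-laptop", t))            # denied: second factor required
    print(login("correct horse battery staple", phone_code, "my-laptop", t))            # ok: device registered
    print(login("correct horse battery staple", None, "my-laptop", t + 5 * 86400))      # ok: remembered device
    print(login("correct horse battery staple", None, "my-laptop", t + 40 * 86400))     # denied: second factor required
```

The attacker in the first line has the correct password but no phone and no registered device, so the login fails; the owner’s laptop gets registered once and then skips the code until the registration lapses. The `totp` function matches the published RFC test vectors, so you can check it against any authenticator app loaded with the same secret.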

The reason it’s ironic that so many of those hacked email accounts were Gmail is that Gmail is one of the few popular email services that offer you the ability to use two-factor authentication. If everyone used the free and (relatively) easy service that Gmail and a few others offer, we would have a fraction of the email account breaches we have now.

In fact, security experts have opined in the past that for clinicians who are still waiting to do their Security Risk Analysis, it is important to do two things: 1) set up two-factor authentication wherever you can, and 2) full-disk encrypt your computer.

“But Roy?” You may ask again, “what is this Security Risk Analysis thing you’re talking about?”

That’s a good question, anonymous reader. Thanks for the segue!

This free, informative article is brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.


Roy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure forms for your web page, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
(Disclosure: Roy now does a small amount of consulting for Hushmail to make their product better for mental health professionals.)

Email Safety Step 1) Security Risk Analysis

I don’t get excited when people ask me for help with security breaches, but afterwards, I’m always glad I was involved. Dealing with a security breach can be frightening, and I like being able to apply both my technical and counseling skills to help colleagues keep perspective and work through it. It’s rarely as bad as it seems while you’re in it.

During the post-mortem of these security breach consultations, I always mention two-factor authentication. And that raises the question: “How was I supposed to know that two-factor authentication is even a thing, and how was I supposed to anticipate needing it?”

The simple answer is, “Do a Security Risk Analysis.” That’s what it’s for. (It also happens to be required by HIPAA, of course.) A Security Risk Analysis is a process wherein you do a kind of “needs assessment” for security in your practice, and then come up with a plan for meeting those needs. Click Here for a free article that helps explain.

Email is a wonderful tool, and we can use email of all kinds with clients to accomplish great ends. So no one should feel discouraged from using it wisely in their practices. We also need to enter into using tools like email deliberately, and with competence for how to use it not just effectively, but also safely.

If you feel you need help doing that, we offer shockingly affordable, personalized support services for people just like you. Preview our support service here→

You can also read our other articles for hints like the one contained here. Happy emailing!


