Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 619: Public Wi-Fi: Is It Still a Security Risk? What Therapists Need to Know About Untrusted Networks.
Liath Dalton
This is a really important discussion, and one that got prompted by folks checking, and reasonably so, if the prohibition on connecting to untrusted networks still stands, because many folks have heard some version of “everything is encrypted on the internet now, so Wi-Fi isn’t really a problem anymore!” And unfortunately the Wi-Fi–or public Wi-Fi–not being a problem portion of that is not true. There is, right, a grain of truth in the statement that virtually all traffic to and from websites on the internet is encrypted now, right, Evan? That’s what the S in the HTTPS of a website URL or address denotes, right?
Evan Dumas
Yeah, most of the sites are that way, not all sites, but most, yeah.
Liath Dalton
And some browsers won’t even let you go–
Evan Dumas
Exactly.
Liath Dalton
–to a site that does not have the S, because it’s like this is dangerous, but really, what that is about is preventing snooping or eavesdropping, and so today we are going to talk instead about why connecting to untrusted networks is still a security concern.
Evan Dumas
Oh, definitely,
Liath Dalton
Even though the issue isn’t so much eavesdropping anymore, and then really contextualize this in the context of basically applying a simple risk analysis lens. Because if you apply the risk analysis lens and kind of formula, that answers the question of “is this an issue that merits having safeguards and policy and procedure to implement those safeguards warranted?” So we wanted to also speak to another kind of common misconception that we are increasingly hearing about recently. Sometimes it’s therapists reeling that clients have sort of shared this perspective with them, but it also is something that therapists themselves have–or some have–absorbed, or are at least wondering about to a certain extent, which is basically a conflation of privacy and security, and feeling as though nothing is private anymore, so what’s the point. Kind of, right?
Evan Dumas
Yeah
Liath Dalton
So, Evan, what are the key distinctions between the premise of privacy questions versus security questions and considerations?
Evan Dumas
Yeah, well, privacy can be summed up as a sort of, like: who can see what I’m doing, and how are things hidden, like, how is it being collected? Those are sort of privacy concerns–how is it being used? Security is a much broader concern of, like, who has access to things, who provides authorization to things, are things altered or stolen, or even held hostage. Like, security is more concerned with that level, not necessarily the privacy. It’s a nuanced difference, for sure. And that’s why a lot of people are like, you know what, same thing, whatever, privacy, security. But they are different. And I wanted to speak to one thing about that all-or-nothing thinking, of like, well, nothing is private, everything’s read by AI, whatnot; that throw-your-head-up-in-the-air type–or throw-your-hands-up-in-the-air type–experience, that overwhelm, is totally normal, and it just means that you don’t have the caloric capacity for nuance. So, black and white thinking is always a great sign that you’re stressed and need some self-care. And it also isn’t true. Anytime anyone asks us these questions, we always say no, it depends, and no, there is nuance to it. So we’re always happy to explain that to you.
Liath Dalton
Exactly, which is why we thought that addressing this topic now, based on the current threat landscape, as well as what the readily available safeguards are, was something that made sense, and would be supportive, because we want to speak to where nuance exists and where it merits practical application action, but also do so without getting into the weeds of the technical aspects of it that aren’t required, actually, to fully understand or be able to explain in order to prevent against, right? So as we said at the outset, the threat has changed in terms of what the biggest risks are from using public Wi-Fi, because it used to be primarily that someone could snoop on your internet traffic, but now the level of encryption that is present has dramatically reduced that concern, and that is really good news.
Evan Dumas
Oh, yeah.
Liath Dalton
But it doesn’t mean that the risk of public Wi-Fi has disappeared, because the bigger concern is not that someone can see what website you’re visiting or what you’re doing on that website, the issue is what can happen when you connect a trusted device to an untrusted network. So this really vital tool that you’ve taken steps to safeguard, because of how important it is, so your computer that is used to access client info and handle the highest sensitivity of protected health information is then being connected to an environment that contains threats. And if those threats are realized, those threats can be really consequential. So basically it’s not so much the network that we are trying to protect, it’s the device.
Evan Dumas
Yeah.
Liath Dalton
So Evan, what do we mean when we’re talking about an untrusted network? Because I think it’s really important that we be clear on this. It doesn’t just mean one that doesn’t require a password to join.
Evan Dumas
Oh yeah, an untrusted network is, you know, one that you haven’t set up yourself, of course, but the examples of these are coffee shop Wi-Fis, airports, hotels, conference rooms. Anybody can create a little network device that just says free McDonald’s Wi-Fi, even if it might not be actually legit free McDonald’s Wi-Fi. So, there’s no way of knowing when you connect to a Wi-Fi network that you don’t trust if it’s legitimate or not, if it’s–if it’s safe or not.
Liath Dalton
Exactly, because you don’t know how it’s configured, who else is connected, as Evan said, whether it’s even legitimate, right? Because, especially in very public spaces, like an airport or hotel, or even around hospitals, it’s very easy to just put up another network and name it something very similar, and know that not everybody who is looking to connect to the legit network is going to know exactly what the legit network name is, and therefore might just hop on to it, right? So those things that we don’t know about public networks are what creates the risk. So let’s paint a more vivid picture here. Imagine you’re at a conference, and you open your laptop to connect to the hotel Wi-Fi, and then a page appears to ask you to sign in and verify some personal identity before your actual internet access is granted. Maybe it asks you to sign in with your Google account, or accept a security prompt, or even install an update to proceed. Everything about that looks and seems legitimate. We’re habituated to understanding those sorts of prompts to be part of the process when connecting to a public network, and so the issue there is that a lot of times folks will proceed without giving it a second thought. So this is one area of risk exposure, because that prompt can be fake, and that’s in fact the most frequent way that permitting connection to public Wi-Fi networks results in harm or bad guys getting access–it isn’t so much that someone has you, you’re being connected to a public network to hack your computer, but that the initial sign-on page is a great opportunity to gather credentials, identity information, or even prompt an install of software that can track keystrokes or be malware.
Evan Dumas
Yeah, it’s another vector for scams.
Liath Dalton
Yeah, right, another sort of flavor of social engineering, right?
Evan Dumas
Yeah, that food might look delicious, but the cutlery is dirty.
Liath Dalton
Great analogy. So, again, the Wi-Fi itself isn’t so much the concern generally, it’s the issue of the network creating opportunities for compromise, and what attackers primarily are interested in are credentials, and/or device compromise in order to obtain credentials. And the easiest way to compromise the system is always going to be not through breaking into it, but by convincing someone to open the door, and basically a public network can be a means of opening the door. We don’t want to open doors to our devices.
Evan Dumas
No, no, no, we put them closed.
Liath Dalton
Nope, keep them closed. So a little bit more about why this really matters for therapists who are entrusted with safeguarding high sensitivity client information; it is that if a device that is used to handle or access that information is compromised, the consequences of that compromise are not contained to that actual period of time in which the device was connected to that public network. And we’ve talked about this before, that a common approach to network security for folks is to understand on some level that there are threats about being connected to public networks–networks that aren’t controlled and verified to be secure–but there is a big holdover in the eavesdropping concern in terms of what figures most prominently in how we think about what that threat actually is. So folks will say, yeah, I most certainly do not connect to public Wi-Fi with my practice device to log into the EHR, or even check my practice email, but it’s a BYOD device, so I use it to connect to social media or do shopping or any other personal items that don’t seem to have the same sort of risk, right? It doesn’t seem like it’s related to protecting or not protecting client info. It seems like it’s somehow segmented because that’s not the information that you’re interacting with when you’re connected to that public network.
Evan Dumas
Yeah. Again, just another confusion of privacy and security.
Liath Dalton
Exactly. So, what we are needing to manage is keeping the device protected, and it’s really important to understand that security is always going to be something that is layered and requires multiple components, because one of the other sort of questions that we get around how big of a threat public Wi-Fi actually is, is: well, I’ve got my device up to date, and I have antivirus and anti-malware on there, and all my practice accounts use two-factor authentication. So, at that point, what does it really matter if someone tries to do something bad or not? And all of those things are protective. They do reduce the likelihood that connecting to a public network where there are attackers, or folks with bad intentions are present, is going to result in a device compromise. It reduces that risk, but it doesn’t eliminate it. And so that is where we get into what is the risk analysis lens? And how do we apply that? And if we do that, what is our answer? So, Evan, you are our risk analysis guru. What is kind of the formula in terms of likelihood and impact?
Evan Dumas
Yeah, you know, it’s a look at both, you know? Like risks, the way we look at them are: you compare the chance of it happening with how bad it would be if it did happen. So you know, if it has a low chance of happening but a really high impact, that’s less of a risk than if it has a, you know, great chance and great impact. So you can use your risk analysis lens to, you know, compare the difference between, say, Grandma’s Wi-Fi versus “Super Free Wi-Fi Router at 711,” and then you can use the impact difference of, like, okay, has my device been super securely hardened? Do I have a great antivirus, great malware? Am I trained up on scam preventions? Versus, oh, I haven’t done any of those things, I haven’t hardened it yet. Oh, yeah! Like, you know, you’re going to want to look at PHI exposure, financial harm, maliciousness of your network, reputational harm. Like you want to take into account all these impacts and likelihoods.
Liath Dalton
Exactly, because it is not an issue of is this definitely going to happen or highly likely to happen? It’s really a question of if this is a foreseeable risk, are there reasonable safeguards available?
Evan Dumas
Yeah.
Liath Dalton
And like Evan said, when we’re calculating threat level, it’s both likelihood and impact, so even if something is low likelihood but high impact, that still means that it is something that requires reasonable and appropriate safeguards. That we don’t just say, “oh, well, it’s low probability of occurring, so not going to take action.” And I want to be really clear, too, that while, if you have all those other measures, security measures, and layers of security in place that we just talked about, the likelihood is significantly reduced, it is still not zero, so it is still considered by security experts to be a moderate threat. So again, when we multiply likelihood by impact, then it means that we still have a high impact outcome, which deserves attention. And thankfully we have readily available, in many instances, zero additional cost safeguards available to us.
Evan Dumas
Yeah.
Liath Dalton
So that means the safeguards are simple, burden is low, and it really does translate to meaningful risk reduction. Okay, what are those great, reasonable, and appropriate safeguards?
Evan Dumas
Oh, yeah, yeah, you got your hotspots and your VPNs. You may have seen VPNs all over the place now, because people are getting more and more concerned, and they’re trying to, you know, everyone has their own flavor of it.
Liath Dalton
Exactly. So this is another point to have a little aside, which is that a VPN, or virtual private network, basically gives you an encrypted tunnel to whatever connection you are using. So even if it’s a dirty network, folks can’t leverage your connection to it to then access the device and use ports, open ports on your device to do bad things there, basically. And so the next question that usually comes up is, okay, well, what’s a good HIPAA compliant VPN to use? Well, you do not actually need a HIPAA business associate agreement with a straight VPN service provider, because they are not actually handling client information for you in any way that creates a HIPAA business associate relationship, so therefore no HIPAA business associate agreement is needed. And this is analogous to your internet service provider as well. It’s basically just the connection, but they aren’t seeing or storing the data on your behalf. So they are not a business associate, so you don’t need a BAA. And the great sort of side effect of that reality is that in a group practice context where we have a clear prohibition on personal service use, when we’re talking about a service that qualifies as a business associate, there is not a requirement then when it comes to VPNs that it be a practice provided service. If someone already has a VPN service, they can use that VPN without it breaking other policies and procedures of the practice related to keeping client info within the practice’s security circle, meaning systems that the practice controls and has access to. Is it a great thing to provide a VPN service to team members if they are frequently mobile and would have use for it? Yes, especially because it is a really economical system to provide, and then you know that folks have that functionality available, and that it’s from a high-quality VPN service.
But it’s not an issue of it being a requirement that a VPN be provided by the practice, and that can be useful in a lot of circumstances, especially if it might just have one-off utility for someone while they’re traveling, but they aren’t frequent travelers. Now, Evan, can you talk about the beauties of hotspots? Because that doesn’t require a VPN service, and it’s just using a tool and functionality that you already have at your disposal.
Evan Dumas
Oh, yeah, yeah, every smartphone comes with it. Even if your phone doesn’t have a data plan that supports it, you can always get one in case of an emergency. It’ll also work wirelessly. So, back in the day, you’d have to plug it into your phone. Now you can do it wirelessly, and it’s just like the close wireless connection from your phone to your computer. Wired’s a little bit faster. I like it, but you know, do what you want. And it’s great, you always have it, and especially if you’re not doing data-heavy tasks like checking email and whatnot, very, very secure, very, very cheap.
Liath Dalton
Exactly, and I want to emphasize something here as well, which is that these are beneficial safeguards to have in place, not just for client information, but also for your own or your team members’ protection for their own identity and financial information. We have really gotten into poor security habits as a culture, right? And so it’s important to note that this is not just a HIPAA concern, it’s something that NIST–the National Institute of Standards and Technology, the sort of the folks who are basically the federal agency responsible for developing most of the cybersecurity frameworks and best practices used in government and healthcare, as well as a lot of private industry–NIST continues to treat public networks as untrusted environments where additional safeguards are required. And I want to say, going back to this isn’t just about healthcare or work info or a HIPAA concern. Increasingly mainstream consumer publications like Forbes and Reader’s Digest and many others have published recent warnings about the risks of public Wi-Fi and how we are overly casual around connecting to whatever networks are available, so this isn’t something that is purely a HIPAA concern or just a risk-averse PCT takeaway as to how to manage potential threats, but there is consistency across the spectrum over how this threat is viewed and what are considered reasonable and appropriate safeguards, and what’s wonderful is that those are, as Evan just described, super accessible and easy to implement. Yeah, so the TLDR, which maybe we should have just put at the front–so I guess it’s not a TLDR, it is an “in summation.”
Evan Dumas
No, they’re not safe.
Liath Dalton
In summation, yes, public Wi-Fi is still a threat. It’s a different kind of threat, but an even more insidious threat, honestly. Because if the threat used to be more about just what you were doing at that time, that’s easier to sort of lock down, or at least wrap your mind around locking down and being able to conceptualize the threat and impact. So now it is different, and it is more about the device, and then the potential compromise can be anytime in the future, anything that that device connects to.
Evan Dumas
Yeah.
Liath Dalton
So we need to use safeguards that we have in place. It doesn’t mean every network that is public is bad, it just means that because it can be, and we don’t have guarantees, we want to have every reasonable and appropriate layer of security that we can deployed to prevent bad stuff from happening. So there you go, in today’s episode of The More You Know! But hopefully it’s also helpful to security officers and group practice leaders who have been getting questions from your team about this sort of thing, and like, is this really still an issue? Is this a little bit of an overkill policy? And so we want you to be able to, with confidence, answer those questions and describe what the risks are, because we always want the measures to be reasonable and appropriate in security terms, but also reasonable and appropriate means something that we’re able to effectively communicate to the workforce members who have to follow those requirements. So we’ll put some additional resources in the show notes, as always, which will include a couple of those consumer-facing articles, in case those are helpful to share with team members if they query this, and then also a link to the PCT suite of resources, or information about them, which is our device security training instructional center and registration process, and then a remote workspace training and instructional tutorial center and registration process as well that are specifically designed to help group practices manage these needs in an efficient and streamlined and user friendly way. So check those out if these are things you are navigating in your practice, and we will talk to you folks next week!
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share what you need to know about public wi-fi networks & the security risks they pose to your devices and information.
We discuss:
- The difference between privacy and security
- How the risks posed by public wi-fi networks have changed over time
- What security risks public wi-fi networks actually pose to your device
- How to use a risk analysis lens to put simple, accessible safeguards in place
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources:
- Reader’s Digest Article: There’s a New Danger When Connecting to Public Wi-Fi—Here’s What You Need to Know
- Security Magazine Article: 5M Public, Unsecured Wi-Fi Networks Found Exposed
- Forbes Article: Stop Using Public Wi-Fi, Google Warns—Change Your Phone Settings
- AP News: One Tech Tip: Logging on at a cafe? Privacy and security guidelines for remote workers
- Zimperium Article: Travel Is Up and So Are the Risks 5 Million Public Unsecured Wi-Fi Networks Exposed
PCT Resources:
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners
- Comprehensive HIPAA Security Policies & Procedures
- Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
- Device & Workspace Security Suites
- Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
- Includes the Risk Analysis & Risk Mitigation Planning service + tool
- HIPAA Security & Privacy Ethics training
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more