A Few Words on Security

Technology is an amazing and wonderful thing. Stop for a minute and think about the fact that the computer (smartphone) you’re holding in the palm of your hand probably has more processing power, RAM, and storage than the eight pound laptop you had 10 years ago. I was just thinking the other day that my 20 month old son no longer needs the motor coordination to use a mouse in order to master the use of a computer – he can turn on an iPad and pick his app, at least when he can get one finger to the screen instead of his whole hand. The potential of these devices as the use of a tool in therapy is amazing.

However, think about the last time you or a colleague lost a smartphone or tablet – even for a minute. Then think about how much worse it would feel if there was any sort of client information accessible on that device. Always keep in mind that the combination of tiny, fragile computers, HIPAA, and ethics can make these devices a significant liability if they are not managed properly. Many of the apps I talk about here keep some sort of data on your device; most of them only allow you to manually wipe data. There are some otherwise secure ways to access client files on your phone or tablet if you are out of the office – but if any random person can access your phone, then you can be in significant trouble.

You’ll need to remember one rule: there is no electronic security that is ever 100% risk-free. Every day we see about a shopping site, or a bank, or a gaming company that gets hacked. It’s just a reality that we have to account for, and in an odd turn of events, both ethics and law understand that electronic security is never going to be an absolute thing. There are three things that you need to do in order to limit the dangers to confidentiality and privacy inherent in these devices:

1. Implement a device-level passcode of some sort. Apple products allow you to create a PIN that is required to access the device. Android products also let you use a PIN. Most Android products also have the ability to create a pattern-based passcode that even the FBI can’t crack. (UPDATE August 2012: Not anymore).
2. Disable auto-login on any software that can access data that is best kept private (yours or the client’s. It’s just good practice).
3. Make sure that clients are aware of the unique risks of lugging around data on their phone that they might want to keep private, and advise them of these security features. While paper homework that you give clients might be pretty safe, kids, friends, and partners regularly pick up someone else’s phone. (Keep in mind that a partner could become worried if a person suddenly puts a passcode on their phone, and be ready to defuse that).

A final important point: neither law or ethics codes have kept up with the fast pace of technology or the widespread use of insecure communication tools. SMS (text messaging) is a currently relevant example. If you are going to use SMS or similarly insecure methods to communicate with a client (like some really cool recent research in the medical and mental health fields), make sure that they are aware of the risks involved. Most likely, they’ll want to have these tools available to them anyway.

Advertisement