
Photo credit: Pixabay/JanBaby
by Gina Griffin, DSW, MSW, LCSW
It’s hard to argue against the fact that technology has revolutionized the ways in which we deliver effective healthcare. In the 1990s and early 2000s, healthcare providers began to rely heavily on electronic health records to provide better patient care (Evans, 2016). Child welfare and social services also have a long history of integrating client data into data-driven decision-making and predictive analysis, among other functions (Child Welfare Information Gateway, 2024). And many therapists have begun to offer telehealth services, or to provide therapy entirely online.
At the heart of these services is the collection of massive amounts of personally identifiable information, such as client names, Social Security numbers, and email addresses. Although it’s difficult to arrive at an exact figure, the amount of client data collected yearly can likely be counted in terabytes (trillions of bytes) and petabytes (quadrillions of bytes). Even though this data can make it much easier for providers to deliver tailored services to their clients, collecting and storing it places clients at risk. A large part of the problem is that so much data stored in so many places is too tempting a target for criminals. Data breaches are on the rise and are reaching record highs. In 2023, the average cost of a data breach was $4.45 million (Dergacheva and Taylor, 2024).
The types of attacks have become sophisticated and varied. Ransomware, in which criminals encrypt or steal patient data and demand payment for its return, has been prominent in the news (Zaharka and Potter, 2024). Social engineering is another common route to private data. Here, criminals rely on methods such as targeted email (phishing), following employees into areas that require security authorization (tailgating), and shoulder surfing (watching individuals as they enter sensitive information, such as passwords). These attacks succeed because they exploit human psychology rather than technical flaws (Colorado Department of Education, 2020). To complicate matters, factors such as employee negligence and poor security protocols also place data at risk. All of these types of data breaches create serious consequences, such as loss of trust with clients and vendors, financial losses, and legal and regulatory penalties (Sharp, 2024).
So, what can we do as providers to protect our client information? It’s easy to understand that large and mid-size organizations have an obligation to collect client data safely. But even providers in small practices can and must follow appropriate steps to protect client data. Here are some suggestions to help you do that (Staus and Funicelli, 2024):
1. Use Strong Passwords and Authentication
Most of us know the drill by now and can generate strong passwords. Many internet browsers and password managers now offer built-in tools to generate strong, unique passwords and remember them for you. We also know not to reuse the same password across multiple accounts, because a password leaked from one site will be tried against others. We should also use multi-factor authentication (MFA) whenever we can. This adds a second step to signing in, such as entering a one-time passcode from an authenticator app like Duo or approving a prompt on your phone. Where you have the choice, an authenticator app or a hardware security key is preferable to codes sent by text message, which can be redirected to a criminal who takes over your phone number.
2. Secure Devices and Networks
For devices, it’s important to keep operating systems and software updated with the latest security patches; turn on automatic updates wherever you can. We should also install appropriate antivirus and anti-malware software and keep it updated. Firewalls help control which network connections can reach your computer. As far as networks are concerned, avoid using public wifi for sensitive work. One way that I’ve been able to make my own data safer when I’m traveling is to use a travel hotspot. There are quite a few on the market, and they can help you to avoid using questionable networks, such as hotel or airport wifi. You can also use a VPN (virtual private network) to keep your connection encrypted on networks you don’t control.
3. Implement Secure Remote Access Protocols for Teletherapy Sessions
This means using HIPAA-compliant platforms, such as doxy.me, to provide client care. Ensure that the platform offers end-to-end encryption and strong security measures. Texts and emails can be protected by signing a BAA with service providers such as iplum. A Business Associate Agreement (BAA) is a legally binding contract between a healthcare provider and a third party that handles Protected Health Information (PHI) on its behalf, setting out how that information must be safeguarded.
4. Encrypt All Sensitive Client Data, Both in Transit and at Rest
This ensures that data remains unreadable to anyone who does not hold the key, even if the file, disk, or connection is exposed. On laptops and phones, the simplest form is full-disk encryption (BitLocker on Windows, FileVault on macOS, and on by default on current iPhones and Android phones once a passcode is set), which keeps client files on a lost or stolen device from becoming a breach. In transit, look for the padlock (HTTPS) in the browser and avoid sending PHI over ordinary email or text messages. If you’re using cloud storage services, choose providers with strong security measures and strong encryption protocols, and sign a BAA with them. It’s also a good idea to purchase cyber insurance to protect you financially in the event that client data is exposed.
5. Use Secure Communication
Be cautious of phishing emails: check that the sender’s address really matches who the message claims to be from, and avoid clicking on suspicious links or opening attachments from unknown senders. Use encryption for sensitive email communications. Most HIPAA-compliant email services will require that you sign a BAA with the provider.
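As an added example (not from the original article), here is a small Python triage script that applies three of the sender checks above to raw email messages: whether the sender’s domain is a near-miss of a domain you trust, whether the display name borrows a trusted brand while the address does not match it, and whether a Reply-To header would route your answer somewhere else. The trusted-domain list and the three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Hypothetical allowlist: domains the practice actually does business with.
TRUSTED_DOMAINS = {"doxy.me", "iplum.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn a into b (d0xy.me -> doxy.me is 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess_sender(raw_message: str) -> list:
    """Return a list of warning strings for one RFC 822 message.
    An empty list means none of the three heuristics fired."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["From header is missing or malformed"]

    warnings = []
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Lookalike domain: within two edits of one we trust.
            if levenshtein(from_domain, trusted) <= 2:
                warnings.append(f"sender domain {from_domain} looks like {trusted}")
            # Brand impersonation: the name says one thing, the address another.
            brand = trusted.split(".")[0]
            if brand in display_name.lower():
                warnings.append(f"display name mentions {brand} but address is @{from_domain}")

    # Reply-To elsewhere: whatever you send back (and attach) goes to that address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return warnings


# Constructed sample messages (headers only matter for these checks).
LEGITIMATE = (
    'From: "doxy.me Support" <support@doxy.me>\n'
    "To: therapist@example-practice.org\n"
    "Subject: Your waiting room link for Monday\n"
    "\n"
    "Your telehealth waiting room is ready.\n"
)
LOOKALIKE = (
    'From: "doxy.me Support" <billing@d0xy.me>\n'
    "Reply-To: collections@mail-pay.example\n"
    "To: therapist@example-practice.org\n"
    "Subject: Urgent: update your payment details\n"
    "\n"
    "Your account will be suspended unless you confirm your card today.\n"
)
SPOOFED_REPLY = (
    'From: "iplum" <notifications@iplum.com>\n'
    "Reply-To: support@ipl-um-help.example\n"
    "To: therapist@example-practice.org\n"
    "Subject: Please re-send the client intake form\n"
    "\n"
    "Reply to this message with the form attached.\n"
)

if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                          ("spoofed reply-to", SPOOFED_REPLY)]:
        print(label, "->", assess_sender(sample) or ["no warnings"])
```

These are heuristics for deciding what to look at twice, not proof of anything: the From header itself can be forged, and authenticating it is the job of your mail provider’s SPF, DKIM and DMARC checks. A two-edit threshold is deliberately loose and will flag some honest domains, which is the right trade-off for a mailbox that receives PHI.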
6. Train Employees
Make sure that your staff are trained properly and regularly and that they understand concepts such as phishing scams, social engineering tactics, and the importance of data security. Also, make sure that you provide clear guidelines on acceptable internet usage at work and data handling practices. Staff should understand that low-tech breaches, such as leaving sensitive material in the copier tray or out on desktops, are easily avoidable with proper care.
7. Develop a Data Breach Response Plan
Create a comprehensive plan to deal with data breaches. Identify in advance the staff members who will handle aspects such as containment, client notification, and legal issues if there is an event, and keep a copy of the plan somewhere you can reach when your systems are down. Test the plan regularly, for example by walking through a simulated ransomware incident, to be sure that it remains effective.
8. Comply With Regulations
Be sure to comply with HIPAA, which sets strict rules for protecting patient health information. It’s also important to be familiar with state and federal laws related to data security and privacy, including breach notification requirements. Create and maintain a retention schedule that sets time limits for storing client data and a secure method for disposing of it.
9. Stay Informed
Know about the latest cybersecurity threats and best practices by subscribing to security advisories and attending relevant training sessions.
Protecting client data is a critical responsibility for all social workers and mental health professionals. It takes a little extra work, but it’s an important part of client care in the twenty-first century.
References
Child Welfare Information Gateway. (2024). Data collection and analysis. https://www.childwelfare.gov/topics/data-systems-evaluation-and-technology/data-collection-and-analysis/?top=182
Colorado Department of Education. (2020). The psychology of social engineering: Why it works. https://www.cde.state.co.us/dataprivacyandsecurity/socialengineeringeducation
Dergacheva, A., & Taylor, J. R. (2024). Study finds average cost of data breaches continued to rise in 2023. https://www.morganlewis.com/blogs/sourcingatmorganlewis/2024/03/study-finds-average-cost-of-data-breaches-continued-to-rise-in-2023
Evans, R. S. (2016). Electronic health records: Then, now, and in the future. Yearbook of Medical Informatics, 25, S48-S61. https://doi.org/10.15265/IYS-2016-s006
Sharp, A. (2024). How data breaches erode trust and what companies can do. https://securitybrief.com.au/story/how-data-breaches-erode-trust-and-what-companies-can-do
Staus, C. H., & Funicelli, A. M. (2024). Making patient privacy and data security a priority in telehealth delivery. https://www.apaservices.org/practice/business/technology/tech-101/role-technology-telehealth
Zaharka, S., & Potter, A. (2024). From Royal to BlackSuit: Understanding the tactics and impact of a sophisticated ransomware strain. https://darktrace.com/blog/from-royal-to-blacksuit-understanding-the-tactics-and-impact-of-a-sophisticated-ransomware-strain
Dr. Gina Griffin, DSW, MSW, LCSW, is a Licensed Clinical Social Worker. In 2012, she completed her Master of Social Work at the University of South Florida, and in 2021 she completed her DSW at the University of Southern California. She began to learn R programming for data analysis in order to develop her research-related skills. She now teaches programming and data science skills through her website (A::ISWR) and free Saturday morning #swRk workshops.