In March, COVID-19 forced us all to either start operating by telehealth or stop serving clients. The field adjusted quickly and admirably. However, there is now a need for clinicians to develop our basic skills – and legal-ethical compliance – around the security of our home-based telehealth offices.
Like any clinical workspace, home offices need to protect the privacy of client information while ensuring that records stay intact. Even for those who do not need to legally comply with HIPAA, its rules can provide a clear professional standard for cybersecurity.
How does HIPAA come in?
In my analysis, these are the HIPAA standards that require special attention when setting up a home-based telehealth office. I have phrased them in more easily accessible language than is used in the actual HIPAA rules.
* Security of Internet connections – “network security.”
* Awareness of current security issues which impact client privacy and safety.
* Clearly defined boundaries around physical workspaces.
* Clearly defined boundaries around access to devices and other equipment which handle client information.
Safety and WiFi
For most people, Internet access means WiFi. While most modern WiFi requires a password, that doesn’t cover the main concern.
When we connect a computer, smartphone, or other electronic gizmo to WiFi, we’re connecting it to a shared virtual space that other people also may be using. If the WiFi isn’t set up right, or a bad guy has compromised it, those other people can use the shared space to infect our devices.
There are two main options for covering this issue:
1. Secure your home WiFi. That means:
a. Setting up your WiFi router in a space which only closely trusted people can physically access.
b. Making sure the firmware is fully updated.
c. Creating two networks: one for the home and one for your practice. Most WiFi routers can create a “guest network,” so use that one for the home.
d. Making sure the security scheme on your practice network uses WPA2 with AES encryption.
e. Setting up all your devices to exclusively connect to this WiFi. When outside the range of your trusted WiFi, only use your smartphone’s cellular data as an Internet connection.
2. Use a VPN on all your devices.
Note that option No. 2 is significantly less complicated than option No. 1. That’s because a VPN service that’s properly set up will allow you to safely use pretty much any Internet connection.
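To make step 1d checkable rather than a matter of trust, here is a small audit script added as an example (it is not part of the original article). It assumes a Linux machine with NetworkManager, where `nmcli -t -f SSID,SECURITY,RSN-FLAGS dev wifi list` prints one colon-separated line per visible network; the sample scan embedded below is constructed, and accepting WPA3 alongside WPA2 is the editor's assumption, since the article names only WPA2 with AES.

```python
import re
import subprocess
from typing import List, NamedTuple

# Constructed sample, in the format of:
#   nmcli -t -f SSID,SECURITY,RSN-FLAGS dev wifi list
SAMPLE_SCAN = """\
PracticeNet:WPA2:pair_ccmp group_ccmp psk
HomeGuest:WPA1 WPA2:pair_tkip pair_ccmp group_tkip psk
CoffeeShop:--:
OldRouter:WEP:
Neighbor:WPA3:pair_ccmp group_ccmp sae
"""

class WifiCheck(NamedTuple):
    ssid: str
    ok: bool
    reason: str

def audit_line(line: str) -> WifiCheck:
    """Judge one scanned network against 'WPA2 with AES (CCMP), nothing weaker'."""
    # nmcli -t escapes literal colons in values as '\:', so split only on bare colons
    fields = re.split(r"(?<!\\):", line, maxsplit=2)
    ssid, security, rsn = (fields + ["", ""])[:3]
    protocols = set(security.split())   # e.g. {"WPA1", "WPA2"}, {"WEP"}, {"--"}
    ciphers = set(rsn.split())          # e.g. {"pair_ccmp", "group_tkip", "psk"}
    # Editor's assumption: WPA3 (the AES-based successor) is accepted alongside WPA2
    if not protocols & {"WPA2", "WPA3"}:
        return WifiCheck(ssid, False, "no WPA2: open, WEP or WPA1-only network")
    if protocols & {"WPA1", "WEP"}:
        return WifiCheck(ssid, False, "mixed mode still admits WPA1/WEP clients")
    if any(c.endswith(("_tkip", "_wep40", "_wep104")) for c in ciphers):
        return WifiCheck(ssid, False, "TKIP or WEP cipher enabled")
    if not {"pair_ccmp", "group_ccmp"} <= ciphers:
        return WifiCheck(ssid, False, "AES (CCMP) not used for both pairwise and group keys")
    return WifiCheck(ssid, True, "WPA2/WPA3 with AES (CCMP) only")

def audit_scan(text: str) -> List[WifiCheck]:
    """Audit every non-empty line of an nmcli terse scan."""
    return [audit_line(l) for l in text.splitlines() if l.strip()]

def live_scan() -> List[WifiCheck]:
    """Run the real nmcli scan (Linux with NetworkManager) and audit its output."""
    out = subprocess.run(
        ["nmcli", "-t", "-f", "SSID,SECURITY,RSN-FLAGS", "dev", "wifi", "list"],
        capture_output=True, text=True, check=True).stdout
    return audit_scan(out)

if __name__ == "__main__":
    for r in audit_scan(SAMPLE_SCAN):
        print(f"{'PASS' if r.ok else 'FAIL'} {r.ssid}: {r.reason}")
```

Only the practice network should pass; a router left in WPA/WPA2 mixed mode fails even though it advertises WPA2, because the mixed mode keeps the weaker TKIP group cipher in use.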
Current security issues
According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the rise in people working from home also has created a substantial rise in “phishing” and similar scams. These scams are not just efforts to get money out of unwitting victims. They also are used to plant viruses onto devices, get access to your online systems or perform other acts of cybercrime.
For example, I have received dozens of text messages from people pretending to be from UPS or FedEx. The messages say I have a package on the way and include a link. Clicking the link would be the first step in falling for their scam.
Falling for a phishing scam can impact not just your finances, but also your clients’ privacy. The FTC has useful information as well as resources for reporting such scams at www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams.
Boundaries around workspaces and devices
Lastly, it is important to define clear boundaries in the space where you work, especially if you perform telehealth sessions there. Declare the space off limits to others in the house and enforce this boundary.
If you can’t make the space off limits to others 24/7, inform everyone when it is off limits and when it is not. Make the difference clear to everyone. When the space is in “open mode,” ensure that all documents are locked up and devices are logged out. If you have a device only used for work and it is small enough to lock in a cabinet or drawer, do so while the space is in “open mode.”
These are not the only cybersecurity guidelines you need to follow. They are, however, a solid start to ensure your home telehealth office meets the same standards as your conventional office.
Roy Huggins is a professional counselor and founder of Person Centered Tech (personcenteredtech.com). Roy was a web developer before graduate school and now teaches counseling ethics while leading Person Centered Tech’s training and consultation program. His email is firstname.lastname@example.org