My purpose here is to provide some accessible and jargon-free advice for conducting secure online therapy.
Between the various members of the Bilateral Base team we have decades of experience working with online technologies across healthcare, customer loyalty programs, banking, financial services and ecommerce, so we felt like we could offer some help and insights that may be useful to you and your clients.
I want to allay your concerns, while also offering some reminders on how to avoid bad security habits. I want to unpack emotive terms like ‘getting hacked’ so that they’re better understood and less scary. I want to leave you with the knowledge that the vast majority of online security issues are made possible by basic human error and that the steps to prevent them are similarly simple and achievable for you and your clients.
This post is for all therapists working online, not just for users of our online platform for EMDR therapy, Bilateral Base. If you’re a Bilateral Base user or interested in how we manage security for our therapists then please look at our post on Security Features of Bilateral Base.
What Does ‘Getting Hacked’ Actually Mean?
It’s a sinister-sounding word, but all it means is that someone has gained access to a system or some information that was not intended for them. It’s also a word that likely conjures up images of highly skilled criminals using expensive, powerful computers to overcome your security measures. In reality, and in the sort of areas we’re thinking about as therapists, this is not the case. Pretty much all hacking that you have read about is more akin to a petty criminal walking along a street full of parked cars looking for the one that the owner forgot to lock, or where the owner left the key behind one of the wheels – it’s low-tech, opportunistic and easily avoided with some basic precautions.
How Safe Are Online Calls?
The surge in remote working over the past few years has resulted in greatly increased awareness and scrutiny of safe online practices and the situation is improving all the time.
It’s every video conferencing service’s worst nightmare to find stories about a security breach of their service plastered all over the internet and this has acted as a great incentive for services to build stronger security features into their software.
What Security Features To Look For In Your Video Service (And What They Mean)
Balancing Security and Usability
Something you won’t see video conferencing services write about much, but that I think is important to appreciate, is that designers of video services always have to find a balance between making things secure and making them usable enough that most people can easily get up and running for their sessions.
Each additional layer of security will often act as some sort of barrier between therapist and client being able to easily connect with each other and there’s no point in having the world’s strongest security if none of your clients can actually get themselves set up on a call with you.
So there’s a balance to be struck around the sensitivity or value of the information being protected and ensuring that the tool can actually fulfill its purpose for users who may have very little experience or knowledge of using a computer/device.
How Do Your Clients Join A Call?
Most of what you will have read about video calls ‘getting hacked’ comes about because someone was able to enter a session by getting hold of or guessing the access code for a meeting. Zoom used to have a method for accessing sessions that just required entering a short numeric code. This meant that with enough tries it was possible to hit upon a valid meeting code. Zoom has since strengthened its security in this area.
Session Invites/Links – these are a popular and pretty secure way of giving your clients access to their sessions. If you look at the link you share with a client, it will contain a ‘key’ which is like a very strong password and so can’t be guessed easily. The main thing here is to make sure that the link is only sent to the person who you want to have access, and that each of your clients is given a separate link to use.
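To put some numbers on the difference between a short numeric code and a link that carries a key, here is an added example (it is not code from Bilateral Base or from any video service). The 9-digit code length, the 10,000 live sessions, the video.example address and the client names are all assumptions made up for the illustration.

```python
import math
import secrets


def code_bits(alphabet_size: int, length: int) -> float:
    """Bits of randomness in a code of `length` symbols chosen uniformly."""
    return length * math.log2(alphabet_size)


def hit_chance(bits: float, live_sessions: int) -> float:
    """Chance that one blind guess matches any currently valid code."""
    return min(1.0, live_sessions / 2 ** bits)


def make_invite_links(clients, base_url="https://video.example/join"):
    """Issue one separate link per client, each carrying its own random key."""
    links = {}
    for client in clients:
        key = secrets.token_urlsafe(32)  # 32 random bytes from the OS generator
        links[client] = f"{base_url}?key={key}"
    return links


def key_matches(links, client, presented_link: str) -> bool:
    """Check a presented link against the one issued to `client`."""
    if client not in links:
        return False  # unknown client: never accept, even an empty link
    # compare_digest takes the same time whether or not the strings match
    return secrets.compare_digest(links[client].encode(), presented_link.encode())


def compare(live_sessions: int = 10_000):
    """Guessing odds: assumed 9-digit numeric code vs. a 256-bit link key."""
    numeric = code_bits(10, 9)  # assumption: digits 0-9, nine of them
    link_key = 32 * 8           # token_urlsafe(32) holds 256 random bits
    return {
        "numeric_bits": round(numeric, 1),
        "link_bits": link_key,
        "numeric_hit_chance": hit_chance(numeric, live_sessions),
        "link_hit_chance": hit_chance(link_key, live_sessions),
    }


if __name__ == "__main__":
    print(compare())
    for client, link in make_invite_links(["client-a", "client-b"]).items():
        print(client, link)  # constructed client names
```

Because each client has a separate link, a link that was sent to the wrong person can be replaced for that one client without affecting anyone else.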
How Much Information Does The Video Service Want From You?
One of the simplest ways to keep information safe is to limit the number of online locations where it is stored. When using a video service, you’ll nearly always need to enter your email address when you sign up. But beyond this you should think about what information is really necessary to have on an online service and whether the security measures are appropriate for this information. For example, if you’re entering client personal information like email addresses or client notes then you should see an appropriate level of security available, like Multi-factor Authentication (see below).
What Is Multi-Factor Authentication?
This is a security feature that requires you to prove that you are who you say you are in more than one way before being given access to something. Some examples of this for logging into an account are:
- Enter password AND answer a security question
- Enter password AND receive a passcode via text message on your phone
This feature offers far better security than just a password, and you should use it if available. It is definitely a good idea if your video service has details about your clients like email address and session notes.
What Is End-To-End Encryption?
This basically means that while your video call is being passed between your computer and your client’s, it is jumbled up so that if anyone tries to intercept it, the data is meaningless and can’t be opened, played or listened to. Only someone who has a special key can unjumble the message at the other end so that it makes sense. This type of encryption should be available for one-to-one calls, where the call travels directly between your computer and your client’s computer and should not need to pass through the provider’s server.
Does The Video Service Keep Itself Up To Date?
You may have noticed in recent years that your computer or device can get very persistent if you don’t install the latest software updates. While this can be annoying, it’s done for a good reason: without it, too many users keep putting off these upgrades, which often contain important fixes to close new security issues that have been found.
Web-based Video Services
Video services that you access through a web browser have the advantage that you will always be using the most up to date version. These services also don’t require any software to be installed on your or your client’s device.
Some services ask you to install software on your computer and then keep this up to date. One example of this is Zoom, which does have a web browser version but will strongly suggest that you install its software. Until recently Zoom did not automatically keep itself up to date, so many users are not using the latest, most secure version. Zoom has recently tried to address this with an update that does include an option to let Zoom automatically update itself. However, you need to be on a fairly up to date version to have this option. If you are using Zoom with your clients then you should ensure you are on the latest version and then agree to let Zoom automatically update itself going forwards.
What Should You And Your Clients Be Doing To Make Online Sessions Secure?
Keep Your Computer Operating System Up To Date
If you are using a Windows PC then you will find that it now keeps itself up to date unless you specifically want to stop this. For pretty much everyone reading this I would say let it do its thing and keep you up to date.
For Mac users, you will get reminders to update, but at present Apple does not do automatic updates. On Bilateral Base we can see lots of instances of Mac users who have not updated their operating systems for 2+ years. All Mac users should take a moment and update to the latest version and keep yourself secure. There was a time when Macs were thought to be relatively safe from viruses and malware. The reason for this was that there were so many more Windows computers in the world that this was a more lucrative target for online criminals. With the popularity of Apple products this is much less true than it used to be so please don’t think you’re immune.
Keep Your Browser Up To Date
Keeping your browser up to date is also a key pillar of online safety and is one of your main lines of defense against online threats. Browser technology is also constantly improving, so you may also find that you get better quality and more stable connections as well as being able to access features that rely on modern browser technologies.
Chrome/Edge/Firefox – These browsers will keep you up to date automatically. However, they can only update themselves when you shut them down and open them again. On Bilateral Base we do still see users on sometimes old versions of these browsers, and this is generally because they never close them and so the browsers never have a chance to update. While modern computers can keep ticking along without being restarted, I never fail to be surprised at how often an issue a user reports with their device can be solved with a quick restart. So my advice is to restart your computer once a week to keep everything running optimally and to give your browser a chance to update.
Safari – Safari on Mac is part of the OSX operating system and so will only update if you update your operating system, so see above as to why this is a good idea and you’ll get the latest browser at the same time!
I can’t emphasise this enough – please don’t use the same password across multiple accounts on the web. If just one website that you’re a member of ‘gets hacked’ and the hacker has access to your username and password, then the hacker will be able to just try your login details automatically on thousands of different websites and see which ones they work on.
Three Word Passwords
The three word password method has come about in response to everyone being asked for very complicated passwords for accounts and then using the same one for all accounts. A password that is made up of three words is not a perfect solution, but it’s quite user-friendly and much better than using the same password on multiple accounts – See Three Word Passwords
Use A Password Manager
This is the gold standard for responsible password management. Every website you use can have a unique and very secure password that you don’t have to remember – See Password Managers
Ok, enough from me for now. We’ve put this together quickly in response to what we’ve seen being discussed in forums, to give you a bit more information and hopefully answer some of your burning questions and concerns.
I hope you’re finishing this feeling a bit more empowered and confident in your ability to keep you and your clients safe during online therapy with some simple steps and precautions.
- Use an online video service that offers appropriate security features for your activities. General purpose services are all pretty good now and you also have the option to look at therapy specific options that may be more focused on the specific needs and concerns of therapists.
- Take care when sending session invites/links to your clients. Make sure they only get sent to that client.
- Keep your computer operating system and web browser up to date.
- Set strong passwords and don’t use them on multiple accounts.
If you have unanswered questions then please contact us and we’ll be happy to help further and add more to this post. Also, if anyone would find it helpful, we’d be happy to run a live video Q&A with a group of us from Bilateral Base so you can get your questions answered live and face-to-face. If this is something you would find helpful then let us know and we’d be happy to set this up.
Best wishes and stay safe online.
(Product Manager at Bilateral Base)