Unless you are completely unplugged, you have probably heard a few politicians debating the idea of whether or not Russian hackers are to blame for the leaks of certain email communications. Regardless of who hacked who, it raises an important question.
Can the hackers steal my email?
Better yet, is my email safe?
As a therapist, client confidentiality is an obvious and fundamental concern. Does this mean that I need to stop communicating with my clients via email? We don’t want anything to compromise our clients’ confidentiality.
When people ask this question, it’s usually accompanied by assertions like, “But, I use a really good password!” or “I only log in on my work computer.” Doesn’t this make it safe?
We have to start with the idea that email itself isn’t that secure of a technology.
Email has been around for a long time. It was first developed about fifty years ago now (this is a strange sentence to write!). When it was developed, no one really gave a lot of attention to making it secure. We have been using it ever since and, even though we’ve tried to do things to increase security, the underlying structure was never designed to be secure.
Some people have tried to make secure email but every single attempt has hit some obstacles. If you think about the process of sending an email there are three main steps that a message has to go through.
The Sender composes a message and hits send > Mail Servers take that message and exchange it with one another in order to route it to the Recipient > The Recipient logs in and reads the message.
Seems simple, I know. You might first think that as long as the sender and receiver are using strong passwords for their login (bonus points for two-factor authentication) then the problem would seem to be solved. But that only protects email that isn’t going somewhere. When an email is sitting on your server behind a strong password (whether that’s your own corporate server or Gmail), it’s relatively safe. If someone can guess your password (or if it’s written on a post-it note on your desk), that’s bad. However, you can do you part by keeping your passwords strong and completely confidential.
It’s when email is “moving” that the problems really start to arise.
There are two types of “text” on the Internet. There is encrypted and unencrypted or clear text. When email was designed, there wasn’t a lot of need for encrypted text so the entire system uses text that is clear text. It’s not like you or I can simply read these emails. But, with the right software it is relatively trivial for hackers to simply record any email messages they want as they’re travelling between servers.
Because of this, when you’re sending email you should absolutely assume that your message is being captured and stored by someone.
At this point, you might be thinking, why not change the servers so they use encrypted data instead. Unfortunately, this really isn’t an option. There are millions of email servers and essentially they would all need to be changed at once. Otherwise, the system breaks down. We rely SO much on email that there’s no way to do this easily.
Another approach that people have tried has been to use an app that scrambles the message right before it leaves on its way to the other person. The problem here is that you and every other person that you send email to would not only need this app but also the key to decoding the scrambled text. It works but it adds some pretty complicated steps to the process. Unless you’re a power user and you’re communicating only with other power users, this probably isn’t going to work either. It’s just too much trouble.
Your clients are wonderful people but you’re probably thinking why does anyone care about what I have to say to them. You’re not entirely wrong for asking the question. Unless your client is a prominent public figure or someone with enough money to extort, the chances are that you’re never going to be the target of a major hacking operation.
But you know how when you talk to a client and you start to put pieces together from different parts of their lives? Let’s go back to assuming that every email you send is being recorded by monitored. Now let’s assume that you are sending an email to a client with their home address included. The client might also be sending information to a finance professional and may have included their Social Security Number, or something else. With enough information, hackers can assemble complete profiles of people and, as most often happens, use this information to steal an individual’s identity.
So, fear not. The Russians are not coming for your email in all likelihood.
But, also, don’t forget that sending email is the technological equivalent to leaving a love note for your partner on a billboard by the interstate.
First, and probably always, consult your legal advisor about all applicable laws and obligations that you have. It’s also a good idea to brush up on HIPAA implications and any requirements from the licensing and ethics boards in your jurisdiction. Secondly, remember that it is simply never a good idea to include personal details in email communication. And make sure that your clients understand that too. Some services offer a secure messaging center in their suite of tools. Those are far more secure because messages don’t actually have to leave an email server en route to someone else. If you file insurance claims, you most likely have already experienced these. You need to upload a document for a claim so you go to that insurance company’s secure website, upload the document, and log out. Sometime later, you might receive an email that a new message is waiting for you and you need to go back to that website and log-in again to see the message. Because the message never leaves that server, it can stay encrypted and there’s never an opportunity for someone to eavesdrop on the conversation.