I don’t do a lot of consulting for people who’ve experienced a “security breach” in their practices. But in the last year I’ve gotten 7 inquiries about security breaches from colleagues, and every single one was from someone whose email had been hacked into. So I’d like to make sure everyone knows the two things that can prevent the same from happening to them.
6 out of 7 of the hacked email accounts were Gmail accounts, which is at once unsurprising and strangely ironic (for reasons I’ll explain in a minute). It’s not that Gmail has poor security – quite the opposite. It’s just very popular. And bad guys spend a lot of time trying to gather passwords for email accounts, including Gmail.
Two things could have been done that would have, with a good 95% certainty, prevented the breaches from happening. I’ll describe them in reverse order.
Email Safety Step 2) Two-Factor Authentication
What a clear and descriptive name, right?
It sounds much more intimidating than it is, really. It simply means that instead of using only your password to log in to your email, you use both your password and one other thing.
Imagine this: you sit down at your computer and go to your email. It asks for your password. You type it in. Then it says, “We’ve sent you a text message. Please type the code from that text message here.” You then receive a text message on your phone. It has a little code in it. You type that code into your computer. Now you’re logged in. Voila. I like to call this “The Two-Factor Dance.”
“But Roy?” You may ask, “how do they have my phone number??”
When you turned on two-factor authentication, you gave them your phone number. That’s part of why you have to go turn it on yourself, and it can’t just be switched on automatically on your behalf.
Google also offers a neat app for your smartphone that can let you skip the whole text message thing altogether. You just open the app, it gives you a temporary code, and you type it in to the computer. Done.
WATCH: Rob Demonstrates the App for Two-Factor Authentication (2min.)
or Watch the Whole Episode of Therapy Tech Here
And here’s the kicker: with Gmail, you don’t even have to type in this code every time you sit down to read email. You only have to do it once (or so) for each gadget you check email on. Once you’ve done the two-factor dance once, the device becomes “registered.” You may occasionally have to renew that registration by doing the two-factor dance again at some point in the future, but not very often.
This works because the vast majority of email hackery is done by getting ahold of people’s email passwords. Bad guys then use their own gadgets to log in to those hacked accounts. But with two-factor authentication turned on, stealing the password isn’t enough. The bad guys can’t register their devices and, thusly, can’t get into your email account. Their hackery is denied!
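To make the “temporary code” from the app concrete, here is an added example (not code from the original post or from Google) that implements the standard the authenticator apps use, TOTP from RFC 6238 on top of HOTP from RFC 4226, and a login check that needs both factors. The secret and the time values are constructed for the demo; a real service stores the shared secret when you enroll your phone.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the form an authenticator app reads from the QR code.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: the HOTP counter is the current 30-second window number."""
    return hotp(secret_b32, at_time // step)


def verify_totp(secret_b32: str, code: str, at_time: int, drift: int = 1) -> bool:
    """Accept the code for the current window plus/minus `drift` windows (phone clock skew)."""
    for w in range(-drift, drift + 1):
        expected = hotp(secret_b32, at_time // 30 + w)
        if hmac.compare_digest(expected, code):  # constant-time compare
            return True
    return False


def login(password_ok: bool, secret_b32: str, code: str, at_time: int) -> bool:
    """Both factors must pass: a stolen password with no valid code is rejected."""
    return password_ok and verify_totp(secret_b32, code, at_time)
```

The codes depend only on the shared secret and the clock, which is why a code from the app is good for about 30 seconds and why someone holding just the password cannot produce one.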
The reason it’s ironic that so many of those hacked email accounts were Gmail is that Gmail is one of the few popular email services that offer you the ability to use two-factor authentication. If everyone used the free and (relatively) easy service that Gmail and a few others offer, we would have a fraction of the email account breaches we have now.
In fact, security experts have opined in the past that for clinicians who are still waiting to do their Security Risk Analysis, it is important to do two things: 1) Set up two-factor authentication wherever you can and 2) full-disk encrypt your computer.
“But Roy?” You may ask again, “what is this Security Risk Analysis thing you’re talking about?”
That’s a good question, anonymous reader. Thanks for the segue!
Roy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
Email Safety Step 1) Security Risk Analysis
I don’t get excited when people ask me for help with security breaches, but afterwards, I’m always glad I was involved. Dealing with a security breach can be frightening, and I like being able to apply both my technical and counseling skills to help colleagues keep perspective and work through it. It’s rarely as bad as it seems while you’re in it.
During the post-mortem of these security breach consultations, I always mention two-factor authentication. And that raises the question: “How was I supposed to know that two-factor authentication is even a thing, and how was I supposed to anticipate needing it?”
The simple answer is, “Do a Security Risk Analysis.” That’s what it’s for. (It also happens to be required by HIPAA, of course.) A Security Risk Analysis is a process wherein you do a kind of “needs assessment” for security in your practice, and then come up with a plan for meeting those needs. Click Here for a free article that helps explain.
Email is a wonderful tool, and we can use email of all kinds with clients to accomplish great ends. So no one should feel discouraged from using it wisely in their practices. We also need to enter into using tools like email deliberately, and with competence for how to use it not just effectively, but also safely.
If you feel you need help doing that, we offer shockingly affordable, personalized support services for people just like you. Preview our support service here.
You can also read our other articles for hints like the one contained here. Happy emailing!
Hi Roy –
Your efforts are very much appreciated. I’m at the tail end of my career, and my practice is less than full time. I’m oriented to winding down the number of clients I see. I try hard not to respond to clients via email or text as a safety practice. I’d like to get your views on the risk factors involved here. After reading your email the question is do I have my head in the sand about risk, future safety requirements, and should I just retire now?
John
Hi John,
Retiring early is almost certainly a more heroic security measure than you need right now! :)
If you have an email address that clients send mail to, then there is some reasonably concerning level of security risk to your practice. The two-factor authentication thing sounds complicated when I describe it, but it’s actually quite easy once you take a bit of time to do it and figure it out.
So, the cost-benefit analysis says that the protection it provides against a very real risk is a super high level of protection for no more cost than just figuring out another doodad. The cost of figuring out another doodad might actually be significant, but it is an affordable cost and the benefit is massive.
I hope that’s helpful. :)