Security of Clinical Records on Computers:
Viruses, Firewalls, & the
November 30, 2001
There was another instance a few days ago in which a "virus" posted files from a psychologist's computer to another APA list, although the psychologist was using one of the most popular anti-virus programs. In light of the unfortunate consequences that can result when files--especially those containing counseling, forensic, or other confidential data--are widely circulated on the internet, I thought the following might be helpful.
Those who create malicious code are finding more effective ways to circumvent both anti-virus programs and firewalls, to ensure that attachments need not be opened in order to infect the computer, and to search out the most damaging information (e.g., files containing words like "confidential," "private," "privileged," "clinical," or "password") to send out to selected addresses in the computer's memory, to send out to addresses already contained in the malicious code, and/or to post on anonymous web sites.
One of the problems is that many of the new viruses, worms, Trojan horses, and all sorts of other malicious forces that can enter a computer via email, browsing the web, a hacker, etc., don't "do their stuff" right away. They can "hide" in an almost infinite number of ways in the computer, going undetected for a period of time. Many have amazing stealth modes and engage in complex functions to avoid detection by anti-virus programs and other security software. (Even standard terms like virus, worm, Trojan horse, etc., are becoming dated and don't fit well some of the quickly evolving ways that a computer's security is compromised.
Rather than viewing any program (e.g., anti-virus, software firewall) as an absolute protection, it seems to make sense to view each step as making a computer more safe. All that can be done if the computer is connected to the internet is reduce--not eliminate--the risk. This can be a critical issue when clinical, forensic, and other sensitive data are handled in electronic form.
The more levels of significant protection, the better. It may, e.g., make sense to keep sensitive data in encrypted form on a removable medium (e.g., floppy, zip of jaz disk), rather than on the hard drive, and to keep the medium stored safely in a secure area. Using anti-virus programs with frequently updated virus definitions, installing an appropriate firewall, keeping sensitive data on floppies, disconnecting the computer when it is not in use, using sophisticated password systems and encryption, and similar steps may help prevent sensitive data from being compromised.
An easy way--if it is affordable--to provide significant protection to confidential data is to use a separate computer to keep sensitive material. Because word-processing and related programs use *relatively* little memory, a very old or a cheap second-hand computer can be used (with all material backed-up). The main criterion is that this computer never be hooked up to anything else (e.g., not part of a network, no phone line, no cable or dsl modem, no Airport)--just a stand-alone desktop, laptop, or notebook. If used *only* for clinical data and deprived of any wired or wireless link outside itself, it will lack the means to distribute the confidential information.
Those who practice in clinics, etc., in which large numbers of computers are networked together face additional challenges. University centers that provide psychological services, supervised training, etc., face this issue. One step taken by the MSU Counseling Center (which updates its virus definitions daily) is to prohibit any use of Outlook (e.g., Outlook Express) because of the significant vulnerabilities of that program.
One way I've come to think of this challenge is in terms of the Golden Rule: If a therapist, attorney, physician, or other professional were keeping a lot of highly sensitive information about me in their computer, what level of protection would I want to in place to prevent that material from being sent to selected individuals or lists in the professional's electronic address book, posted on the web, etc.?
In closing, I hope everyone had a happy Thanksgiving. So much--from the trivial to the overwhelming--to be thankful for while keeping in our hearts those who today are in great pain, need, or discouragement.