Running head: GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 1



Similar documents
Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

Data Protection Act Bring your own device (BYOD)

NSA Surveillance, National Security and Privacy

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

THE SECURITY OF HOSTED EXCHANGE FOR SMBs

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Federal Bureau of Prisons

DiamondStream Data Security Policy Summary

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

Research Information Security Guideline

Privacy Policy Version 1.0, 1 st of May 2016

Microsoft s cybersecurity commitment

ETHICAL ELECTRIC PRIVACY POLICY. Last Revised: December 15, 2015

POLICIES AND REGULATIONS Policy #78

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Data Processing Agreement for Oracle Cloud Services

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Office Policies, Informed Consent for Treatment, and Protecting the Privacy of Your Health Record

Android Developer Applications

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

Matrix Technical Support Mailer - 72 Procedure for Image Upload through Server in SATATYA DVR,NVR & HVR

Kiran Mishra, Ph.D. Licensed Clinical Psychologist. Sugar Land, TX (832) TEXAS NOTICE FORM

Montclair State University. HIPAA Security Policy

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Paxata Security Overview

This notice describes how psychological and medical information about you may be used and disclosed and how you can get access to this information.

COURTNEE A. PELTON, PSY.D.

I ve been breached! Now what?

DATA AND PAYMENT SECURITY PART 1

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Understanding Psychological Assessment and Informed Consent

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

HIPAA Notice of Privacy Practices HAND & MICROSURGERY ASSOCIATES, INC.

Cloud Computing TODAY S TOPICS WHAT IS CLOUD COMPUTING? ICAC Webinar Cloud Computing September 4, What Cloud Computing is and How it Works

Xerox Mobile Print Cloud

PSYCHOTHERAPY CONTRACT

WHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW

Notice of Privacy Practices

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

Department of the Interior Privacy Impact Assessment

ELECTRONIC COMMUNICATION & INFORMATION SYSTEMS POLICY

Network Security Policy

Counseling Intake Form (Each person attending therapy should complete a form)

Betsy Mencher, Ph.D. Licensed Clinical Psychologist 1350 Connecticut Avenue, NW Suite 602 Washington, DC 20036

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

The Anti-Corruption Compliance Platform

Data Breach and Senior Living Communities May 29, 2015

Policy # Related Policies: Computer, Electronic Communications, and Internet Usage Policy

The Bishop s Stortford High School Internet Use and Data Security Policy

What is the Cloud? Computer Basics Web Apps and the Cloud. Page 1

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

STANDARDS FOR TECHNOLOGY USE IN SOCIAL WORK PRACTICE

Online Banking Customer Awareness and Education Program

Privacy Policy. Peeptrade LLC ( Company or We ) respect your privacy and are committed to protecting it through our compliance with this policy.

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

Information Security It s Everyone s Responsibility

Frequently Asked Questions. Frequently Asked Questions SSLPost Page 1 of 31 support@sslpost.com

THE BLUENOSE SECURITY FRAMEWORK

HIPAA Security Training Manual

Android App User Guide

Adding Stronger Authentication to your Portal and Cloud Apps

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

PRIVACY POLICY. Introduction

BRING YOUR OWN DEVICE

Jerry M. Ruhl Ph.D. Clinical Psychologist (Texas #34359) 5200 Montrose Blvd. Houston, TX 77006

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

The Ministry of Information & Communication Technology MICT

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

Computer Security at Columbia College. Barak Zahavy April 2010

Specific observations and recommendations that were discussed with campus management are presented in detail below.

NotifyMDM Device Application User Guide Installation and Configuration for Windows Mobile 6 Devices

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS

Transcription:

Running head: GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 1 Governmental surveillance threatens client privacy Samuel D. Lustgarten The University of Iowa Author Note Samuel D. Lustgarten, Counseling Psychology, Department of Psychological and Quantitative Foundations, The University of Iowa. Corresponding Author: Samuel D. Lustgarten, Counseling Psychology, Department of Psychological and Quantitative Foundations, The University of Iowa, 361 Lindquist Center, Iowa City, Iowa, 52242-1529, USA. E-mail: Samuel-Lustgarten@uiowa.edu

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 2 Lee. Acknowledgements: Dr. Elizabeth Altmaier, Dr. Stewart Ehly, Daniel Elchert, and Micah

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 3 Governmental surveillance threatens client privacy Over the last two decades, the field of psychology has appreciated from technological progress. Practitioners are using text messaging (Norcross, Pfund, & Prochaska, 2013) and email (Shapiro & Schulman, 1996) for extended client care. Colbow (2013) found that psychologists and helpers are showing growing interest in telemental health therapy (remote therapy), which necessitate teleconferencing programs (i.e., Skype or Google Hangouts). Each program and technology has consequences for client privacy and confidentiality. To manage risk associated with maintaining digital records and communication with clients, the American Psychological Association (APA) issued two documents: the Ethical Principles of Psychologists and Code of Conduct (2010; hereafter referred to as, Ethics Code ) and Record Keeping Guidelines (2007). These documents place responsibility for confidential record management with psychologists. Unfortunately, the ability for psychologists to maintain privacy and confidentiality in the twenty-first century is threatened. The evolution of technology combined with governmental surveillance and policy has led to vulnerabilities in digital maintenance of client records. This article reviews the current governmental threats to privacy and provides 5 best practices for securing information. The NSA, Cloud Storage, and Electronic Communications Various national agencies conduct surveillance in the service of state interests. Relevant to the current article is the National Security Agency (NSA; 2011), which is primarily tasked

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 4 with collecting signals intelligence (from foreign sources). Until recently, it was believed that domestic surveillance was considered unlawful. In June 2013, Glenn Greenwald took possession of top-secret documents from governmental whistleblower, Edward Snowden (Greenwald, 2014). The articles, known as The NSA Files, catalogued covert surveillance operations that extended into the U.S. (Greenwald, 2013). With the help of Snowden and other journalists, Greenwald (2013) first published evidence that the NSA was demanding and receiving records of millions of Verizon customers daily. One program MUSCULAR allowed NSA analysts to access cloud storage networks of companies such as Google and Yahoo (Gellman & Soltani, 2013). This enabled the NSA to download and retrieve private information of U.S. citizens using cloud-based services (i.e., Gmail, Google Drive, and Yahoo Mail). It is possible the NSA could have retrieved private health information (PHI), notes, and work logs. If a provider and client emailed back and forth, the NSA could have accessed this information. These policies hinder psychologists ability to uphold the APA Ethics Code (2010), which states, Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stores in any medium. Top-secret programs are only one type of governmental threat to privacy. The Stored Communications Act of 1986 (18 U.S. Code 2703) allows the federal government to access cloud-based email when left on servers over 180 days. When the Act was signed, the popular method for email was to download messages to local computers removing it from servers. Now, people tend to archive messages, rather than downloading or deleting (Google, 2014). With

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 5 corporations providing high-capacity cloud services, communications with clients that are saved, archived, and/or left on servers are vulnerable to government data requests. Governmental surveillance and access to communications is easier at public institutions. Anyone can make Freedom of Information Act requests (FOIA; 5 U.S. Code 552), and ask for the emails of faculty and staff. For instance, while communications between practitioners and clients is considered privileged information, emails between other practitioners and in indirect support of clients may not be protected (University of Iowa, 2013). Lastly, mental health providers have a duty to explain to clients about requests for confidential information (ethics code citation). The Federal Bureau of Investigation (FBI) may have the authority to issue National Security Letters (NSLs) to request client records (18 U.S. Code 2709). NSLs may necessitate that the recipient not notify persons involved, thus limiting the ability for practitioners to share about investigations affecting clients. Best Practices for Client Confidentiality The APA Ethics Code (2010) suggests that failure to maintain confidentiality and related ethical standards may result in legal consequences (Benefield, Ashkanazi, & Rozensky, 2006; Glosoff, Herlihy, Herlihy, & Spence, 1997). While the APA (2007; 2010) provides standards and guidelines for the use of data, best practices are absent. Despite the aforementioned threats to client privacy and confidentiality, there are methods to manage risk of unintended disclosures. The following section outlines 5 best practices for maintaining client confidentiality. 1. Create a threat model Practitioners should anticipate security threats. While challenging to predict every concern, practitioners can develop threat models (Barrows & Clayton, 1996; Lee, 2013).

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 6 Threat models consider client populations (i.e., low, moderate, and high risk). By grouping clients into different risk categories, practitioners can create greater protections when necessary (i.e., LGBT-identified clients, dissidents, politicians, and celebrities). Practitioners threat models should be inversely related to risk: high-risk populations met with lower-tech mediums. 2. Encrypt everything Practitioners should research encryption software to protect welfare. The APA Practice Organization (2014) catalogued three different types of options for client records: full-disk, virtual-disk, and file encryption. Full-disk encryption provides protection for the entire file system, and prevents organizations from files. If providers are interested in backing up and storing client records on HIPAA-compliant cloud-storage servers, files should be encrypted prior to uploading via virtual-disk encryption. Micah Lee (personal communication, September 28, 2014), technologist for The Intercept, provided four suggestions: disk encryption, firewalls, strong passwords (unique per account), and cryptology in communication (i.e., encrypted text messages). 3. Turn on two-factor authentication Cloud-based websites usually require usernames and passwords. Government agencies need additional information to circumvent this process. One method of further account security is two-factor authentication. This feature utilizes time-based tokens that change every 30 seconds. When activated, two-factor authentication is required after correctly providing username and password credentials. If a password were stolen, the encrypted token would still be necessary. 4. Buy an air-gapped computer

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 7 The Electronic Frontier Foundation (EFF; 2014) suggests that with more sensitive information, an air-gapped computer should be used. Air-gapped computers have all Internet capabilities disabled or forcibly removed. The NSA (2010) recommends that Mac users have an Apple-certified technician remove wireless cards. For high-risk clients, notes and information would be maintained, but need to be moved via external device (i.e., USB flash drive). 5. Modify informed consent process The APA Ethics Code (2010) asks that informed consent be given at the outset of treatment. If client and practitioners express an interest in digital technologies to enhance treatment, informed consent should properly explain, justify, and present risks to communication methods (Devereaux & Gottlieb, 2012). If clients express concern during informed consent, and in the interest of autonomy and privacy, practitioners should consider more basic methods (i.e., pen and paper). Conclusion Clients (Rubanowitz, 1987; VandeCreek, Miars, & Herzog, 1987) and psychologists have agreed that confidentiality is imperative for provision of care (Donner, VandeCreek, Gonsiorek, & Fisher, 2008; Fisher, 2008; Glosoff et al., 1997). Additionally, the U.S. Supreme Court reasserted psychotherapeutic privilege for client confidentiality in the 1996 case, Jaffee v. Redmond. Despite this historical precedence, government policies have threatened privacy. Each technological innovation provides greater flexibility and accessibility for care. Unfortunately, as Baker and Bufka (2011) suggest, psychologists are engaging with technologies that have legal and ethical ramifications for clients, research participants, and third-party providers. While the APA has created guidelines and standards for interacting with technology,

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 8 there are risks to certain communication and storage mediums, especially when using cloudbased providers. Now more than ever, practitioners should be circumspect to new technologies related to the communication and storage of client data. By adopting the best practices listed within this article, practitioners will be taking a stand for client and human rights.

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 9 References American Psychological Association. (2007). Record keeping guidelines. The American Psychologist, 62, 993-1004. doi: 10.1037/0003-066X.62.9.993 American Psychological Association. (2010). Ethical principles of psychologists and code of conduct. Washington, DC: Author. Retrieved from http://www.apa.org/ethics/code/ principles.pdf APA Practice Organization. (2014). ABCs and 123s of encryption. Good Practice, Spring/ Summer. Baker, D. C., & Bufka, L. F. (2011). Preparing for the telehealth world: Navigating legal, regulatory, reimbursement, and ethical issues in an electronic age. Professional Psychology: Research and Practice, 42, 405-411. doi: 10.1037/a0025037 Barrows, R. C., & Clayton, P. D. (1996). Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Association, 3, 139-148. doi: 10.1136/jamia.1996.96236282 Benefield, H., Ashkanazi, G., Rozensky, R. H. (2006). Communication and records: HIPPA issues when working in health care settings. Professional Psychology: Research and Practice, 37, 273-277. doi: 10.1037/0735-7028.37.3.273 Colbow, A. J. (2013). Looking to the future: Integrating telemental health therapy into psychologist training. Training and Education in Professional Psychology, 7, 155-165. doi: 10.1037/a0033454 Counterintelligence access to telephone toll and transactional records. 18 U.S. Code 2709.

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 10 Devereaux, R. L., & Gottlieb, M. C. (2012). Record keeping in the cloud: Ethical considerations. Professional Psychology: Research and Practice, 43, 627-632. doi: 10.1037/a0028268 Donner, M. B., VandeCreek, L., Gonsiorek, J. C., & Fisher, C. B. (2008). Balancing confidentiality: Protecting privacy and protecting the public. Professional Psychology: Research and Practice, 39, 369-376. doi: 10.1037/0735-7028.39.3.369 Electronic Frontier Foundation. (2014). Keeping Your Data Safe. Retrieved from https:// ssd.eff.org/en/module/keeping-your-data-safe Freedom of Information Act of 1966, 5 U.S. Code 552. Gellman, B., & Soltani, A. (2013). NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden says. The Washington Post. Retrieved from http:// www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo google-datacenters-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166 11e3-8b74- d89d714ca4dd_story.html Glosoff, H. L., Herlihy, S. B., Herlihy, B., & Spence, E. B. (1997). Privileged communication in the psychologist-client relationship. Professional Psychology: Research and Practice, 28, 573-581. doi: 10.1002/j.1556-6676.2000.tb01929.x Google. (2014a). Archive messages. Retrieved from https://support.google.com/mail/answer/ 6576?hl=en Greenwald, G. (2013). NSA collecting phone records of millions of Verizon customers daily. The Guardian. Retrieved from http://www.theguardian.com/world/2013/jun/06/ nsa phone-records-verizon-court-order

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 11 Greenwald, G. (2014). No place to hide: Edward Snowden, the NSA, and the U.S. surveillance state. New York, NY: Penguin Group. Jaffee v. Redmond, 518 U.S. 1 (1996). Lee, M. (2013). Encryption works: How to protect your privacy in the age of NSA surveillance. Freedom of the Press Foundation. Retrieved from https://freedom.press/sites/ default/files/encryption_works.pdf National Security Agency. (2010). Hardening tips for Mac OS X 10.6 Snow Leopard. Retrieved from https://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf National Security Agency. (2011). Mission. Retrieved from https://www.nsa.gov/about/mission/ index.shtml Norcross, J. C., Pfund, R. A., & Prochaska, J. O. (2013). Psychotherapy in 2022: A Delphi Poll on its future. Professional Psychology: Research and Practice, 44, 363-370. doi: 10.1037/a0034633 Rubanowitz, D. E. (1987). Public attitudes toward psychotherapy-client confidentiality. Professional Psychology: Research and Practice, 18, 613-618. doi: 10.1037/0735 7028.18.6.613 Shapiro, D. E., & Schulman, C. E. (1996). Ethical and legal issues in e-mail therapy. Ethics & Behavior, 6, 107-124. doi: 10.1207/s15327019eb0602_3 Stored Communications Act of 1986, 18 U.S. Code 2703. University of Iowa. (2013). Chapter 19: Acceptable use of information technology resources. Retrieved from http://www.uiowa.edu/~our/opmanual/ii/19.htm

GOVERNMENTAL SURVEILLANCE CLIENT PRIVACY 12 VandeCreek, L., Miars, R. D., & Herzog, C. E. (1987). Client anticipations and preferences for confidentiality of records. Journal of Counseling Psychology, 34, 62-67. doi: 10.1037/0022-0167.34.1.62

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information