Software Solutions for Mental Health Practice Encryption and Security, Page 1

As a mental health professional, you will have certain obligations — some legal, some ethical — regarding confidentiality and the security of materials related to your practice. The first part of this article offers some brief notes on the types of encryption solutions available, while the second part explores their advantages and disadvantages and offers specific software suggestions. A companion article comments on some ethical issues relating to encryption.

What Are You Protecting?

There are at least three different types of data you might be wanting to protect:

  • Data such as emails with clients, while in transit across the internet
  • Data such as form fields or chat messages, while in transit between a user’s browser and your webserver
  • Data such as files sitting on your hard drive

This article will focus primarily on emails and touch only briefly on encrypting data on your hard drive; a separate article covers SSL for protecting data in transit between browser and server.

A Side Note on Encryption Strength

These days, most encryption packages provide what is often called ‘strong encryption’. This generally refers to 128-bit or stronger encryption, as opposed to 40-bit or 56-bit. (The bit size refers to the size of the ‘key’ which is used to encrypt and decrypt data.) Given the widespread availability of strong encryption, and the speed of modern computers, I can’t think of any reason to use weaker encryption.

For practical purposes, strong encryption is unbreakable: barring significant breakthroughs in quantum computation or other world-changing alterations to the foundations of how computers work, the mere regular advances of computing speed will not enable strong encryption to be broken within your lifetime.

One side note: the key sizes of public key encryption systems are often 2048-bit, 4096-bit or even more. This key size refers to something completely different from the 128-bit size of a symmetric encryption system, even though you may occasionally encounter people mentioning their public key size as if it referred to the same thing. (Maybe they want to impress you?!) The fact of the matter is that public key encryption systems typically use a large public key together with a pseudorandom number to generate a one-time ‘session key’, which is in turn used to encrypt the data itself with ordinary symmetric encryption, usually at 128-bit or 256-bit strength; the public key only protects that session key.
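The hybrid arrangement just described, written out as an added example (not code from the original article or from any product it mentions): a random 256-bit session key encrypts the message body with AES-GCM, and only that short session key is wrapped under the recipient's 2048-bit RSA public key. The names `Envelope`, `SealMessage` and `OpenMessage` are this example's own, and the message text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SessionKeyBytes is the symmetric key size: 32 bytes = 256-bit AES.
const SessionKeyBytes = 32

// Envelope is what actually travels over the wire: the one-time session key
// wrapped under the recipient's RSA public key, plus the AES-GCM nonce and
// the encrypted (and integrity-tagged) message body.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP; its length equals the RSA modulus size
	Nonce      []byte // 96-bit GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM output: body plus a 16-byte authentication tag
}

// SealMessage runs on the sender's computer: generate a fresh session key,
// encrypt the body with it, then wrap the session key with the recipient's
// public key. The long RSA key never touches the message body directly.
func SealMessage(recipientPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	sessionKey := make([]byte, SessionKeyBytes)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenMessage runs on the recipient's computer: unwrap the session key with
// the private key, then decrypt the body. GCM also verifies the tag, so a
// message altered in transit is rejected rather than silently corrupted.
func OpenMessage(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// The recipient's 2048-bit key pair; in practice the public half is what
	// you would be given or would publish.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := []byte("Constructed sample: appointment confirmed for Tuesday at 10am.")
	env, err := SealMessage(&priv.PublicKey, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("public key: %d bits, session key: %d bits\n", priv.PublicKey.N.BitLen(), SessionKeyBytes*8)
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, err := OpenMessage(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(plain))
}
```

Two points worth noticing when you run it: the wrapped key is exactly 256 bytes for a 2048-bit RSA key regardless of how long the message is, which is why the two bit sizes are not comparable, and flipping a single byte of the ciphertext makes `OpenMessage` return an error instead of garbled text.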

Web-Based vs. Local Client

When it comes to protecting emails via encryption, at least two general software approaches are available to you: web-based and local client.

With web-based encryption, you will actually write and read your emails while they sit on a server — this might be your own server, if you set up the system yourself or (more commonly) the server of a third party providing the email service. The job of encrypting the messages will also be done by someone else, rather than occurring on your own computer.


(Note: I frequently find people referring to ordinary web-based email as being ‘secure’, when they actually mean only that access to the web interface is restricted using passwords. It would be much more accurate to call these systems ‘password protected’, since there is nothing secure about the way data is actually held in the system; i.e., if it is not encrypted, then the data itself is not held securely.)

With encryption using a local client, you will read and write emails using software that is installed on your own computer, and just before sending, your messages will be encrypted. Likewise, replies will arrive back at your computer in encrypted form, and it will be your computer which does the job of decrypting them.

Some web-based encrypted email services now provide plug-ins for popular email clients, meaning that they offer the option of both methods of working: you still rely upon their server to handle your email, and you rely on them to provide the plug-in, but you can use your familiar local email client to send and receive via their server.

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .


Copyright © 2002-2023. All Rights Reserved.