Software Solutions for Mental Health Practice Encryption and Security, Page 2

As a mental health professional, you will have certain obligations — some legal, some ethical — regarding confidentiality and the security of materials related to your practice. The first part of this article offers some brief notes on the types of encryption solutions available, while the second part explores their advantages and disadvantages and offers specific software suggestions. A companion article comments on some ethical issues relating to encryption.

Advantages and Disadvantages of These Two Types of Encryption Software

In my view, web-based services offer three primary advantages:

  • Portability (you can access websites from anywhere)
  • Low cost (many are ad-supported)
  • Key transparency (technophobes in particular will appreciate that keys are usually handled in the background)

Their disadvantages include:

  • Reliance upon someone else’s server and continued commercial existence
  • Underpowered email environment, relative to a local client (in terms of organization, search functions, advanced editing, etc.)
  • Lack of any local backup (unless using a local client plugin)
  • Slow
  • Public and private keys held by the same entity

In my view, the second two disadvantages above make web-based encryption almost completely unsuitable for practitioners who do any significant volume of online work. If you only send brief messages, and if you only send and receive comparatively few of them, and if you are not worried about making backups or archiving your emails, then web-based systems may hold some attraction. On the other hand, if you handle longer client messages, or if you send and receive very many of them, or if you want backups or archives, I don’t imagine web-based services would be particulary useful to you.

Talk to a Psychiatrist or Therapist Online

In addition, the first disadvantage above will make web-based systems less attractive to users concerned about the longer-term security of their data, while technically inclined users may not be prepared to accept the last disadvantage in the list: allowing a third party to hold not only their data, but also both their private and public keys. Doing so effectively reduces the security of the entire system down to the security of the service’s key handling.

In my view, the advantages of local client encryption include:

  • Full local email client capabilities
  • Full local backup and archiving
  • Independence from third-party servers
  • Fast
  • Personal key handling
  • Open standards mean multiple suppliers

Their disadvantages include:

  • Cost for commercial versions
  • Configuration for GPL versions
  • DIY key management and the resulting lack of portability (decrypting email requires your keys)

The references to cost above concern the differences between available versions of OpenPGP, which is one popular encryption standard described below. I have included something about key management as both an advantage and a disadvantage of local client encryption: managing your own keys may provide greater security for those keys, but it also means you have to do it yourself!

Specific Software Suggestions

PGP

PGP client software

I personally prefer local client encryption, and I use a package called PGP. This is one particular commercial implementation of what has come to be called the OpenPGP standard. PGP, which stands for ‘Pretty Good Privacy’, was created by a real pioneer by the name of Philip R. Zimmermann, who designed it originally as a human rights tool and released it as free software in 1991. I began using PGP around 1993 and personally consider it one of the best encryption clients available. The OpenPGP standard itself is widely considered to be the ‘gold standard’ for this type of encryption technology.

PGP is a public key encryption system, which means that users can communicate securely with one another after publicly exchanging keys — where ‘public’ means that anyone can see the keys, and the security of the two users’ communication won’t be compromised. This works because each user has two keys, a private one and a public one, and while one is used for encrypting, the other is needed for decrypting. So, when I give you my public key, and you use that key to encrypt a message for me, I then need my corresponding private key to read it.

For this reason, public key cryptography is called ‘asymmetric’: one key does one job, and a separate key does another job. This contrasts with ‘symmetric’ encryption, in which the same key is used for both jobs. Symmetric systems, such as that which you might use to encrypt a file on your hard drive, are not suitable for securing communications with other people unless you have a secure means of exchanging keys in advance. (I.e., you cannot simply email someone the key they are going to need to read future messages! But you can simply email someone the public key they are going to need to encrypt messages back to you.)

The specific PGP package I use also offers the capability of creating encrypted disk images (using ordinary symmetric encryption), which can be used to hold other data in a transparently encrypted way. I.e., the image behaves like any other disk, except that files are encrypted and decrypted transparently, on-the-fly. In my own case, however, I rely intead on a built-in function of Mac OS X to create encrypted disk images.

Hushmail

Hushmail web-based encryption

Using PGP gives me the freedom to use my own normal email client, yet because at least one of the web-based email encryption services — Hushmail — interoperates with PGP, my clients do not necessarily have to buy the PGP package. My clients can use Hushmail, while I use PGP, and in theory everything works fine.

I say ‘in theory’ because although Hushmail claims full interoperability with OpenPGP, in practice they do not deliver full key management services to Macintosh clients. Being a web-based service, Hushmail runs its own keyserver to keep hold of its users keys, and when a PGP user wants to receive secure messages from a Hushmail user, the PGP user must upload their public key to the Hushmail server. The last time I tried this, it was flatly impossible — due to bugs in code on the Hushmail server — and I had to resort to using a Windows PC to upload my key. I have contacted Hushmail twice about this, and while they acknowledge there is a bug, it still had not been fixed the last time I checked, after around half a year had elapsed since my first bug report.

Clients can use Hushmail for free, and as mentioned above, they do not have to worry about handling keys.

An alternative web-based encryption service is SAFe-mail, which also operates using public key technology. I do not personally favour it, however, due to their lesser support for open standards and their insistence on completely controlling both email addresses and digital certificates.

Alternatives to commercial versions of PGP include GPG, which stands for ‘GNU Privacy Guard’, and which can be used for free under the GNU Public License. GPG works on all the main operating systems, and several companion packages are available for performing specific functions with GPG; on Mac OS X, the core encryption engine is available as MacGPG, while GPGMail works with MacGPG to integrate encryption services into the built-in Mac OS X Mail client. Other script packages are available to integrate encryption into other mail clients such as Eudora, Entourage and Mailsmith.

GPG options for Windows and Linux operating systems are similarly abundant.

All GPG packages are fully compliant with OpenPGP standards and therefore enjoy all the same advantages as PGP in terms of communicating securely across different systems and through services such as Hushmail.

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .

Overseen by an international advisory board of distinguished academic faculty and mental health professionals with decades of clinical and research experience in the US, UK and Europe, CounsellingResource.com provides peer-reviewed mental health information you can trust. Our material is not intended as a substitute for direct consultation with a qualified mental health professional. CounsellingResource.com is accredited by the Health on the Net Foundation.

Copyright © 2002-2024. All Rights Reserved.