Do You Feel Secure?
By Sam McCracken
How did Clive Palmer get my phone number?
I don’t want to sound like one of those tinfoil hat types who say “I think there’s something going on” but I think there’s something going on.
Our lack of control over our personal privacy is bordering on Orwellian. Personal data is the new commodity, and the trade in our data eclipses the oil and gold rushes of the last couple of centuries. Apple and Microsoft have broken through the trillion-dollar ceiling and the rest aren’t far behind.
Tech journalist Kashmir Hill recently conducted an experiment in which she tried to live without ‘the frightful five’. Over the course of five weeks, she blocked Amazon, Facebook, Google, Microsoft and Apple. The outcome: it is pretty much impossible to participate in modern society without exposure to these giant companies. However, there are ways we can minimise our exposure – keep reading to find out how.
Okay, so what has all this got to do with massage therapy? Well, we have a responsibility to protect our patients’ privacy and the privacy of the information they share with us. Hacks and data breaches have become commonplace but the most worrying thing is how easily we give up our private information to online companies and, in the process, we may also betray our patients by divulging their private data as well.
What? How? Huh?
It was no surprise to see the public backlash when the government recently wanted to introduce centralised healthcare records. The public obviously value their data privacy and in particular, their health data. Our health data may be valued by us but it is also valued by those who trade in data.
In the US, there have been over 11.5 billion records breached since 2005 (244 million of which were health-related records).[1]
In Australia, since February 2018, the healthcare sector has suffered the most data breaches of any industry group.[2]
A third (33%) of all breaches in the last 12 months involved health information.
An example of how we can unwittingly divulge our patients’ private information is with our social media. When we tick that box to upload our contacts to help find our friends online, I wonder how many of us stop to consider that, without obtaining consent, we are allowing that social media platform to harvest the data of our friends, family and patients (assuming we have patient contact details on our phones or computer)? And that personal/private information ends up in a data server farm and is on-sold to third, fourth, fifth and who knows how many other parties?
By default, Windows has access to all your contacts. Most people take care to ensure they have antivirus software installed on their Windows PC – which is wise – but in some ways, Windows could itself be considered a virus.[3] Windows telemetry is constantly uploading your data, and if you store client/patient data on your PC, then that is also being uploaded.
If you want to know how much of your data has been mined by Google, download your data from your Google account. Don’t be surprised if your file is 150 gigabytes and takes 4 days to download. Ever wondered how Google knew to ask if you would like your flight booking details stored on your Google calendar? Depending on how you manage your appointment diary, Google may be trawling through your patient database as you read this.
I can’t talk about Facebook without it turning into a rant. If you only read the headlines, you soon get the picture with regards to unethical practices, data breaches and privacy invasion.
I could fill many pages on how tech giants mine our data but I think by now you understand what I’m talking about, and we should all be mindful that there really is something going on.
What Can I Do To Keep Data Safe?
While there’s no need to be paranoid to tinfoil hat levels, there are plenty of ways to keep data safe. Below are some suggestions for strengthening your data security.
- Linux is a safe, reliable and secure operating system and doesn’t suffer from viruses the way Windows does. It’s also free. Find out more about installing Linux from Ubuntu or POP.
- Ensure your website is secure and uses HTTPS encryption. This can be organised through your website’s host, or you can obtain a free certificate from “Let’s Encrypt”, a Linux Foundation project.
- Do not have mobile phones, tablets, laptops, webcams or any device that has a camera or a microphone in the treatment room.
- If you store client data in the cloud, realise that ‘the cloud’ is just someone else’s computer. Make sure it is end to end encrypted and as secure as possible. Massage therapists must comply with all government regulations regarding the storage of health records. The AMT Code of Practice includes information on securing client data and privacy.
- Use Protonmail instead of Gmail if you don’t have an email address related to your business. It’s free and encrypted.*
- Change the password on your router (the thing that connects your computer to the interwebs) from the default “admin” and ensure your router has up to date firmware and security patches. Consult your router’s user guide on how to update the firmware and how to change the default password. You can also contact your router company or internet service provider and have them talk you through the procedure.
- Use Firefox or Brave as your web browser instead of Chrome.
- Use the Duckduckgo search engine instead of Google.
- If you sell, give away or throw away any device that has contained private data, ensure that the hard drive has been thoroughly wiped or destroyed. This guide is US-focused but nonetheless offers some helpful hints on how to remove data from your old hard drive.
- Encrypt the hard drive on your computer and ensure no one has access to its contents. Linux has easy-to-use encryption tools, and POP, as mentioned above, has encryption on by default. If you must use Windows, be sure to use Windows Pro; it has an encryption tool that can be accessed in the settings under ‘security’.
- Use strong passwords. There are lots of online password generators that you can customise to create a strong password. No need to use your favourite kid’s name or the family pet any longer. Try this password generator or this one.
- Regularly check https://haveibeenpwned.com/ website to see if any of your passwords or accounts have been compromised.
- Use the free Bitwarden password manager to look after your passwords.
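The password advice above (generate strong passwords, and check whether yours have turned up in a breach) can be done without ever sending the password itself anywhere. This added example, not part of the original article, shows the idea behind the Have I Been Pwned “Pwned Passwords” check: only the first five characters of the password’s SHA-1 hash are sent, and the matching is done locally. The range response embedded below is constructed for the example; the live lookup function assumes the public `api.pwnedpasswords.com/range/` endpoint and is not needed to run the rest.

```python
import hashlib
import secrets
import string

# Constructed sample of what the Pwned Passwords "range" endpoint returns for
# the SHA-1 prefix 5BAA6: one "SUFFIX:COUNT" line per breached hash. Only the
# first suffix is real (SHA-1 of the word "password"); the counts and the
# other suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2C0B5A6F4D3E9A1B2C3D4E5F60718293A:2
"""

def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex
    digest. Only the prefix would ever leave your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Given the range text for the password's prefix, return how many times
    the password appeared in known breaches (0 = not in that range)."""
    _, suffix = split_sha1(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup (needs network): sends only the 5-character prefix."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (the secrets module), as the
    article's 'password generator' advice suggests."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_5BAA6))  # 5BAA6 3861493
    print(generate_password())
```

To check a real password, call `breach_count(pw, fetch_range(split_sha1(pw)[0]))`; a non-zero result means that exact password is already in breach dumps and should be changed.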
Stay safe, kids!
* Editor’s note: In May 2019, Protonmail were accused of voluntarily providing access to emails. They provided clarity. Read more here.
1. Privacy Rights Clearinghouse
2. Office of the Australian Information Commissioner
3. Microsoft Disregards User Choice and Privacy: A Deep Dive
4. Healthcare data a growing target for hackers, cybersecurity experts warn
5. Some health data collection is beneficial – Health Data Being Used to Train Artificial Intelligence
About the Author
Sam McCracken is a remedial massage therapist on Brisbane’s north side. Sam qualified in traditional Thai massage in 2006 from the world’s oldest massage school (Wat Po Traditional Medicine School) and with the benefit of over 30 years of daily Tai Chi practice, he believes he is on track to achieving his goal of becoming the world’s oldest massage therapist. Sam has a keen interest in modern understandings of traditional massage methods. He has studied many lineages of massage, mostly from Asian traditions.
Official AMT Information – Data Breaches – Your Obligations
Did you know that massage therapists are subject to the Notifiable Data Breaches (NDB) scheme? The scheme came into effect on 22 February 2018. It was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017.
The NDB includes an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.
You must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification. Notifications to the Commissioner should be lodged through the Notifiable Data Breach Form.