If you work in healthcare, you know the value of mitigating risk. You’ve probably told your patients and clients, “An ounce of prevention is worth a pound of cure.” When it comes to your field, you know and can recommend the most effective preventative measures to protect your patients’ health.
Whether or not you work in politically sensitive fields, the rise in targeted harassment and violence against healthcare workers may have you wondering what, if any, preventative measures you can take to protect your privacy and stay safer online.
From one expert to another: Our field of expertise is digital safety. Here are the preventative steps we recommend you take to keep yourself, your family, and your loved ones safer online.
If you’re the target of harassment, one of the classic ways it can escalate is through hacking and account takeovers. Attackers might use your accounts to impersonate you so they can spread misinformation, cause you financial harm, or stalk you.
You can prevent hacking and account takeovers by using strong, unique passwords, a password manager, and 2-Factor Authentication.
As you think about securing your accounts, ask yourself what your most important accounts are. For us, that’s our main email and social media accounts, accounts we use to log in to other accounts with (such as Google, Facebook, or Apple ID), our work accounts, and accounts related to our financials.
The #1 way hackers gain access to accounts is through credential stuffing: they find your username and password in an old data breach and check to see if you’re using the same password in other places. If you always use the same password, the attacker will have access to any of your accounts that they can find.
That’s why it’s important to make passwords that are both difficult to guess AND unique for each site or app. Don’t include keywords that an attacker can look up about you, such as your birthday, your first car, or the name of your first pet, and don’t use a system that could be reverse-engineered by someone who got a hold of a few of your passwords. Instead, make your passwords a random mix of uppercase letters, lowercase letters, numbers, and symbols, at least 8-20 characters long. Another option is to use a passphrase of a few random words.
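To show what “random mix” and “passphrase of random words” mean in practice, here is a small added example (not from the original post) that generates both kinds of password using the operating system’s secure random source and estimates how hard each is to guess. The word list is a constructed stand-in; a real passphrase generator would draw from a list of thousands of words.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list for illustration only.
# A real passphrase list (e.g. a diceware list) has thousands of words.
WORDS = ["apple", "river", "candle", "orbit", "maple", "tundra", "velvet",
         "copper", "lantern", "meadow", "pixel", "saddle", "quartz", "harbor",
         "zephyr", "walnut"]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)


def random_password(length: int = 20) -> str:
    """Random mix of upper, lower, digits and symbols with at least one of each.
    secrets (not random) is used so the output is unpredictable."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    chars = [secrets.choice(cls) for cls in CLASSES]          # one per class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # hide class order
    return "".join(chars)


def random_passphrase(words: int = 4, wordlist=WORDS) -> str:
    """A few words picked independently and uniformly from the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Guessing difficulty: picks independent choices from a pool of pool_size."""
    return picks * math.log2(pool_size)


def has_all_classes(pw: str) -> bool:
    """Check that a password really does mix all four character classes."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


if __name__ == "__main__":
    print(random_password(), f"~{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print(random_passphrase(), f"~{entropy_bits(len(WORDS), 4):.0f} bits")
```

With the tiny list above a four-word passphrase is only 16 bits; the same formula shows why a list of several thousand words is needed for passphrases to match a 20-character random password.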
You might be thinking, “How will I ever remember even a few passwords like that?” which brings us to...
If you use a password manager, you’ll only have to remember one password or passphrase. Password managers are software that securely store your passwords so you don’t have to remember them.
You might already use the built-in password manager in Google Chrome or the iCloud Keychain. Those are both fine, but we like 1Password (subscription based) and Bitwarden (free) best. You can install either as a browser extension, a desktop app, or a phone app so you’ll always have your passwords handy.
Whichever password manager you choose, make sure the passwords you’re putting into it are strong and unique.
If the worst happens and an attacker gets a hold of your password, 2-Factor Authentication (2FA) is a final line of defense against hacking. If you’ve ever gotten a text or an email with a code you had to enter in order to log in to an account, you’ve used 2FA. The codes for 2FA expire quickly, making them difficult for an attacker to obtain while they’re useful.
We recommend using a mobile authentication app or a hardware key for 2FA over text messages, although SMS-based 2FA is better than nothing if that’s the only option. The mobile app we recommend, Authy, is free. Hardware security keys such as YubiKeys can be expensive, although there are more affordable models. You can see what methods of 2FA are supported for any site or app using 2FA Directory.
The scariest part of being targeted by online harassment is the possibility that the harassment will escalate to other avenues, or even violence. Doxxing attacks are when your personal information, such as your home address, phone number, or email address, is published without your consent. Doxxers might encourage others to use the information they publish to escalate the harassment.
Doxxers primarily find your personal information through shady “people search” websites that sell access to your information. Yael Grauer maintains a list of data brokers with instructions on how to get your information taken down. Manually opting out is tedious and time consuming, so if you’re feeling overworked and short on time (and what healthcare worker isn’t right now), consider signing up for a paid, automated opt-out service such as Optery, Kanary, or DeleteMe.
Depending on where you live, your licensing board or state registry might publish your information in a publicly accessible database such as the IDPH’s Health Care Worker Registry. The IDPH doesn’t publish contact information, but other databases do. If you can’t have your sensitive information taken down, use your work address and work phone number. If you don’t have a work address or work phone number, we highly recommend that you get a mailbox and a dedicated phone number, such as a VoIP line, for business use.
If you’re in private practice or consulting, you’ve probably registered your own business. Business filings are public record, so if you’ve used your personal contact information to file, it may be publicly available. We recommend changing your business’s information to a mailbox. You’ll usually need to contact your state’s Secretary of State office to get it changed.
You might be surprised to learn that many messaging services are insecure. If you have sensitive conversations over SMS, Twitter DMs, Facebook Messenger, or Instagram DMs, you should be aware that the privacy of those conversations isn’t guaranteed; the companies whose platforms you use can look at the message contents, or be compelled to share them by governments.
You probably already use a secure, HIPAA compliant messaging service to protect your patients at work. For personal use, we recommend that you use secure message apps all the time, and especially to discuss sensitive topics.
Our favorite messaging app is Signal. It, and our other recommendations in this section, feature technology known as end-to-end encryption, which means that the company or organization running the messaging service cannot themselves read your messages at a technical level. For particularly sensitive conversations we recommend turning on Signal’s disappearing messages feature and setting a short retention period, like a week or a day. If the conversation is less sensitive (meaning subpoenas are less of a concern) iMessage is a good option. WhatsApp and Facebook Secret Conversations will work in a pinch, but their parent company Meta isn’t very transparent about their privacy practices, so we don’t recommend them.
We want you to feel empowered to stay online even in the face of online harassment. But if you’re worried about harassment, it pays to be mindful about how you use social media and what you share. Here are a few tips specific to healthcare workers:
As a healthcare worker, you’ve dedicated your life to making sure that others have the care that they need. You’re probably used to prioritizing the welfare of others over your own. But when you’re facing the threat of online harassment, self care becomes even more critical. The goals of online harassment are to exhaust, isolate, and terrify you. By resting and recharging, you are frustrating and resisting the people who would attack you.
So eat regularly. Rewatch your favorite show. Snuggle a cat. Make a cup of tea. If you exercise, stick to your exercise routine. Get a good night’s sleep. Whatever it is you do to take care of yourself, make sure to do it.
We can’t change how the healthcare system is structured and how it treats you, but we’re working to support you with our expertise. From the bottom of our hearts: You matter. Thank you for doing the work that you do.
Are you a healthcare worker looking for a hands-on evaluation of your security and digital footprint or just interested in learning more? Contact us.