Mental health practitioners have a legal and ethical duty to protect their clients’ privacy. Cybersecurity attacks can expose clients to financial harm, fraud, and even physical danger when threat actors seek access to confidential data.
Far too many therapists think their businesses are too small to warrant the attention of cybercriminals, but 58% of cyber-attacks in 2017 targeted small businesses. These attacks can be devastating. Sixty percent of small businesses go out of business within 6 months of an attack. You may face steep penalties, lawsuits, and licensing board complaints from clients. If your security practices are severely or knowingly negligent, you could even face criminal charges.
Strengthening your digital security is a matter of following simple discipline. Here are a few good cybersecurity practices that therapists should adopt.
1. ENSURE YOU CAN ALWAYS ACCESS RECORDS – HOST THEM ON A SECURE CLOUD
Data stored only on your computer is at risk: you may lose the records to a hardware or software failure, and third parties can read them if they gain control of the machine. Instead, back up client files to a secure cloud storage space.
2. BE MINDFUL OF EMAIL PHISHING SCAMS
Threat actors take advantage of people who are rushed or inattentive. Email scams are abundant, but you can avoid most of them with the following steps:
- Do not run a program on your computer if you do not know what it does.
- Do not download or open attachments from unknown senders.
- Never give sensitive information, such as passwords or account access, to senders who request this information via email.
3. ENCRYPT SENSITIVE DATA
HIPAA cybersecurity rules mandate that clinicians must encrypt sensitive client data. When you digitally store patient information, ensure their records are encrypted. Similarly, ensure you communicate with clients only across secure, encrypted channels. If you offer telemental health services, ensure you do so only across an encrypted channel and never on an unsecured network.
4. SECURE YOUR DEVICES
Secure your devices, such as mobile phones and laptops. If someone gains physical access to a device, they can steal private information with little or no technical expertise. These strategies can mitigate the risk:
- Lock your phone and laptop with passwords.
- Enable an auto-wipe feature so you can erase all data from your phone or laptop if the device is stolen.
- Adopt Multi-factor Authentication (MFA).
5. BE CAREFUL WITH TELEMENTAL HEALTH
Telemental Health is a great tool that can make therapy more accessible and expand a therapist’s reach. At the same time, it can be vulnerable to hacking if not implemented correctly. Offering therapy through an insecure channel could give criminals access to your client’s entire therapy session. Reduce the risks of telemental health by:
- Never offering telemental health from a public location.
- Using only secure, encrypted telemental health providers.
- Educating clients about security issues, such as the risk that third parties might overhear their therapy session or access treatment data if they attend therapy via a public network.
6. CAREFULLY MANAGE YOUR PASSWORDS
Most people use weak passwords and rarely change them. This puts your practice and your clients at risk. These tips can strengthen your passwords and lock up your data:
- Choose long, complex passwords.
- Change your passwords regularly—ideally every month.
- Use different passwords on different websites.
- Use a secure password log if you need help remembering your passwords.
- Avoid entering passwords on public computers.
- Do not store passwords on your computer or phone.
7. ASSIGN USER-SPECIFIC PERMISSIONS
Practice management software is commonly used to perform activities such as integrating treatment notes, managing billing, and communicating with other providers. Here is a helpful tip: do not give everyone in the practice the same level of access, and never share a password across providers. Instead, give everyone their own account and set up user-specific permissions.
8. USE A SECURE INTERNET CONNECTION
No matter how many security measures you adopt, your clients won’t be safe if you access the internet or therapy notes on an unsecured channel. Do not use public networks to view patient notes, open emails, or deliver telemental health. Instead, use only your own encrypted network and always set your preferences to require a password to log in.
databrackets helps clinicians meet their ethical duties, including protecting client privacy. We offer a vast array of cybersecurity services such as:
- Cybersecurity Risk Assessment
- Vulnerability Assessment and Penetration Testing
- Social Engineering Pen Testing
- Compliance Management: HIPAA/HITECH, PCI-DSS, and more
- Certification: ISO 27001, SOC 2, and more