
How should allied professionals protect themselves from cyber threats?

The latest government data shows the number of people seeking help for mental health issues is at a record high[1]. The researchers attribute that to several factors, including the ongoing effects of the pandemic on society and the lockdowns used to control it, and an increased focus on mental wellbeing, which is giving people the confidence to seek help from therapists rather than coping on their own.

None of which is lost on cyber criminals. The above factors, teamed with a significant upsurge in general cybercrime, mean that psychological professionals and others involved in mental health work have become a hot target for hackers and fraudsters. Anyone in the sector using digital tools and systems would therefore be wise to arm themselves with the information and cover needed to protect their clients and practices, especially given the highly confidential nature of the work.

The risks are real. In October 2021, Vastaamo, a Finnish psychotherapy service provider, announced that its patient database had been hacked[2]. Information including names, addresses, social security numbers, emails and therapy notes was stolen. The attacker demanded €450,000 to stop the data leak, which Vastaamo refused to pay, and the information was duly posted on the dark web. The attack led to Vastaamo’s closure – we have no way of knowing the full extent of the damage caused to those individuals whose confidential information was disclosed.

What are the key risks?


As the Vastaamo case demonstrates, the data therapists hold is valuable. Sensitive information is vulnerable to ransomware attack, and personal details can be traded on the criminal market and used for nefarious gain, including to get access to secure accounts.

Criminals have all kinds of tricks up their sleeves to hijack this valuable intel. Phishing, where an attacker masquerades as a trusted entity to dupe a victim into sharing information, is the most common. But issues such as weak passwords or using the same one for multiple accounts can also lead to data theft (according to Google, 13% of users reuse the same password for all their accounts[3]). Other things to consider include system vulnerabilities and antivirus software that’s out of date, and insider threats, including disgruntled employees who steal data – a phenomenon that’s on the rise[4]. Human error, however, presents the biggest problem. In fact, software company Egress reported in 2021 that it accounts for a staggering 94% of data breaches[5].

Being proactive about security is clearly vital. There are steps that professionals can take to protect themselves, such as cybersecurity-awareness training, implementing robust internal steps like multifactor authentication and strong passwords, backing up data regularly, and safely storing client information on a password-protected hard drive.

But perhaps the most crucial factor is understanding that common professional liability insurance won’t necessarily cover every loss, which could leave therapeutic practices exposed if an event is cyber-related. A stand-alone cyber policy will allow you to fill gaps in cover that may exist in your professional liability policy.

Cover as an ethical issue


Healthcare professionals have long been aware of their ethical and legal obligations to clients – and now that has to involve considering the vulnerabilities that come with cybercrime. For many in the sector, acquiring the right cyber insurance is now an essential part of meeting those ethical and legal responsibilities.

While psychological specialists are of course obligated to safeguard their clients’ confidentiality, including safeguarding sensitive information, they also need to protect themselves from significant financial loss, including legal fees, data recovery costs and potential settlements with affected parties. These costs can be especially crippling for small or independent practitioners, making insurance coverage a valuable safety net (a recent report claims that smaller organisations are three times more likely to be targeted by cybercriminals, as they are less likely to have robust security measures in place[6]).

Some regulatory bodies and professional associations may require allied professionals to carry cyber liability insurance as part of their ethical and legal responsibilities to protect their clients’ privacy and security. Therefore, obtaining coverage can not only protect your business and finances, but also ensure regulatory compliance.

Therapists and other practitioners should consider insurance to cover cyberthreats to protect their clients’ confidentiality, mitigate financial risks, and fulfil ethical and legal obligations. The fact that IT and training measures have been taken, or that a breach hasn’t yet happened, should be of little comfort. After all, it takes just one click on a malicious link to change everything. Just ask the people at Vastaamo, who had been practicing happily and successfully for more than 12 years before the cybercriminals changed everything.

Get a cyber insurance quote by visiting https://www.howdengroup.com/uk-en/cyber-request-a-quote and filling out the short form.

 

[1] https://post.parliament.uk/research-briefings/post-pn-0648/

[2] https://www.bcs.org/articles-opinion-and-research/biggest-healthcare-cyber-attacks-this-decade/

[3] https://www.comparitech.com/blog/information-security/human-error-cybersecurity-stats/

[4] https://www.ft.com/content/a7a2b5c4-1653-4364-84c1-c322c5b56745

[5] https://www.egress.com/media/4kqhlafh/egress-insider-data-breach-survey-2021.pdf

[6] https://www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/?sh=3566aaae52ae