Why hackers target therapists

Hackers love to target healthcare workers, and therapists are no different. Mental health practitioners are tired and stressed like all healthcare workers and make mistakes just as often. However, patients put their trust in health professionals and expect to have themselves and their personal information secure. No matter what they share with their doctors or how they share it.

Under the HIPAA Act, healthcare providers must utilize strong cyber defenses to protect patients and their protected health information (PHI). This means that patients should feel safe even when the threat of a breach materializes.

SEE ALSO: HIPAA compliant email: The definitive guide

And all healthcare providers, including therapists, are increasingly becoming targets. Let’s explore the reasons why hackers target therapists and what mental health organizations can do to protect themselves.

1. Mental health organizations: SMBs targeted frequently

Most therapists are small to midsize business (SMBs) owners that don’t utilize solid cybersecurity solutions. They don’t have adequate resources to fortify themselves as they should. This largely means:

• Little to no IT budgets
• No staff to manage the cyber environment
• No cyber preparedness

And, therefore, weak cyber defenses.

In October 2020, the U.S. Treasury Department stated that since SMBs are more vulnerable, they are frequently attacked. A 2022 Critical Insight report even stated that SMB cyberattacks rose drastically in the first half of 2022, from 23% in 2021 to 31%.

Regrettably, most SMBs assume that because they are so small, they won’t be targeted. But the exact opposite is true. Especially for therapists as they discover new tech-savvy methods of seeing patients.

2. Increased reliance on technology = more access points

The pandemic accelerated the adoption of digital health technologies and a digital transformation within the industry. One that doesn’t seem to be changing any time soon. Currently, there are over 165,000 mobile healthcare apps, with the majority concerned with mental health. What are some other new technology trends useful to patients and their therapists?

1. Smartphones and tablets to contact mental health helplines 24/7
2. Telehealth to remotely visit health professionals
3. Personal digital devices to collect and send personal data from a distance
4. Electronic health records to facilitate sharing PHI between specialists

Healthcare organizations that embrace such technologies encourage improved patient engagement and therefore patient care. But this increased reliance on health tech means organizations also increase their attack surface. New technologies mean new vulnerabilities and more breach opportunities.

Especially as therapists navigate these new threat vectors while counseling patients. And while trying to keep them protected.

3. PHI from therapist treatments is valuable and sensitive

PHI from therapy sessions is more sensitive and, therefore, more valuable to doctors, patients, and hackers. Why wouldn’t cyberattackers want access? Especially as therapists keep detailed notes on really sensitive issues to properly treat those they see.

Hackers want to steal such data to use for a variety of reasons. They may want the PHI to steal someone’s identity. They may want to sell the information to the highest bidder (on the dark web, such records can sell for up to $1,000 or more).

Or they may even want it just to demand a ransom. PHI is very valuable to the right buyer, including to healthcare organizations that want the information back after being hacked. Especially when the threat of exposure (or double and triple extortion) could hurt a patient’s mental health even more.

The Vastaamo breach—an alarming lesson

A breach that demonstrates how bad it can get occurred in Finland in 2018. The company Vastaamo ran the largest network of private mental health providers in the country. In 2018, a security flaw in the IT system exposed PHI, including therapy notes, on the Internet. A hacker ran with it and copied the information though none of this became public until 2020.

The cyberattacker demanded a ransom from the company, but Vastaamo refused to pay. And in 2020, around 300,000 impacted individuals began receiving ransom demands. The amounts weren’t astronomical, but the threat of releasing such confidential information scared those contacted. All were shocked that this could happen, with many patients telling the police that the information was told in confidence. And that they expected it to stay that way.

One patient was even quoted as saying, “The fact that someone, somewhere knows about my emotions and can read my intimate files is disturbing.”

Therapists must protect therapy patients’ PHI

The patient’s statement alone demonstrates why strong cybersecurity is important. Even more so for mental health organizations that work within the U.S. and must ensure HIPAA compliance. Along with stolen PHI and angry/scared patients, the consequences of HIPAA violations include huge fines, loss of reputation, lawsuits, revoked licenses, and criminal charges.

Therapists must ensure that enough attention and budget is given to cybersecurity no matter the size or the technology used. What does this mean?

1. Antivirus software
2. Encryption
3. Endpoint security
4. Access controls (e.g., MFA authentication)
5. Employee awareness training

The right mixture of cybersecurity depends on the needs of every organization. Knowing what you need to secure and how to secure it is a fundamental part of patient care. The threat of a breach must be as stressful for patients as it is for healthcare practitioners. Proper precautions help safeguard everyone involved, including patients along with their PHI and their mental health well-being.