Psychologists, psychiatrists, therapists, counselors, social workers, and other mental health professionals do their best work when focusing utterly and completely on the care of their patients. As their work has evolved over the last 10 years, mental health professionals can find themselves doing such important work in decentralized environments requiring very little technology. As long as they have a computer, internet access, and cloud software, they can deliver needed care whether remotely through telehealth, onsite at an office location, or at other onsite locations (such as hospitals or clinics) as needed.
This can lead to underestimating cybersecurity risks, as the ease of using technology lulls them into a false sense of safety. Yet one slip could expose deeply personal, sensitive data that harms patients and lead to penalties for non-compliance. Your reputation may also suffer, meaning fewer patients are likely to trust you with their data and health concerns in the future.
In your day-to-day work, how often have you thought about the following data security and privacy risks?
- Targeted cyberattacks: Personal healthcare data is extremely valuable when sold on the dark web—with mental healthcare data sold at a very high price because of its sensitivity. Cyberattackers specifically target mental health organizations with ransomware, phishing emails, and social engineering attacks to gain access to your data.
- Data access vulnerabilities: How many layers of security does it take to access your sensitive data? Can anyone with a password access it? How about access to your telehealth software?
- Hardware and software vulnerabilities: If you have obsolete, outdated hardware and software, it’s likely that gaping security vulnerabilities exist. Are you patching and updating software regularly?
Many ways exist to address these risks without investing in expensive technology and tools. Applying some easy-to-implement best practices will ensure that you’re protecting sensitive patient data and helping with your compliance.
1. Multi-factor Authentication and Role-Based Access Controls
We cannot overstate the importance of implementing and enforcing multi-factor authentication (MFA) across your entire organization. 99.9% of account compromise attacks can be blocked by MFA. The slight nuisance of getting a code sent to your phone and inputting it as a second factor of authentication is a small price to pay for the protection it offers. The good news is that your employees should be used to MFA by now from how it permeates our everyday lives, lessening the annoyance.
Digging a bit deeper, it’s important to set up access to your applications by role. IT professionals can set this up on the backend, directed by you. Everyone shouldn’t have access to everything with just a password. For example, an administrative assistant may not need access to sensitive patient data but a particular therapist working with that patient does. With role-based access, the assistant would never be able to access the sensitive data—even with the right password.
Even if you follow these best practices, be careful of the following pitfalls:
- Legacy systems: Holes often exist with legacy systems and applications no longer supported by a vendor. It’s best to modernize these systems or, at a minimum, ensure that IT professionals are aware of and shoring up these vulnerabilities as best as possible.
- Third-party applications: You might just assume the vendor takes care of cybersecurity, but that’s sometimes an incorrect assumption. Make sure IT professionals help you secure and monitor all possible access points, as those are usually the weak spots that cyberattackers look to exploit.
- Remote access: Access controls are especially important with remote access. You may want to consider using a VPN to ensure that anyone remotely accessing your systems does so securely. VPNs usually encrypt any information in transit so that cyberattackers cannot view sensitive data if they happen to eavesdrop on your connection.
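As an added illustration of the access model described above (example code, not from the original article or any particular product), the check below refuses a session that has not completed MFA, refuses any role outside the clinical roles, and then applies least privilege within the role so only the therapist assigned to a patient can open that record. The role names, user names, and patient ids are constructed for this example.

```python
"""Constructed example: MFA gate plus role-based and assignment-based access
to patient records. Roles, names and record ids are illustrative only."""
from dataclasses import dataclass, field

# Roles permitted to read clinical patient records at all (assumed policy).
ROLES_WITH_RECORD_ACCESS = {"therapist", "psychiatrist"}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool                 # second factor completed at login
    assigned_patients: set = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def can_read_record(session: Session, patient_id: str) -> Decision:
    """Decide whether this session may read a patient's clinical record."""
    # 1. A correct password alone is never enough: require the second factor.
    if not session.mfa_verified:
        return Decision(False, "mfa_required")
    # 2. Role check: an administrative assistant never sees clinical data,
    #    even with a valid password and MFA.
    if session.role not in ROLES_WITH_RECORD_ACCESS:
        return Decision(False, f"role '{session.role}' not permitted")
    # 3. Least privilege within the role: only the clinician treating this
    #    patient may open the record.
    if patient_id not in session.assigned_patients:
        return Decision(False, "not assigned to patient")
    return Decision(True, "ok")


# Constructed sample sessions.
assistant = Session("a.lee", "admin_assistant", mfa_verified=True)
therapist = Session("dr.kim", "therapist", mfa_verified=True,
                    assigned_patients={"P-1001"})
therapist_no_mfa = Session("dr.kim", "therapist", mfa_verified=False,
                           assigned_patients={"P-1001"})

if __name__ == "__main__":
    for s, pid in [(assistant, "P-1001"), (therapist, "P-1001"),
                   (therapist, "P-2002"), (therapist_no_mfa, "P-1001")]:
        d = can_read_record(s, pid)
        print(f"{s.user:8} {s.role:16} {pid}: {d.allowed} ({d.reason})")
```

Denied decisions carry a reason string so they can be logged and reviewed; repeated "mfa_required" or "not assigned to patient" denials for one account are worth a look.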
2. Software Patching
One of the easiest attack methods for cybercriminals is to exploit unpatched software vulnerabilities. They bet on the fact that your mental health organization may not stay up on patching for your operating system and other important applications. If they’re right, then they have an easy way to breach your computers and servers.
It’s crucial to apply software patches and updates on an ongoing basis so that any known vulnerabilities cannot be exploited by cyberattackers. Especially ensure that you patch any applications that would give someone access to sensitive information about your patients.
Make sure that you replace technologies and applications that are “end of life,” meaning they no longer receive support from the vendor. When the vendor no longer supports hardware or software, then they no longer provide patches for security vulnerabilities and bugs. It’s important to upgrade or replace systems to reduce the chance that cybercriminals will exploit known, unpatched vulnerabilities in your obsolete technology.
3. Endpoint Security
Your staff likely lives by their devices. Computers, tablets, and smartphones are ways to interact with clients, access patient data, and connect to the administrative side of your organization. It’s essential to secure those devices—especially those used for telehealth and remote work—so that cyberattackers cannot exploit weaknesses and potentially access sensitive data on your device or network.
If you don’t have endpoint detection and response (EDR) on your devices, then it’s possible that cyberattackers can use existing software vulnerabilities to breach your device and hide undetected until they decide to steal data or deploy malware. EDR is so fundamental that cyber insurance providers consider the use of this tool mandatory if they are to provide coverage. Like the antivirus software it now makes obsolete, EDR prevents many potential exploits, but it also uses machine learning to detect anomalous behavior that may indicate a cyberattacker inside your network—cutting off a device from the network before an attack can take place.
You also don’t want devices exposed to unsecured wireless access points. Whether employees are accessing your network onsite or remotely, any wireless connections need to be secure and encrypted. Otherwise, cyberattackers could hack these unsecured connections, gain entry onto your device, and access patient data. If you cannot guarantee that employees have secure wireless access points at their homes or in public (such as at coffee shops, hotels, co-working spaces, etc.), then require the use of a VPN or secure browser when accessing specific applications.
4. Mobile Device Management (MDM)
In today’s often decentralized workforce, employees may use devices in the field or at home. While this is convenient for employees, it introduces the risk of device loss or theft, accessing unsecured networks, and not applying patches and updates. Such risks open you up to data breaches, exposing sensitive patient information, and compliance violations.
Mobile Device Management (MDM) can help with that issue by allowing IT professionals to centrally control, monitor, and secure mobile devices—whether issued by your organization or BYOD (Bring Your Own Device). With MDM, you can remotely wipe the endpoint if it’s lost or stolen, easily track who has what device, and restrict what websites and applications employees can access (minimizing the threat of malicious websites or applications exfiltrating data).
5. Encryption
Ensure that any patient records and other sensitive information are encrypted. In case cybercriminals or unauthorized people access this information, it will be unreadable and unusable. Encrypt data both at rest (where data is stored) and in transit (when sharing data between different endpoints). Desktop computers, laptops, tablets, and mobile devices need device encryption.
Of course, many applications you use are based in the cloud, not on your devices or network. In such situations, it’s important to confirm the type of encryption the cloud application vendor provides. Most reputable healthcare application providers should have encryption built into the software, but it never hurts to confirm or get an IT professional to double check.
Your telehealth platforms are a great example of why encryption is important. Patients divulge extremely sensitive information during telehealth sessions. You don’t want someone listening in on these conversations, recording the video and audio, or selling such sensitive information on the dark web. Take encryption seriously.
6. Security Awareness Training
Mental health professionals feel pressure to stay up on new therapeutic approaches, the latest research, and best practices related to delivering the best care to their patients. It’s likely that many of your employees are not staying up to date on cybersecurity best practices. After all, it’s IT-related in their minds, and not a professional priority.
However, all it takes is for one person to fall victim to a phishing email and you’ve got a data breach on your hands that could damage your organization’s reputation. Cost-effective, self-paced online security awareness training exists that can teach about phishing, social engineering, and other common threats. Learning how to spot the common signs of a cyberattack will reduce the risk of an employee falling for an attempt at accessing your network. Such training should supplement what they already learn about HIPAA and handling sensitive patient data.
--
These six recommendations are critically important yet also cost-effective to implement—showing that many cybersecurity best practices are more about common sense than expensive tools. Ensure that you restrict access to sensitive information, secure, patch, and encrypt endpoint devices, and train your employees. While other cybersecurity best practices exist and need implementation, especially if you are a large mental health organization, these six are a good start to help you assess your situation right now. Improving upon the areas above will go a long way toward protecting sensitive patient data within your mental health organization.