Why cybersecurity for coaches and therapists?

Originally, I wanted to write my book for everyone – which I now do in a newsletter.  Cybersecurity is a topic people often get very nervous about, and one of the reasons is we tend make it seem like you have to learn everything, perfectly, A-Z and understand a lot of technology jargon. I wanted to break it down into the small pieces we can all to tackle – and really, all of us can do this. 

From working within fraud prevention and cybersecurity, I had both seen first-hand the impact on victims. Some of the cases and stories I will never forget. These victims were individuals and business of all types. In this book, however, I have filtered down to write for an audience of coaches, therapists, councillors, psychologists, researchers, mentors in mind – essentially any practitioner that works with either confidential, sensitive or client specific data. 

For the title, I narrowed it down to 'coaches and therapists', but I am contacted by people from all kinds of occupations such as occupational therapists, social care workers and physiotherapists. Each time they reach out to say they have found the book useful, it gives me a smile. I simply want more people to be more safe and secure online – at work or at home. Most of the advice is therefore written to be transferable to help you be more secure privately. As some say to me – it's also not so bad to flex that you know a little about cybersecurity to your friends and family! 

So, what do we need to do next?

Talk about cyber and fraud incidents we experience 

As I was mapping out the book, I was watching the rise in attacks in healthcare and I was observing risky practices within my work as a coaching psychologist, mentor and researcher. Even though practitioners will talk about confidentiality, they just aren't aware enough of the impact. We haven't talked about it until now. Since writing the book, people reach out to share their stories to me which is good – we need more of this, and we need to consider how security and confidentiality go hand-in-hand. 

Don't separate security and psychology

Awareness around cybersecurity and fraud prevention is still low, yet the experience for victims is clear. It is important for practitioners to realise that the psychological impact of cybercrime or fraud starts from the moment someone has knowledge that something about them might be breached.  Research with victims of hacking and cybercrime has documented the fear and perceived risk that links to our deep uncertainty experienced around, what has happened and what might happen with anything about us that has been accessed (Gibson & Harfield, 2022, Palassis et al, 2021). Whilst a practitioner may not consider that simple data such as a list of clients or email addresses will cause issues, your clients may not have told anyone they work with you. Any form of breach puts them in that place of unknowing. 

When Vaastamo in Finland, a psychotherapy company, was attacked, both the company and the underlying clients were subject to blackmail from the attackers. The vivid reports from this case are worth reading (Ralston 2021, WithSecure, 2022). 

Finally, I challenge all of you to realise the ripple effect also of cybercrime. An example: an executive client has told you about his stakeholders' issues. If an online call is intercepted, or notes found, that will have a clear impact. However, even if information isn't revealed anywhere, a breach is a breach and the sense of confidentiality and reputation damage is clear. The practitioner still needs to respond and recover and know how to.

Response and recovery

This is why, whilst the book covers practical step-by-step tips to upskill your cybersecurity to better protect client data and conversations, it also goes much further. It looks at defences but also response and recovery and what to do if something happens. It also looks at how practitioners can be targeted by scams from two perspectives: one as the practice owner or practitioner specifically targeted, and two, more generally as we respond to something that turns out not to be genuine.  Having worked for some years with payment fraud and seen the damage it can do, it was important to me to include a chapter on upskilling on how to better prevent this. 

We still need data

It's also not just our client data at risk – it's anything you hold on your devices and networks, including any intellectual property you are building and personal files of any kind. Once on your device or network – anything is up for grabs. Criminals look for what they can sell.

It's important to add that I very firmly believe that we also do need data. 'Keeping less' isn't the answer. Without good records, we cannot provide the right services for our clients, and we need robust records for court cases and insurance purposes. What we need is a better approach to cybersecurity, and to contract with our clients on the risks. There is no one approach that will keep us fully safe, so we have to see security as part of our CPD to each year add to our defence and response capabilities. 

• Alexandra J.S. Fouracres works as a cybersecurity managing consultant, runs her own coaching and mentoring practice, and is an academic at the University of East London.  She is author of Cybersecurity for Coaches and Therapists: A Practical Guide for Protecting Client Data, published by Routledge.  Alexandra runs a newsletter on simple cybersecurity tips at www.cybersecurepractitioners.com for practitioners, individuals and small businesses.

References

Gibson, D., & Harfield, C. (2022).  Amplifying victim vulnerability: Unanticipated harm and consequence in data breach notification policy. International Review of Victimology.

Palassis, A., Speelman, C. P., & Pooley, J. A. (2021). An Exploration of the Psychological Impact of Hacking Victimization. SAGE Open, 11(4), 21582440211061556.

Ralston, W.  (2021, May, 04). They told their therapists everything - Hackers leaked it all. Wired.

WithSecure. (2022, November 9). Cyber Security Sauna: Breaking Views – The Vastaamo case. [Video] YouTube.

The following extract from Cybersecurity for Coaches and Therapists: A Practical Guide for Protecting Client Data, by Alexandra J.S. Fouracres, is reproduced by permission of Taylor & Francis Group.

Healthcare as a target

As many practitioners will be working in the healthcare space, this section focuses on it. However, many may also have roles in educational establishments – teaching or training others or performing research. It is therefore worth mentioning that the education sector is also widely targeted. This is why many educational establishments have strict cybersecurity policies as well as ethics guidelines for research, data storage and software use. Both healthcare and education are sectors where there is something to lose – records that, if revealed or destroyed, can impact the person they pertain to. What would happen if your education records were completely deleted? What would happen if your medical files are gone or revealed to the public? As will be unfolded in this section, data is a valuable commodity, and attacks on healthcare have been climbing along with the exposure of records and data breaches as a result (Seh et al., 2020). More later on the financial statistics.

So far it was highlighted that cybersecurity is often challenging for the self- employed and for small businesses. However, let's now be clear that this book will help change that view and also that cybersecurity has not necessarily been easier for medium-sized or larger therapist, counselling or coaching services to navigate either. The attacks on them are also more likely to reach the headlines due to the scale of impact. Those stories provide some good case studies of cyber- attacks on practitioners.

In the United States, one of the largest breaches of mental health records so far occurred in 2020, exposing a little over 295,000 patient records (Alder, 2020). Breaches like this are not new. In 2015, a data breach of around 11,000 patients at a Texas mental health facility was notified. In the investigation afterwards, it was discovered that an authorised user may have gained access to the records as early as 2012 (Alder, 2015). In Australia, Anglicare in Sydney fell victim to a cyber-attack in October 2020. Among other things, Anglicare provides mental health services and counselling. The breach was reported in the Australian media as a ransomware attack (Malone, 2020). The company itself did not appear to confirm the attack method but did state that it had strengthened its security, in statements about the incident on its website (Anglicare, 2020). In March 2022, Scottish men- tal health charity, SAMH, fell victim to a ransomware attack where attackers have claimed to have exfiltrated data.

Ransomware is a threat that has become more complex for healthcare in the last years and will be covered in Chapter 5 in more detail. In brief, it involves hackers infiltrating a company, often subsequently blocking the company from its own data or keeping a copy until a ransom is paid. The victim is threatened with deletion or exposure of the data if the ransom is not received by a deadline. One of the most vivid ransomware stories to read about is that of Vastaamo. Vastaamo is a Finland-based company running therapy centres across the country. The attack was revealed to the public in 2020 after it led to a significant data breach which is well depicted in some very emotive write ups by Wired on the aftermaths of patients exposed by this particular cyberattack (Ralston, 2020, 2021).

The story had great impact throughout the country; and hit the international press. Personal data and therapy notes were among the data stolen on around 37,000 patients. The shock within Finland at the lack of cybersecurity around sensitive data even led to legislative change around a person's ability to change their social security number in certain circumstances, such as being a victim of hacking (Helsinki Times, 2020). Ralston, in his articles for Wired (2020, 2021), provides accounts of some of the patients the attackers subsequently tried to blackmail individually, and how this affected them. He also quotes a Finnish cybersecurity research officer explaining how the case highlights the explosivity of sensitive medical records (Ralston, 2020).

The investigations afterwards revealed signs of cybersecurity negligence at Vastaamo and that the company was initially likely breached in November 2018 and March 2019. It was only in October 2020, however, that the situation came to light, expounding the media outcry. The gaps between when a company is first breached and when the company notices it, can indicate both a lack of controls at the company and the sophistication of the attack. Other reasons the Vastaamo case hit the media in style were that it was a ransomware attack, and when the company did not pay the ransom demanded by the hackers, things exploded. The hackers, determined not to back down, began to publish some of the data they had obtained, including that of well-known figures in society. They also started contacting the patients, blackmailing them for money under threat of having the notes of their private therapy sessions made public (Kleinman, 2020; Ralston, 2020).

Vastaamo is also a good example of how far the impact of a cyberattack can extend. In addition to the data exposure and impact on clients, the company ended up filing for bankruptcy, citing being ruined by the costs and uncertainty connected to the cyberattack and its aftermath (Scroxton, 2021). Damages for the breaches may still also have to be paid out (Yle, 2021). Through this book, you will be reminded periodically that most cyber risks applicable to practitioners can similarly lead to potential financial and reputation loss and thus similar outcomes. This is not to frighten you as reader, however. Remember that there were indications of security negligence in the Vastaamo case (Ralston, 2020). With the defences built up through these chapters and knowing how to react, each reader will be starting in another place when it comes to integrity. Companies do survive cyber incidents! However, in a case such as the one at Vastaamo, the breach of trust around the company's handling of sensitive data was likely insurmountable (Scroxton, 2021), especially once the details were made very visible in the media. Stories about breaches of the self-employed practitioner and smaller practices are less likely to hit the media – not so much because they would be less emotional or less newsworthy, but rather because the media is not short of eye-catching stories pertaining to cyber incidents and breaches at larger healthcare institutions. These headlines have included a homicide case being opened after a death was initially seen as related to a cyberattack on a hospital in Germany (Tidy, 2020). Although this case was later closed, another case is continuing in court, in which a baby may have died due to monitoring systems not being available during a ransomware attack (Vaas, 2021).

In 2020, one cyberattack alone in the United States is thought to have led to the compromise of at least 10 million medical records, from a total 29 million healthcare records potentially breached over the same year (Alder, 2021). Again, don't think attacks on healthcare only occur in larger countries, by way of an example – in May 2021 alone, the healthcare sectors in Ireland and New Zealand were widely attacked (Greig, 2021).

Cyber care is for life

Lessons from the last section include the need to implement cybersecurity to fix and learn from issues, and improve on an ongoing, continuous basis. The Finn- ish and Texas cases, mentioned earlier, highlight how attention to fixing security weaknesses when the first breaches occurred may have prevented the latter outcomes. Another example of this that may encourage you to see how ongoing cyber- security due diligence is necessary is one of the most written about cyberattacks that also affected the healthcare industry. This occurred in 2017. It was named WannaCry and had an impact on around 150 countries and approximately 300,000 devices (Akbanov et al., 2019). It has been written about extensively – partly due to the fact that the weakness was not remediated after the attack. This led to another large attack, not too long after, that targeted the same weakness, and was named NotPetya (Shackelford, 2019). WannaCry is also written about fre- quently, as the sophistication of the malware behind it is such that the malware has been used over and over again, impacting tens of thousands of healthcare institutions. Its inadequate mitigation means it is still being applied today (Forni, 2020; Berger, 2021).

Repetition is a theme through all cybercrime. Criminals will continue to exploit weaknesses and vulnerabilities until they are remediated. Methods that prove lucrative are extended, and go into a new MO to fit a new victim audience or to adjust around hurdles put in their path. Repetition also follows into scams. "Scampreneurs" (Button et al., 2009, p. 5) will use both open and illicit sources of information, including lists of people who have been a victim of a scam before – and end up on so-called sucker lists (Peachey, 2020).

As a practice owner, you will be directly targeted by scams that tune into your needs and vulnerabilities as a practice owner. The book will cover some of these scenarios and empower you towards creating life-long cyber-care practices, thus helping you protect your practice and client data from being exploited through the use of products that are not secure, vulnerable networks and unprotected devices and also from scammers. Cybersecurity is also not all about technology either. Much of this journey will be about making you more robust against the human errors, as these are also taken advantage of, along with security vulnerabilities and lapses, by criminals chasing your lucrative client data (Seh et al., 2020) and your bank balance. Statistics were promised earlier. Exposed patient/client records have been reported as being sold on the darknet for up to US$1,000 or more (CBS News, 2019), whereas credit card numbers can sell for, in comparison, a lowly US$5 to 110 (Stack, 2017). A small disclaimer: as with any statistics, there is some variation in the prices reported, and the higher prices are linked to cases where the data record is more complete. For example, a complete medical record will fetch more than 'only' a social security number (CBS News, 2019).

Healthcare has lost billions to cyber-attacks, and criminals have been well- tuned to this sector for some time. One journalist even asked in 2016 whether healthcare hacking had become an epidemic (Akpan, 2016). In February 2021, the French president, Emmanuel Macron, announced a 1 billion Euro programme to combat cybercrime after 500,000 patient records were leaked in France in a cyber-attack (France24, 2021). During that exact same month, a cybersecurity resilience focused firm, IT Governance (Irwin, 2021), estimated that 2.3 billion records had been compromised globally. They noted the top three breached sectors as health-care and health science, education and the public sector (Irwin, 2021).

Criminals, very simply, target healthcare because they can. There are vulner-abilities they are capable of exploiting; moreover, many of their victims will pay a ransom, knowing that the consequences of data being exposed can be very severe for the individuals the data pertains to. As mentioned earlier, after the Vastaamo attack, when the hackers did not get the payment they demanded from the company, they turned to blackmailing the individual clients since they had their full contact information as well as material from their sessions. One of these individuals, who was interviewed by Wired (Ralston, 2020), expressed how this left him feeling suicidal but also fearful of the legacy of it all for his family. Another had been a teenager when in therapy and was afraid of what the material in his session notes would mean for his future, if exposed (Ralston, 2021). The BBC also reported one Vastaamo client's description of the feeling of being blackmailed and his anxiety and fear over the things he had shared with his therapist being revealed. He was simply not ready for them to be known but was also not in a position to pay a ransom (Kleinman, 2020).

For you as practitioner – no matter the size of your practice or the sector you see it falling under – you can see the picture being painted in this section. Your data fits into this sensitive, lucrative, category. This coupled with the increasing focus of criminals on exploiting a home set-up and the digitisation of services, the purpose of this book should be becoming clearer. Cybercriminals are fully aware of what having access to your client records or conversations can earn them. They also know which buttons to press to scam you as well. All of this we will unpack in more detail.

It is important that we take a minute to reframe before moving to the conclusion of this chapter. Despite the statistics, cases and data so far, you can and should see this journey as a new venture. Your rucksack is empty, ready to be filled with resources. From Chapter 2 onwards, you will be able to pick those up and carry them with you. This book will not only inform you about how to activate different practices to protect yourself from vulnerabilities, but will also teach you in a conceptual, factual and reflective way, which will enable you to spot red flags and abnormalities yourself going forward. After you have read this book, it might stay on the shelf as something to turn to if something comes up, or to refresh or use the checklists at the end, but you will also be enabled and active in your own cybersecurity.

After putting into place solid foundations, you are less likely to be someone who ignores the first signs of a breach, unlike those in some of the cases given so far. You will also, going forward, better understand media reports on new threats in the future, and you will know what to do in the event anything happens.