photo by Javier Molina
“Geek, Nerd, Computer Weirdo, Gamer, N00b, Cyberwoman, Infosec Bird, and Tech-Fangirl”. These are all names that I have grown up with, and continue to face outside of my role as a therapist. You see, before I trained to become a therapist my background was in IT and technology and seemingly still is.
My previous roles as a specialist engineer in the Army, then the industries of IT technician/Website/Gaming gave me a vast amount of background knowledge, hands on experience and keen interest in information security and cyber related issues and I have become a U.K. specialist in this area in relation to therapy/therapists and Cybertrauma (definition below).
Since undertaking my Psychotherapy training, including my PhD, I have noticed how the therapy profession as a whole doesn’t fully understand information privacy and data security as seriously as it perhaps should. This is not our, the therapists, fault entirely; I understand that there is a lot to consider on how it affects our day to day work, and isn’t covered as thoroughly as it should be in training. Due to our ‘industry’ generally not knowing enough about cyberspace (and why would we?), nor receiving this specialist training, and, whilst the various uses of technology changes and expands daily this is now a consideration that we need to make under the recent changes and new laws, of which further changes will be made this year that will affect every aspect of our practice. The new changes (ePR- Electronic privacy regulation) will further affect how you communicate on every level with your client and how you manage your business online in any of the formats it takes.
Examples of practice and the unknown
Over the last few years it has become very apparent that people involved in Psychology, Counselling and Psychotherapy (and similar professions) have much to learn about computers, information security (InfoSec) and data protection. I naïvely didn’t challenge this on my initial training and wish I had. After all, we were being trained to be therapists, not intelligence agents such as ‘MI5?’, but shouldn’t we be trained in-depth on how to handle and store sensitive data correctly? When I moved to University a few years ago, I found myself challenging staff about sending sensitive material via email and was taken aback that many of the staff were unaware of how email works and the associated security risks. I refused to send ‘data’ (even password protected to an .ac.uk account and gave my reasons for this). The University understood a fair amount about data protection, yet there were still information security holes.
For example, last year I was phoned by a therapist wanting to know how to digitally edit audio that had been requested under a subject access request. Which is now a viable lawful request by clients, and we must comply with, and remove third party information. I asked a number of Insurance companies what their response would be to this (I am curious by nature and wondered what the Inusuracne Industry would say and how we the therapists would be protected), they all had differing replies and were perplexed by this topic when I detailed how we therapists would need to do this.
More recently I was phoned up by a therapist who asked what to do about a pop up that appeared on their computer and resulted in them being unable to open their email account. It turned out that they did not have any antivirus software on their computer and it had been ‘infected’ via a link they had clicked without checking. Meaning all of their files were corrupted. After some IT help (my inner rescuer), I advised this therapist to inform their insurance company as the virus had deleted/corrupted all of their client data on their computer, in line with GDPR we are expected to retain client data (for a period deemed no longer than necessary) and this data was gone.
Lack of IT understanding can impede good information security practices
Several years ago, I worked in an organisation that moved from paper-based ‘case files’ to a computerised system. It was so interesting to watch how most of the counsellors in the organisation struggled to use this system and yet I was able all of the steps the IT team had taken to streamline this process. It was slick, yet the IT skills of some of the staff involved paralleled first time computer users. The main issues were that they didn’t understand why the system needed to be secure and why writing down their passwords was such a bad idea! ( and why the IT team were exasperated with resetting their accounts).
After speaking to a few people, it became quickly obvious they had never been given simple instructions on why password security is important (i.e. not writing them down or using ones that matched personal information), or locking their screen when they moved away from their desk, or sharing of files/information via computers or how to print documents securely. I thought it was a one-off and my mindset worked like this as I had training in ‘PerSec’ (Personal Security) from the Army so perhaps I was more aware of ‘giving away information?’ and perhaps I was more overly cautious?
Confusion within the therapy profession
Since this time, I have become very aware that data protection is a subject matter that seemingly confuses and scares our profession, and last year there was a pandemic of panic about GDPR (General Data Protection Regulation).This is only one small area of data protection that we needed to understand and adhere to, and lawfully should have been doing for some time (Data Protection Act 1998 and rulings such as PECR -2003).
From my perspective as a cyber specialist and realist of the things that can and do go awry the lacking of InfoSec knowledge that exists within the profession is worrisome. This is a huge challenge for our profession and we matter too in this topic and here is why we need to up our game.
Consider the effects of the ‘WannaCry’ Ransomware attack of 2017 (a program that would not allow access to ‘infected’ computers until a fee was paid).
This cyber attack saw as many as 81 of the 256 NHS trusts affected; The ransomware locked out medical staff from infected and unprotected computer systems, including MRI scanning and blood testing devices. This had a huge impact on the NHS; the attack paralysed systems for a short time, which affected both staff and patients. So, what would happen if the organisation you worked for was attacked and locked or indeed your own computer? How much would you be willing to pay? How would it affect your practice and your clients? Would you know how to remedy the situation?
Information Security and Data Protection
Dependent upon the size of your organisation and/or practice, you’ll most likely have someone designated as the ‘Data Protection Officer’ (DPO)or the ‘Information Security Manager’, but if you don’t (which you should do), then who is the person checking to ensure that the data you have access to is protected? Who would be the person to ensure firewalls are installed and are working. Who knows how to teach everyone to keep information safe and secure? And exactly how is data protection being managed?
What exactly is ‘Data’?
When you think of data, you most likely think of computer code or some form of information stored in an electronic format. But did you know that under the current legislation in the UK, the definition of data is quite wide ranging? Data exists in several forms, not just in a digital format. Data exists in our profession in scraps of paper, notebooks, paper and/or computer documents, voice recordings (taped sessions), sessions videoed and including voicemail/phones in offices, and CCTV. The ways in which all these various types of data should be stored, secured and handled are set out in current legislation such as GDPR (visit the Information Commissioners Website for more guidance) and Data Protection Act 2018 (gov.uk has various guides on the DPA 2018).
Why does all this matter, and how does it apply to me and my practice?
Risk of Cybercrime is ever increasing as more and more information is shared and stored electronically! The increase in cybercrime means that you can no longer not take any action to protect yourself and your data; that could be negligent and would also mean you are not trying to adhere to the data protection laws and regulations. But not acting also makes you and any data you hold an easier target for hackers to access.
Information Security in Therapy needs to be taken seriously
When I lecture/speak to my fellow professionals, I highlight that Banks hold financial ‘data’ about people and organisations, and pay thousands of pounds per day to have cyber security and information security training, systems and procedures put in place to protect the data held.
Our profession needs to take the issue of information security as seriously as banks and financial institutions do. We hold the most SACROSANCT, sensitive, in-depth, detailed, precious secrets, desires, traumas and heart-breaking personal stories known as ‘data’ on the planet. Wouldn’t you agree?
So what does this mean? Word count here limits the expansive subject so I will give a few examples of our online behaviour and what we can do to protect ourselves and clients.
Social Media – Avoid Oversharing Online a case study of client spotting.
Sharing information, however innocent it may seem can actually place our clients in danger; of identification and actual data depending upon their or your home situation.
Tweeting or sharing a social media post about how many clients, supervisees you have on a particular day on personal/practice social media accounts, (particularly those such as Twitter where accounts are public and not protected) can give someone enough information to monitor your practice (first locating your practice address online; held in directories, Google maps or on your practice website), then by accessing public CCTV, or by even parking close by. Using the innocent information shared online, your practice can then be monitored, clients can be identified (as they come and go from your location) and anyone whose identity and location is being protected (such as children under child protection orders) can then be placed in jeopardy.
Duty of Care over Client Data
Ethically, morally and now legally you have a duty of care to your clients’ data protection; having just a ‘GDPR contract and Privacy notice’ (possibly ‘borrowed’ from another source) isn’t going to cut it really. Did you know that The Information Commissioner’s Office (ICO) could lawfully restrict your practice from operating if you have a serious data breach within your practice? Fines for incorrect handling and storage of data, or for not obtaining consent to market to someone is only the tip of the iceberg of the potential law enforcements the ICO can give to individuals and organisations. I’m not entirely convinced being hacked is going to be a good enough excuse for the ICO if you knowingly did nothing to prevent it.
There are some things you can do right now to improve the information security and data protection within your practice;
- Visit the ICO website to access the various guidance documents, giving information on a range of information security and data protection techniques, and what your current responsibilities are.
- Engage with an IT professional, who can advise you of how to secure your computer, passwords, network and internet connection to avoid being attacked, such as adding firewalls and proper virus protection
- You can listen to industry podcasts and vlogs such as mine which is FREE; Cybersynapse, which give help and advice on various aspects of data protection, information technology and online best practices
- Sign up for information about an upcoming information standard for Therapists – Privacy4.co.uk
As you can see the various facets of cybertrauma intersect with aspects of the consequences of lax data protection processes; if your client data is hacked and falls into the wrong hands, your client could be a victim of trolls, cyber bullying, sexting, abuse, and which could then lead easily into safeguarding issues, mental health decline, addiction etc.… All from your practice data being hacked and leaked. The consequences for your practice could be a restriction in processing data (being ordered not to hold or process any client data, impeding your practice and your ability to actually work with your clients), large fines and damage to your practice reputation.
As a therapist, you may wonder why would any hacker or cybercriminal target you? But the question you should be asking yourself is; why wouldn’t they target you? This is not a movie script, and in this article I have reduced the activities that criminals engage in, as I don’t want to put the fear of fear into anyone- my message is about helping you help protect yourself and your clients. My case load often includes professionals who have a cyber related issue and this will be another article completely, I hope that I don’t have to help a therapist in the same position because it really can be prevented with a little know how.
The cybercriminals can easily and quickly locate the vulnerable. They are constantly on the lookout for the opportunity to make money – and they do not follow a ‘Code of Ethics’.
What should I be looking out for?
Raise your understanding of how to protect yourselves from:
Phishing: Where you receive an email that pretends to be from an authority (perhaps your bank, or maybe your boss) in which you’re asked to give out your passwords or personal information such as your address, telephone number, or other data.
File Hijacking: Where a hacker enters your computer and accesses your files, locking you out of them. The hacker then demands a ransom (usually money) before they will give you your files back.
Webcam Managing: Where hackers take over your webcam. This may be so that they can watch your keyboard and learn your passwords, or it may be to record video of you just to learn personal information about you.
Screenshot Managing: Where hackers enter your computer and take screenshots of your display. This can help them get information about you, get passwords, or even blackmail you.
Keylogging: Where hackers can record your keystrokes on your computer, thus gaining your passwords or other personal info.
Ad Clicking: Where hackers encourage you to click on a link (perhaps by email, or on a webpage) which will then open malware or simply ask for your personal info.
Catherine is a Human Being, Mum, Author, Doctoral (PhD) Clinical Researcher and Child/Adult Psychotherapist specialising in virtual and corporeal trauma using Integrative creative methods including gaming and biofeedback. She is a gamer, blogger, vlogger and podcaster. She is a director for Research and Development for ACTO, the director for Privacy4 (An industry information Standard for Therapists) a cyber specialist and proposes a new theory as to why we engage in cyber space as we do.
She has published in peer reviewed journals as a leading researcher in the U.K. around the topic of cybertrauma which includes a new academic definition for cyberbullying and cybertrauma/online harms. She writes for some of the largest U.K. e-safety companies, including a national newsletter #DITTO that goes directly into schools, she presents at National and International conferences (which has included CCMH/IATE, NSPCC, Marie Collins, Onlinevents and has presented at ACTO (The leading online counselling organisation in U.K.), ACTIO, Confer and other leading Psychotherapy Organisations around this large topic.
She has been on Therapist Uncensored, Shrink Rap Radio and Trauma Therapist podcasts in the U.S. She is UKCP MSc dual Child & Adult Psychotherapist. She’s a mum to two adult boys, runs a trauma practice and has a private practice too. She is currently writing a second book. She has a great self-care routine and uses Functional medicine principles and nutrigenomics to ‘biohack’ to ensure she is performing optimally for herself and her clients.
Learn more about Catherine's work via her website to connect on Twitter or Facebook
The Cybersynapse podcast is available on YouTube, iTunes, Spotify, Anchor and many more audio platforms