Cybersecurity in Digital Mental Health: More Context
This page provides additional information about cybersecurity in the context of digital mental health service provision. Please email me any content you would like me to consider for inclusion: becky@beckyinkster.com
Who could be impacted by a data breach in digital mental health?
Cyber crimes can have devastating impacts. Without intending to, providers could be hurting the very people they are trying to help. This is especially true in the digital age: we must remember that harm can scale just as quickly as the positive aspects we usually focus on in digital mental health provision. Data breaches in digital mental health can cause enormous, widespread impact:
They target some of society’s most vulnerable people, including child patients/users.
Patients/users worry not only about their own security and mental health but also about their loved ones and close relationships (breaches can also expose information about them, which could be exploited as well).
Data breaches can destroy trust between patients/users and their provider.
Employee data could be hacked too. This can be a difficult and very stressful situation, especially if staff continue to work with the provider. CISOs and security teams can also experience mental health and wellbeing issues.
Business impacts could be as severe as bankruptcy (see the Vastaamo case study below, in which the provider was blackmailed). A breach requires budgeting for compensation payable as a result of the hack, and resources to ‘clean up’ afterwards (e.g., providing support to patients/users whose data has been leaked).
Legal consequences could include prosecution, fines or imprisonment (e.g., for concealing or ‘covering up’ security failings). Providers could be ordered to pay an administrative fine (e.g., Article 34 of the GDPR requires data controllers to communicate a data breach to the people impacted without undue delay). Regulation imposes many obligations on providers to secure their networks, and holds them accountable for failing to do so.
Please let me know about other ways data breaches could impact people in digital mental health spaces by emailing me at becky@beckyinkster.com; I know there are many more examples to come. This is not a comprehensive list, but the aim is to develop it further over time.
Worrying Signs and Troubling Trends
Personal health information is the most valuable data on the dark web (Knight Ink).
Emerging evidence shows associations between breaches and worsened clinical health outcomes (e.g., reference)
Security expert Mikko Hyppönen has reported escalations and shifts in cyber crime tactics. He says: "It might be now the case that we are seeing the beginning of the next trend -- a trend where medical information is becoming a prime target for financially motivated criminals." (reference)
We live in an API economy filled with opportunities and risks. Gartner predicts that by 2022 API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches. Alissa Knight partnered with the mobile security company Approov to hack 30 mobile health apps and highlight the threats they face through their application programming interfaces (APIs). The findings were published in a recent report, “All That We Let In”. This is worrying given that healthcare is moving towards using APIs, for example: “APIs have a big part to play in health IT interoperability in the years ahead…” and “Various data sources like genomics and lab data will be transferable because of APIs,” he added. “Providers will be able to give more precise care based on all of the data being accumulated from APIs coming in from apps and hardware. APIs have a bright future in healthcare.” (reference)
We live in an Emotions Economy, and the risks of manipulating people are high, especially during people’s most vulnerable moments.
The word ‘cybersecurity’ is mentioned only once in the entire 71-page (~26,000-word) white paper released in April 2021 by the World Economic Forum in partnership with Deloitte Global, entitled “Governance Toolkit for Digital Mental Health: Building Trust in Disruptive Technology for Mental Health”. Trust and cybersecurity go hand in hand, alongside the safety and protection of our most vulnerable populations.
Case Studies / Features
Client data exfiltrated in Advanced NHS cyber attack
Mental health's cybersecurity nightmare is here. Now what?
In March alone, three alarming cybersecurity incidents have been reported in mental health organisations across the world.
Source: https://www.sanitybytanmoy.com/mental-health-cybersecurity-nightmare-is-here-what-now/
29 March 2022. By Tanmoy Goswami
Ransomware strikes Scottish mental health charity
The RansomEXX cyber criminals have claimed responsibility for the hack, which led to more than 12GB of sensitive data being leaked to the dark web.
Source: https://www.itpro.co.uk/security/ransomware/367137/scottish-association-mental-health-ransomware
21 March 2022. By Connor Jones
Vastaamo breach, bankruptcy indicate troubling trend
Vastaamo treated ~40,000 patients and had 25 centres across Finland.
“The blackmailing of patients directly, as well as the resulting bankruptcy of Vastaamo Psychotherapy Centre, could signal a shift in cyber crime tactics.”
"Four months after revealing it suffered a data breach in which patient records were stolen, Finland's largest psychotherapy center has declared bankruptcy. A significant part of the incident occurred after threat actors attempted to extort the center and threatened to release confidential therapy notes and sessions. When Vastaamo refused to pay the ransom, threat actors started blackmailing victims directly."
“Finnish therapy centre accused of covering up cyber attack”
Private therapy practice Vastaamo faces questions over its security and business practices in the months leading up to one of the biggest data breaches in Finland’s history
Amazon Sued for Hosting Florida Provider’s Stolen Healthcare Data
“Florida-based SalusCare has sued Amazon Web Services for hosting mental healthcare data allegedly stolen from the Florida mental health provider. The lawsuit aims to compel the data’s release.”
Source: https://healthitsecurity.com/news/amazon-sued-for-hosting-stolen-health-data-to-compel-its-release
Highly confidential psychotherapy records from Maine center listed on the dark web
“In what may be the worst breach of 2017 so far in terms of highly sensitive and confidential patient records, a behavioral and mental health center in Maine recently learned that its patients’ records – including evaluations, session notes, and records of sex offenders and sex abuse victims – had not only been in the hands of one criminal, but had reportedly been sold to an unknown party for unknown purposes.”
Data of 14,200 people with HIV leaked online by US fraudster who was deported from Singapore
"We are sorry for the anxiety and distress caused by this incident," said the ministry. "Our priority is the well-being of the affected individuals," it added, saying that it has been contacting affected individuals to inform and help them since Saturday (Jan 26), and that it has worked with relevant parties to disable access to the information.
Updated 30 January 2019. By Chang Ai-Lien, Fabian Koh and Salma Khalik.
How can US law enforcement agencies access your data? Let’s count the ways
A hack using a forged legal request that exposed consumer data collected by Apple and Meta shed light on the reach of the law
4 April 2022. By Johana Bhuiyan
Massive DDoS attack harnesses 145,000 hacked IoT devices
“Security expert says these types of attacks are likely to become more common. EHRs and other hospital IT systems could face dramatic new risks.”
“A hacktivist group were upset with a patient case in the media; they took issue with how the hospital was managing this patient’s case and decided to target it.”
“The initial DDoS progressed to outright efforts to penetrate the network and solicit patient data. They didn’t access data, but it was a disruptive set of events.”
“We need to take more seriously that threats are real: not just breaching and accessing data, but also being disruptive to clinical operations.”
Source: https://www.healthcareitnews.com/node/529886
Additional sources of information can be found here: https://darknetdiaries.com/episode/14/
Update: 10 Year Jail Term for Boston Children’s Hospital Hacker
Other Recommended Resources
Scam Targeting Therapists: What You Need to Know
We reviewed mental health apps for privacy and didn’t like what we found
The Level Up scheme set up by the NCA
https://nationalcrimeagency.gov.uk/what-we-do/crime-threats/cyber-crime/cyberchoices
How Data Can Be Used Against People: A Classification of Personal Data Misuses
Patient data ‘10-15 times more valuable than credit card data’
May 2021
Source: Niamh Griffin, Health Correspondent, Irish Examiner
Text: “Patient data is 10 to 15 times more valuable than credit card data when sold on the dark web, a cybersecurity expert has said. Professor Kevin Curran of the University of Ulster said health files offer permanent and extremely useful information about patients to criminals. Information including date of birth, addresses and family connections can be sold on at huge profit, he said. ‘I would say 10 to 15 times [greater than credit card data] is a good estimate,’ he said. ‘The professionals online put that together with other records and they sell it for a lot more money. Then loans can be taken out or false identities can be issued based on this.’ …”
Talkspace threatened to sue a security researcher over a bug report
March 2020
Author: Zack Whittaker
“A security researcher said he was forced to take down a blog post describing an apparent bug in Talkspace’s website that gave him a year’s subscription for free, after the company rejected his findings and sent the researcher a legal threat…”
The Apperta Data Breach Fiasco
May 2021
Author: Guise Bule
“The Apperta Foundation, a non-profit organization originally created by NHS England and funded by taxpayer money, seems to be embroiled in a very public data breach fiasco of their own making. In a classic case of 'shoot the messenger' they are threatening the individual who first notified them of the breach with legal action…”
Mobile health and privacy: cross sectional study
June 2021, 12 pages.
Keywords: Persistent Identifiers, user contact information, unencrypted, GPS, MAC identifiers, cameras, microphones etc.
https://www.bmj.com/content/bmj/373/bmj.n1248.full.pdf
Gioacchino Tangari, Muhammad Ikram, Kiran Ijaz, Mohamed Ali Kaafar, Shlomo Berkovsky.
Department of Computing, Macquarie University, Sydney, NSW, Australia
Centre for Health Informatics, Australian Institute of Health Innovation, Macquarie University, Sydney, NSW, Australia
Recommended by DIMH2021 Cybersecurity Panellist: Pia Tesdorf
Regulations and Standards Aware Framework for Recording of mHealth App Vulnerabilities
May – June 2021, 16 pages.
Keywords: BLE, EHR, IoT, mHealth, Privacy, Regulation, RFID, Security, Standard, Vulnerability Recording
https://www.igi-global.com/pdf.aspx?tid=270900&ptid=254213&ctid=4&oa=true&isxn=9781799861560
Zornitza Prodanoff, University of North Florida, USA
Cynthia White-Williams, University of North Florida, USA
International Journal of E-Health and Medical Communications
Recommended by DIMH2021 Cybersecurity Panellist: Pia Tesdorf
Security and Privacy in IoT-Cloud-Based e-Health Systems—A Comprehensive Review
17 July 2020, 35 pages.
Keywords: security; privacy; internet of things (IoT); cloud; e-Health
https://www.mdpi.com/2073-8994/12/7/1191/html
Chanapha Butpheng, Kuo-Hui Yeh, Hu Xiong.
Department of Information Management, National Dong Hwa University, Hualien 97401, Taiwan
Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung 804, Taiwan
School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
Recommended by DIMH2021 Cybersecurity Panellist: Pia Tesdorf
Oculus Quest Users Try To Hack The Headset To Escape Facebook
Author: Adam Smith, The Independent
Published: 28 October 2020
"The Data Diva" Talks Privacy Podcast - The Data Diva E24 - Kavya Pearlman and Debbie Reynolds
Author: Debbie Reynolds
Published: 20 April 2021
Cybersecurity for SMEs - Challenges and Recommendations
Authors: European Union Agency for Cybersecurity, ENISA
Published 28 June 2021
The Dark Side of Cybersecurity: Burnout
Veteran CISO Thom Langford on Life After Hitting Bottom
Author: Mathew J. Schwartz (euroinfosec)
Published: 25 March 2019
Trauma of Repeated Cyberattacks: Lessons Learned
How to prevent trauma in individuals and organisations after a breach
Author: Vanessa Pegueros
Published: 2021
What it's really like to negotiate with ransomware attackers
Authors: Brian Fung and Clare Sebastian, CNN Business
Published: 13 July 2021
How are Tech Leaders Managing Job Stress?
IAMokay Mental Health Survey
Author: Lucie Lawrence
Published: 12 May 2021
Is ‘privilege creep’ putting your organization’s data security in jeopardy? How to adopt a model of least privilege and mitigate the dangers of privilege creep.
Author: Kamel Heus
Published: 21 July 2021
Mental health: Unqualified therapists exploiting vulnerable patients
Author: Jordan Dunbar and Anisa Subedar; UK Insight
Published: 5 November 2021
More resources coming soon. Please get in touch if you have anything you’d like to share!
becky@beckyinkster.com