Cybersecurity matters. Here’s how to keep your practice safe

Between ever-changing schedules, notes that pile up, and the day-to-day running of a practice, therapists need all the help they can get. For many, that means increasingly relying on technology. But with that convenience comes the responsibility of keeping your clients’ information safe.

Cybersecurity isn’t just for large practices; smaller clinics are targeted more frequently as time goes on. MasterCard’s blog highlights that “in 2023 alone, nearly 43% of all cyberattacks were directed at smaller businesses”. Therapists sit in a sweet spot for attackers. You store highly sensitive notes and payment details, but you often rely on small networks, off-the-shelf laptops, and cloud tools you did not configure yourself. In other words, you have information worth stealing and fewer defenses than a hospital.

Common weak points include:

  • Phishing emails that trick you or a staff member into giving up your password
  • Lost or stolen laptops, tablets, or phones that carry unencrypted files
  • Out-of-date software that lets ransomware slip in through a known flaw
  • Third-party tools whose own security you never checked
  • Well-meaning clinicians who paste client details into public AI chatbots to “draft a quick summary”

The cost of poor cybersecurity

You ask clients to share their most personal stories. They do it because they trust you. A data breach shatters that trust in seconds, and you may never get it back.

The information you hold is incredibly personal, and incredibly valuable. We’re talking about deep vulnerabilities, diagnoses, treatment plans, maybe even financial details. If that information gets into the wrong hands, the consequences are serious. Clients could face public embarrassment, discrimination, or even safety risks, potentially making them hesitant to seek help again.

For you, a breach can mean legal trouble, huge fines, damage to your reputation that’s hard to fix, and the immense emotional weight of letting clients down. As the HIPAA Journal points out, small practices aren’t exempt from fines; they report that “in 2022, 55% of the financial penalties imposed by OCR were on small medical practices”. It can also result in weeks of unpaid downtime while you rebuild your systems. Most solo and small-group practices survive on tight margins; many never reopen after a serious breach.

There’s also the intellectual property your practice invested significant time and effort into developing, like unique treatment programs and techniques. Protecting intellectual property from cyber threats ensures that innovative methodologies remain confidential and exclusive to your practice.

So, what can you do to protect your practice and the people you serve? It starts with a few key steps.

Good habits lower your risks

First, take a good look at your current setup. Where might information be vulnerable? You don’t need to be a tech expert, but doing a basic risk check – maybe with some guidance from an IT person if you can – helps you understand where to focus your efforts.

Next, your team is your first line of defense. Make sure everyone who uses your systems knows the basics: strong, unique passwords (and consider using a password manager!), how to spot suspicious emails or links (phishing attempts are super common), and why they shouldn’t share access to sensitive information like clinical notes. Remember, not everyone needs access to everything. A receptionist probably doesn’t need to see detailed therapy notes, right? Set clear boundaries on who can access what information.

Technology itself offers layers of protection. Look into enabling Multi-Factor Authentication (MFA) wherever possible. This means even if someone gets a password, they’d need something else (like a code sent to their phone) to actually get in. It’s like adding a deadbolt to your digital door. Ensora Mental Health offers MFA, and it’s easy to set up. Here’s why we recommend you use it.

Keep all your software (including your practice management system, your computer’s operating system, everything) up to date. Those updates often fix security holes that hackers look for. Don’t ignore those update notifications! It’s not uncommon for people to leave their computers on all the time, but something as simple as asking staff to update and shut them down once a week can help keep up with security updates.

Also, think about how your network is set up. Use strong passwords for your Wi-Fi, consider firewalls, and be careful about how devices like tablets used for home visits connect to unknown networks. And physically, make sure devices that hold client information are secure: locked offices, secure server spaces if you have them, and maybe even locking cables for computers.

Backing up your data regularly is super important. Imagine losing all your session notes or client schedules due to a cyberattack or even just a computer crash. Backing up your data, preferably to a separate, secure location (the cloud or an external drive you don’t keep plugged in), allows you to recover if something goes wrong.

We’re also seeing more AI tools being used in practices. That’s exciting, but it brings its own set of safety questions. If you’re using AI for anything, like summarizing notes, suggesting resources, or even analyzing patterns in data, be really careful about how client information is handled. Does the AI tool store data? Where? Is it encrypted? Can you control what information is shared with the AI? It’s crucial to understand the privacy policy and security practices of any AI tool you bring into your practice. Don’t just assume it’s safe.

AI that anyone can access is also susceptible to prompt injection attacks, where the attacker manipulates prompts to get a specific output. That means an attacker could potentially get the AI to show the prompts used by another user, like the notes you wanted polished. When in doubt, keep sensitive client data out of AI tools, or look for ones specifically designed with strong privacy protections for healthcare. Choose tools that sign a Business Associate Agreement or run on your own device. Ensora Mental Health’s AI is designed for mental and behavioral health, with the security and control therapists need to keep their data safe. We believe in using AI safely and ethically to help you cut down on administrative tasks without risking your clinical integrity.

Finally, choose your tools wisely. If you use an Electronic Health Record (EHR), make sure it has good security features built in, such as controlling who sees what information, MFA, encrypted messaging, and secure ways to handle payments if needed.

This isn’t just about technology, though. You need to have a plan. What would you do if you suspected a breach? Who would you call? How would you let clients know? Having even a basic incident response plan helps you react calmly and effectively if the worst happens.

Take one step at a time

Cybersecurity can feel overwhelming, especially if you’re not a techie. But you don’t need to make it a second job. Start small by building good habits that only take a few minutes here and there. Turn on MFA. Update and reboot your computer once a week after you’re done with work. Over time, these things will become a natural part of your practice, and you can expand on them.

You already protect your clients in the room. Extending that care to their digital records is the next step in good clinical practice.