Psyched to Practice

Practice in Action: Cybersecurity needs to be a Priority

Dr. Ray Christner and Paul Wagner Season 1 Episode 88

Share episode

In the latest Psyched to Practice podcast episode, Paul Wagner and Ray Christner are joined by cybersecurity expert Keith Bell, founder of MTS I.T. Solutions, to discuss the critical role of cybersecurity in mental health practices. From the growing risks of phishing attacks and data breaches to practical solutions for protecting client information, Keith offers actionable insights tailored to small and medium-sized businesses, especially those in healthcare and mental health. The conversation explores common vulnerabilities, such as weak passwords and outdated software, and emphasizes the importance of proactive measures like multi-factor authentication, risk assessments, and encrypted communications. If you’ve ever thought, "I’m too small to be targeted," this episode will challenge that misconception. Learn how to safeguard sensitive client data, maintain trust, and prevent the devastating consequences of a breach. Listen now to discover essential strategies for protecting your practice in this Practice in Action Episode: Cybersecurity needs to be a Priority

Keith’s Website: https://www.mtsits.com


15 Ways to Protect You Business PDF: https://drive.google.com/file/d/1KBPmhD1EHtWS6ATUAWzgDSm3lfc43XiG/view?usp=share_link 

#psychedtopractice #Cybersecurity #mentalhealth #DataProtection #podcast 

To hear more and stay up to date with Paul Wagner, MS, LPC and Ray Christner, Psy.D., NCSP, ABPP visit our website at:


http://www.psychedtopractice.com


Please follow the link below to access all of our hosting sites.


https://www.buzzsprout.com/2007098/share


“Be well, and stay psyched”


#mentalhealth #podcast #psychology #psychedtopractice #counseling #socialwork #MentalHealthAwareness #ClinicalPractice #mentalhealth #podcast

Hey everyone, welcome to the Psyched to Practice Podcast your one stop for practical and useful clinical information. Masterful insights from experts in the field and a guide to Daily Living. I'm Ray Christner, and with me, Paul Wagner, today we're we're really going on a different adventure than we've had before and a little bit out of the necessarily clinical realm and entering the world of cybersecurity. And, you know, I think this is a topic that, you know, if you're reading the title or even just listen to this intro, probably, you know, create a little bit of anxiety and a little bit of like, you know, angst because it's something that we know is so important. Yet, you know, I think and myself as a clinician, like, you know, I feel fairly techie, but there are so there is a depth of cybersecurity that I'm out of my depth. And so, you know, it's that emphasis that and why it's so important. Yeah, you know, I agree. It's it's something that as as a business owner, I've I've learned more about ongoing over the last few years. And as you as everyone here in our our guest talks about, you know, really around COVID time, it really kind of ramped up. And that's really when, you know, we started paying a whole lot more attention to it and really kind of changed our whole system. So yeah, an important topic, definitely anxiety provoking, but also we know that there are solutions. So let me introduce kind of our guests. So Paul and I kind of have a relationship already with our guests because he's the right guy for both of our practices. So we've known him for a while and you'll hear I've worked with Keith for, gosh, about 14 years now. So Keith Bell, he is the ceo and founder of mts i.t solutions which is a cybersecurity and i.t service that, you know, they use the term cybersecurity first business, which is that they really are looking at that piece of it as kind of the front end. But then they provide a whole lot of other i.t services as well and said Keith's been doing this work for us for a long time and has taught me a lot over the years. So glad we could share his information with everybody else. And if I remember, I think, you know, I know, you know, we're talking about it here in Hanover, Pennsylvania, working with Keith. But, you know, he's able to work with individuals across the country if I'm ever in yeah yeah I think me mean he's been great part of doing things virtually yeah he works with people in other states as well and I know other practices and he really, I think kind of has a really good understanding of health care and and mental health practices. And it's why we see for his services and, you know, other practices do as well. And with that, we hope you enjoy this practice in action episode. Cyber security needs to be a priority. Well, Keith. Welcome to the Speak to Practice podcast. Great to have you on with us. Yes, sir. Thanks for having me. I'm excited to be here tonight. Yes. So, you know, it's it's kind of Greek. So I've known Keith for many years. He's been kind of my practice. Is it guy for, I think almost 14 years now? Keith It's been quite a while. Yeah, time flies, doesn't it? That's right. That's right. And, you know, so, you know, this this idea of kind of a maybe a little different episode for us to really kind of just talk about the world of cyber security and basically how that affects mental health. So, Keith, I guess maybe just, you know, Paul and I know you would a little maybe tell us a little bit about your background and how you became a cybersecurity expert and I guess focusing in the mental health world. Yeah. So I guess my whole journey started back out of high school. I went to a technical school and it was kind of broken up into it was all about electronics. It was broken up in analog and digital and communications and computers were part of some of the terms. And I'll be honest with you, out of all those terms, computers I didn't like the most out of out of all of them. It's funny that I wound up here, but so I went through that, got my associate degree in electronics, and I had a neighbor who was a software developer at a large corporation based out of Baltimore. He approached me. He's like, Well, now that you graduated, what are you going to do? I'm like, I have no idea. He said, Well, we're hiring a temporary position to come load Windows 95 with 20 computers. I was like, Sure, great. You know, nothing else to do, so let's go for it. So I went down there, started working for that corporation and yeah, loaded Windows 95 on the computers and then they extended my contract and my contract they actually went to hire me full time after a period of time, and they sent me out for all sorts of certifications and trainings. And I was able to get, you know, pretty well versed in the field there. So from there I, I moved on, I went and worked in Teleradiology. So we, it was a really cool job actually. I was out going up the top of all these different tower sites. We were mountain wireless radios with FCC licensed frequencies for what we were doing is we were we had area hospitals that were as so you went to one of these hospitals and needed a CT scan or an MRI or something. That image would ride this wireless network that we built to a hub where we had a bunch of radiologists sitting and they would they would diagnose and dictate all the imagery that was coming in. So doing that for a while and that's kind of what sun me out to go out on my own. So the all these doctors that we had worked for had their own little private practices. So they would they would call me up like, Hey, Keith, you want to help me out after hours? So that kind of went off to where I finally went out on my own and, and we started MTA City Solutions. So fast forward to about 2019. That's, that was right around the pandemic timeframe. That's when we really saw the need for protecting our clients better with cybersecurity. I mean, don't get me wrong, cybersecurity was a thing before then, but really at right around the pandemic, that's when it kind of broke loose and we started seeing cyber attacks everywhere. So we knew that we needed to step up our game. We needed to get beyond the bleeding edge of the technology to better protect our clients, especially in health care. So you guys have a ton of AI and PII that you keep for your clients. So we we at that time turned into a cybersecurity focused MSP, and MSP is a managed service provider. So that's kind of how we got to the point where we realized that there is a definite need for cybersecurity within mental health and all healthcare and really all small and medium businesses all over the place. So that's kind of what triggered it for us and it's kind of where we are today. So we are a cybersecurity focused MSP today. Yeah. So, you know, it's just I mean, I think this is a common term, but you know, maybe just for those who think they know what that act would, cybersecurity actually is, what all does that encompass? Like how do you define what cybersecurity is? Well, at the end of the day is it's all about protecting the company's digital assets, and it's also about protecting your customers and clients sensitive data that you may have for them as well. So the approach to that is, you know, we take a multi-layered approach to protecting organizations because, you know, the hackers are always one step ahead of the good guys. Right. So we. We we do a defensive in depth method where we have layers of security. If they're able to breach this first layer security, we're going to be stopping at the next layer and the next layer and the next layer. So that's kind of our approach to to protecting organizations. But overall, cybersecurity in itself is just being able to protect businesses. Digital landscape. And, you know, there's a whole variety of things that need to be done to protect that. But, you know, some of the key things are, you know, so employee awareness training is huge because, you know, we're in a we're flying today that the bulk of cyber attacks are coming from business email compromises. So and these phishing attacks that are happening left and right, they're triggering ransomware and malware, infecting networks and taking them down so that, again, we can get further into some of those technical things that we need to do. But overall, cybersecurity is is good practicing good habits and making sure that we're protecting all the digital assets. So, you know, and I kind of knew this from our time together, but, you know, I as I've gotten more into understanding cybersecurity as a business owner and really looking at kind of what we need to do ethically in mental health in this as a psychologist. I think my initial impression was, you know, this is something that, you know, big banks have to worry about. Right. Like it's these big companies that that are going to be hacked then, you know, it's not really you know, I'm a little guy who really cares about, you know, what I have. But, you know, I learned from our time together, together. That's really a misconception I think a lot of people had. And, you know, can you share a little bit about your thoughts on that? Yeah, I mean, and I agree with you 100%. Right. It is a very common misconception. We hear it all the time when we're approaching businesses to to work with or like, you know, I'm too small to get hacked. Well, you're not too small to get that. You're just too small to make the news. There's there's tons of hacks in small organizations all the time. And I think of it like this is the way that hackers look at the smaller organizations. You know, a lot of times the smaller organizations, there's just as much data to be ransom. There's just as much money to be stolen. Maybe not as much money, but there's still a good bit of money to be stolen from these organizations. And the hackers know that these smaller organizations typically don't have the resources to put all the protections in place. So at the end of the day, they're they're an easier target than the Fortune 500. And on top of that, the way the world is with being able to hack today, I mean, you don't need to be a rocket scientist to hack. I mean, you can go on the dark web and buy ransomware for 30 bucks. Like, you know, kids can do this out of their basement. So it's it's very easy for the hackers to get a hold of these tools to try to breach these small organizations. Yeah. And I mean, I think, you know, again, kind of in our field, you know, last year with the United Health Care hack that kind of happened, I think a lot of people started feeling the pain because a lot of people that accepted that insurance didn't get paid for a while. And there was a lot of those things that came into place. But I think, you know, just in kind of the things that you and I have run through our business as far as just kind of check ups to see where our vulnerabilities were at, that was eye opening. I mean, I'm glad you mentioned about the emails. I think that was the thing that probably threw me off the most when when we started in this kind of, you know, venture in our practice was that, you know, our biggest vulnerability came from our own human error. Yeah, it does. And, you know, these, you know, these bad actors or hackers are getting very, very good at what they do. So there's a lot of social engineering attacks going on now, and social engineering involves the human component. So I have a quick story of a CPA firm that contacted us about helping them out after they had been hacked. So their receptionist received an email from a bad actor stating Acting as if he was new to the area and his business. He just relocated and they needed a new accountant and they were wondering if if they were accepting new clients. So of course the receptionist replies back, Well, of course we're accepting new clients. We'll just need this bit of information from you. And then he replies back, okay, give me a couple of days to get this together and I'll get it over to you and we can start moving forward. So at this time he's doing report, right? So this is the social engineering portion of it. So he's built a rapport with the receptionist and so that's for a couple days he sends over a PDF. It's supposed to have all of his information that she can ask for. Well, she opens up the PDF and it was infected with malware, goes through the scans. The entire network finds work data it looks for. This company had spreadsheets of every single client's Social Security number, among other information of all their clients. So, yeah, so they called us. Want us to help them out, to help them get out of the situation. Better protect them going forward. Fast forward and a couple of weeks later they call me up and like, this is really bad. We have clients calling us up now telling us that their tax returns have already been filed. So these bad actors got a whole lot worse information, went ahead and filed erroneous tax returns and got all of the refund money sent to bank accounts where I don't know where. And so all these clients were pretty much out of luck at this point. Now, supposedly, and I don't know, the end result was supposedly they were supposed to be able to work with the IRS to get their their returns back. I don't know if that ever happened or not, but one of the big component. Here, though, I want to bring up is your CPA firm lost 40% of their client base after this breach. Not to mention the costs that they had to pay for. Scuse me for what you call it. I'm drawing a blank here. Identity theft protection. Identity protection. They had to verify your identity protection for those of the clients that were breached. They had to send email notifications and mail notifications. They had to report to the state and the feds that they were breached and so on and so forth. So it was a mess. It was very time consuming for the corporation, the CPA firm. And not to mention, as I said, they lost over 40% of their business. So the reputational damage in these breaches is huge. You can put companies on your. And, you know, I have to imagine that that's something that, you know, for mental health practices, you know, the CPA firm and like losing that faith and that trust in, you know, the clients that they serve as well as the community around them, I can imagine. But, you know, so often when, you know, individuals are coming into the therapy setting, it's a really challenging point in their life. And so there's already a level of vulnerability that's needed. And so, you know, I hear that. Any breach of that trust, even if it's through some of these bad actors, kind of I don't want to say it's not through, you know, any fault, but it's because we're not aware. And so the lack of awareness and the lack of these, like, you know, premeditated steps to take, the precautions then can lead to, you know such a reputable damage that that really then all of the legal mess that's going on behind the scenes. Yeah, sure. And not to mention at this point, you know, you're, you know, your clients are trusting you with their information now. And, you know, most of the folks you might be working with, as you mentioned, are in very vulnerable states. And, you know, now they have very personal information about them that's being leaked out there and gets in the wrong hands. It could be thrown on social media and it could really, you know, really change the lives of your clients. So it's it's very important that we protect this stuff, for sure. And so, Keith, I'm curious for, you know, are listening basically in a variety of settings. And so what do you think are some of the you know, what are the maybe bare minimum pieces that regardless of, you know, if it's a private practice owner, if it's someone who's in a group practice or it's someone who's in the larger, you know, community based mental health facility like provider like it at the varying stages of support that are out there, like what are the things that are relevant to all individuals in terms of cybersecurity that they can be mindful of, make sure that they're doing the best they can to help protect the clients and protecting that information. So we would always just start with the basics. And, you know, it seems like it's so common now. It's it's heard so much over and over. You'd think most people are aware. But just start with the basics. Number one, strong passwords. You know, we can't do, you know, password, one, two, three, four anymore if they're not utilizing the same passwords over and over. So, for example, you know, a lot of folks come to us with the misconception of, well, all of my data is stored in a cloud. We don't even. It's not our problem. Well, what really what happened is once the investigation came to that breach and they realized that their system wasn't breached, your password was breached. That's how they got into their system and stole the data. So password reuse issue. So let's say they got your password to your target account or Walmart or whatever it was. And you use that also for your for your, you know, your practice software where you maintaining all your data that it's very easy to extract those passwords out of a computer. They're stored in clear text in your browsers. Anybody can get them within minutes if they gained access to your computer. So it's a very common misconception that just because your data is stored with your with your third party provider, that you're not liable in that breach. You know, multi-factor authentication, I think most platforms are requiring multi-factor authentication on everything. That's one very easy step that can be performed. And, of course, encrypted communications, you know, making sure that emails that contain sensitive information or encrypted to some level regular software updates on your computer, just making sure they're patched. You know, one of the first steps that we like to do when we work with new clients is we like to do a cybersecurity risk assessment because they really don't know, nor do we, what they really need to protect until we come in and do a risk assessment. Once we do an assessment, we're able to determine, okay, this is where your strengths are, this is where your weaknesses are. And from there, we're able to give a diagnosis and come up with a game plan to better protect your organizations. So, you know, obviously. A lot of organizations may not have the capacity to to do something and put these controls in place internally. That's when you guys we look to partner with a managed i.t. Service provider like lycos or the mta city solutions, something that we can do for folks. And there's many others out there as well. But I would I would suggest maybe engaging with some sort of managed service provider to to give a risk assessment, to have you understand where your own abilities are and where you need to patch things up. And I would say, I mean, as just someone who's gone through that process, again, I think that was for me pretty eye opening just to be able to go, oh, wow, like, you know, it was that easy to get this password or Yeah, I remember us going over the data and you're going like, Wow, here's the passwords that are mostly used. And I'm like, How would you even get that? You know, so I mean, I think that their security assessment I mean, for me, it really it really helped me really kind of understand what that, you know, what the vulnerable where those vulnerabilities are. And, you know, it led to us having, I think, a good conversation and consultation with them, what those steps are. And you mentioned a few things key, but I just want to those that are listening, we're going to put in the show notes some tips that Keith's group has put together. That's 15 ways to protect your business from a cyber attack. And, you know, when you sent that sheet over, I was looking at it and going, yeah, okay, I can check off a good bit of these, which always feels really good. So, you know, for for those who are interested. And is this on your website as well? Keith It's on our show notes. But is there a way they can access this through your website? Yeah, that's a good idea. At the end at the end of the show here today, you can find that as well, correct? Right. Yeah, right. I agree on the the the risk assessment is very eye opening to folks. If you don't know what you don't know, you know. So until we get in there and do, it can be a very eye opening experience for for some some for some folks. We find they they take a little offense to it when they see it. Other folks are just like, oh, wow, let's, let's, let's move forward right now and get something done so well. And, you know, it's a kind of piggyback off of your story of the CPA firm. You know, I think you and I have chatted about these. We've seen that happen emails to our own practice where someone will contact us through, you know, Psychology Today or some length that can get into our email. So we don't have our necessary emails on our website, but there's a way to get us a contact information, and it'll be a simple thing that'll be something like, you know, Hey, I have a niece who needs an evaluation and by the way, I'm going to pay for it. But let me let me pay up front for that. And it's like, you know, after doing the cybersecurity training, I go, Yeah, I know that we're not going to do that. But it's it's interesting too. Like, you notice that like, yeah, it happens in a CPA firm, but yeah, we see those as well that there there are bad actors out there that are just fine finding ways to, you know, to get information. And now we're in a day and age where forms are emailed to people. And, you know, there's there's other ways that those are done digitally. It can be problematic. Yeah. Yeah. And on top of cyber awareness training, which is very important, I mean, just as you mentioned, just doing some of the training that we've provided and kind of does open your eyes to things. But, you know, we we put advanced controls for scanning of messages. We have very, very in-depth tools that will scan every single link, every single attachment. And in any of these emails come on before they could even land in your inbox. So we're finding now that a lot of places are linking you to sites that look identical. What you think to the naked eye looks identical to your normal Microsoft log and wheel controls that we put in place to to scan these these emails coming in. I mean, they they stand down to the pixels of colors and fonts and size of fonts and everything else and making sure that this is actually a legit Microsoft signing page or not. So it's it's pretty in-depth how granular we get with this. And it'll, it'll go through a sandboxing process. It'll run through multiple virus tools to make sure everything's good. So, you know, having a very strong phishing and anti spam filter on your email can can help weed out a lot of that stuff. So again, it's not 100% and nothing else, unfortunately. So that's why, you know, that in addition to cyber awareness, training can really help protect your organization overall. And, you know, going back to like some of those just the general and just kind of the bare minimum things that individuals can do. Like I cannot but think that so many of those, it doesn't take a lot of effort to go and do and set up. But it is it is a hassle. But if we can work to kind of be just aware of the importance and what that that's really protecting ourselves from as well as building it into a routine, we can really help to integrate it. And, you know, I think a lot of the you know, when you're talking about password generators, multi-factor authentication, you know that those are out there to help create a more seamless and streamlined. But it does have to be an extra layer. And an extra layer does mean there is some deviating from what we're typically doing, but really just trying to recognize and embracing that and saying, okay, I might, you know, I need to remember to have my phone handy for that multi than multi-factor authentication. But once I'm getting in the habit of that, it becomes just the same as we would typically like, Oh, I have a password saved in Google or whatever that may be. It's just now a different layer of protection that's there. So wanting to encourage the individuals that, you know, as we're talking about these things, really kind of recognizing when we're, you know, encouraging, taking some of these steps. It's not just about, you know, it's not a one and done thing, but rather it's we put something in place, we adapt to it in the same way. We really try to encourage that for our clients as well. And it's, you know, it's almost kind of a that when we're talking about psychoeducation in the setting or in the session, this is, you know, a cyber education, you know, and it's really it's just as important to understand the basics and understand the process behind it as the end to course point is, you know, we we struggle with that as well because as you mentioned, when we put in additional controls in place, it does change your normal workflow. It does add a couple of other steps. So we have to find a happy medium too, where we're adequately, adequately protecting your organization without inhibiting normal workflows and slowing down normal workflow. So it's a it's a very fine line of, you know, protection versus convenience. And we need to make sure that we that we cover rate around their line to where it's not making it So it's almost impossible to do your job, but we still remain secure at the same time. And, you know, you go ahead. I think just just kind of piggyback on that. I mean, I remember like when we when we first really went into especially around the password issue. Yeah, you know, the initial start up was a little bit, you know, it was rocky in the sense of, my gosh, I got to, you know, do all of these steps. But then once you get a couple of weeks into it, know. No different. In fact, I mean, sometimes I even think it's faster now that we're used to it. And but it's it's just a learning curve. I mean, I think it's what people you know, I think if if we would have had this interview the first week that we did that, I you know, I would have been swearing at you at this point. Yeah. But, you know, after a week's practice and you kind of go into it, it's like I mean, it's kind of second nature now. And I mean, I think that I think that's the important thing. And I'm glad Paul brought that up because. Yeah. I mean, when we change from it, we think it's going to be more difficult. But it's just, you know, I love our password program that, you know, gives you these unique passwords and it's now not hard to do. I don't know if I loved it day one, but it's now it's it's so easy. I actually think I never forget my passwords anymore because I have this assistance of it, you know, which also I think is great. Now, if I ever lose the access to that program, I'm in trouble. But I do like it. We got you covered, right? We we can get you back there. No worries. That's right. And that's that's why we got you here, man. Right. So, I mean, one of the great things about and then when we're talking about encrypted passwords and I don't even know any of my passwords anymore, I have these now 20 character cryptic passwords for everything. I don't even know what they are. The password generator is just a generator of force and they're completely encrypted with multiple levels of multi-factor authentication, making them very secure. And even if they were hacked on the back end, it's still pretty much impossible to get to that database now, as opposed to storing them, as opposed to storing your passwords in your web browser. They're all clear text. They're very easily extracted. It just comes out like a notepad file and you can see everything. But, you know, one of the big things that we like, especially in this day and age with everything, is multi-factor authentication. And we find nine times out of ten, a lot of companies are using some sort of shared account to get into something. Well, with these password keepers that we use, we can share records with each other and we can actually keep the multi-factor authentication codes in the records, at least password keeper. So it's not like we're trying to log into a shared account. And, you know, the two factor authentication is going to raise a and you're running around the office looking for a way to get the code or so. It's really streamlines a lot of things where we have shared access to certain accounts like that. So there's a lot of good things about it. And and there's password generators as well. We also have features where we can put in breach watch. So we'll let you know that passwords embraced on the dark web and you can alert you to give it a change. So yeah. Yeah, that's I'm glad you brought the shared piece up. That's actually I mean and of a game changer because you know we we've had that I mean you know where one of us would come to our cell phone I'm in the middle of a session. Somebody needs the the the password. And, you know, now, since we've set that up, I mean, it's made it, you know, such a seamless process and again, front end, probably a little bit more work. But then, you know, I don't think anybody ever asks me for a code anymore. And I think I think we have a link to a point where it's running that smoothly. So that's a great point to bring up. Yeah. I mean, there's a bit of a learning curve and getting used to it, but you know, it's, it's life. People just tend to not like change. But like you said, once you got through a week or two, you actually wound up liking it better. That's you know, we see that you see that a lot. So, you know, as well as just the same as when we work with, you know, we're here for you to help you through the problems as you arise and get you through it and know keep you moving forward. That's right. And Keith, I think that piece about change that you just said is so important, because I think that can be such a barrier to interacting with these pieces like, oh, I don't have the time to commit to taking this step. Or, You know, I'm so busy, you know, I don't want to add just one more thing. And, you know, we go through constant changes, you know, when, you know, different updates to operating systems or changing, you know, changing that. And we adjust and we adapt. But because this one's more of a willful step, we have to actually go and engage with this change. It feels like it's just that much more of a hurdle. But if we really think, I mean, the the learning curve of going to different operating systems and you know, personally I at home I'm I enjoy using a mac you know here at the office we use windows and, you know, there is a learning curve, you know, even just my my copy paste prompt is different, you know, and the keyboard layout is different. But once we go in, we will fully engage back and forth. Okay, yeah, we're adapting and we're better able to find that middle ground. And so it encourage again any individuals that are maybe like, like, yeah, I know I'm supposed to do that, but you know, I'll get to it like, you know, try to make it that willful change that we're working to take because it is such an important step and it really only investing in your own security. And that way we're not waiting until there has been that breach. And then you're getting that phone call of, hey, can we work to set this up because yikes, this just happened to us. And instead. Hopefully these individuals are never having to make that call because they've taken these preventative steps. Yeah, absolutely. I mean, we work with small, medium business owners all the time. And it's like, you know, if you just kind of take your head out of the sand and really open your eyes up to what's going on, I mean, all it takes is one employee, one email to cripple the business that you've worked your entire life to build. You know, so taking a little bit of time upfront to have a risk assessment done, put some controls in place, give yourself some peace of mind that you're doing, know, even just a little bit to start protecting your organization to protect which you've worked so hard for you. Sacrifices go into your children's soccer games, working late, all sorts of things you sacrificed all your life to to build this business can be taken from you in an instant with a single email. So it's, it's, it's really important. And it's, I think today more people are becoming aware and really paying attention a little better. But it's been a struggle for the past few years, too, to get folks to really take this seriously. But I think it's becoming more more prominent in people's minds now, and people are starting to take it more seriously and they're thinking about it more, but they may not be taking action yet. And, you know, Keith, we've we've talked a little bit about email is being kind of one of the, you know, the cyber threats that we have. But yeah, I guess for those, you know, listening that are in the mental health field, are there are there other cyber threats specific to mental health that that our listeners should kind of be also aware of? Oh, sure. I mean, there's there's tons of different threats out there and I wouldn't say necessarily specific to mental health, but overall, I mean, there's there's all sorts of ways for for the hackers to get in your systems, you know, drive by downloads on websites. You know, you can go to websites that are in effect and they start popping up. If you need to do this, you need to click on this and people take the bait and they click in. There's brute force attacks where they can just come in and they just start trying to, you know, hammer your system to find out where there's a hole. So, for example, if you don't have, you know, your your Microsoft Windows operating system, passion of the Day, if you don't have your Zoom patched and up to date or all these different third party applications that are vulnerabilities out there, there's many ways to to to get into your system specifically, not to mention the email side of things. Now, with everything moving to the cloud, there's ways of breaking into your cloud application, being like, say, your Microsoft three 6510 warehousing tons of data in OneDrive and SharePoint mail. So that's you know, it's a very easy way to hack in as well. So yeah, I mean, specifically to mental health, I think the attack vectors, the attack methods are the same no matter what industry you're in with mental health itself, you know, obviously health care in general, you really have to worry about protecting the heart and and trying your best practice to be compliant because if you get breached, you're going to get hit with some pretty hefty fines. Now, we talk with a lot of health care professionals. They're like, you know, whatever it is, no type of police ever came and knocked on my door. But you're going to hear from them when when there's a breach. And there's there's pretty hefty fines for not doing your due diligence to protect your clients and your patients. So I say that's more specific to the health care and mental health industry right now. So now we scared everybody. And we have you know, we've created this world of anxiety. And in listeners, you know, I guess our maybe is we're kind of, you know, getting to the in here when we're looking at, you know, smaller practices. So like, you know, big organizations have a little bit, you know, greater capabilities, but, you know, smaller practices. A lot of times we're unlimited budgets, you know, not as many resources, you know, what do you think the smaller practices, what can they do to kind of implement some effective strategies or effective measures starting out? Yeah, I mean, what kind of goes back to our our basic stuff like we talked about earlier, just making sure you have strong flexible passwords, making sure you have multi-factor authentication, making sure your your your devices are encrypted, your your hard drives are encrypted and encrypted communications via email. So, I mean, there are very, very basic things that you need to do. Now, we've actually put together some some packages for for protecting organizations where we have kind of a basics and advanced. And in the lead. So the basics are going to cover your basics. Like, it's like I say some this is not going to be a full fledged everything all in one tool to protect all aspects of it But it's going to be a starting point. It's something that you can do now to get started, to show that you are doing your due diligence, you are doing something to protect within your your budgetary constraints, right? So if you're just not doing anything and you get breached, then you're most likely going to take some pretty hefty fines. If they can see that you're taking a proactive approach and you're doing what you can do within your budget. They're going to be more lenient on you, I would think. I have no proof of that. But that's kind of the conception that was among the industry. So, you know, if nothing else, at least reach out to an MSP to to get a quote, to talk to them about maybe getting their risk assessment, kind of seeing what that would look like, what the costs would be to have somebody manage and monitor this for you. So, you know, so that when we get up and do the elite packages, we have 24 seven eyes running on your systems monitoring all day long. So a lot of breaches happen after hours, holidays, weekends, when they know there's nobody sitting there monitoring the systems. So we have 24 seven monitoring going to a security operations center that's kind of monitoring all this metadata going back and forth across your platforms. And when there's anomalies in this data, it pings, alerts, and we have a team of engineers ready to respond and we can immediately isolate the machine that is having the issue as this throw in these alerts. And by isolating that machine, we can kind of stop the bleeding per say of the of the attack and may be isolated to one device before it goes and infects the entire network across your across your organization. So I would say, you know, kind of key takeaways, four basic things you can do against your own passwords, multi-factor authentication, encrypted communications and encrypted data. And I can personally speak to that because there was a time when I was on vacation out of the country and I pulled up my work email and I immediately got locked out of everything. And then I think I even got a text message for like, you know, it looks like someone's trying to hack in or like looks like someone trying to access this from out of the country. And so, I mean, it was seconds it took and so, you know, and that thankfully able to be resolved pretty quickly and then, you know, just had to give them a heads up like, oh, hey, yeah, no, that was truly me and verifying that. But once that happened, I had access back immediately to and so I got locked out. But also we could get conditional access policies. We will block log log in from out of the country because, you know, we see I say 70% of the attacks coming from from overseas and out of the U.S. Now, some of the bad actors are smart and they get behind a VPN to make them appear as if they're in the US. But then having that conditional access policy in place in itself, because about 70% of the attempts. So and then we also have controls in place. If we noticed there's what we call impossible travel. So if you're logged in, in, you know, Harrisburg, Pennsylvania, 10 minutes ago and he just logged in in Tampa, Florida, 5 minutes later, that's probably not likely that that happened. Our systems were alert us on that automatically disable your account, sign you out. And that's part of where we call them what we call a DLP is as a data loss prevention. So maybe someone you got into your SharePoint or OneDrive and they're starting to download a bunch of information from your account. Well, we're going to immediately recognize that, be able to shut them down and stop the bleeding of that breach. So yeah, I'm glad that was brought up. Yeah. I think again, with, with my kind of life, I travel a lot and have my laptop with me. I usually am doing some work from somewhere and I think that's that's just another big asset that, that we've had is to be able when we're traveling, you know, if we're on a network in a hotel, it's not going to be as secure and making sure that we have the right, you know, things in place to ensure that, you know, we're keeping everything is safe no matter what. Like, I don't think we always think about that. You know, it's like how we're going to a coffee shop and we're going to pop up our our laptop and join Starbucks wi fi. But yeah, that's a whole other level of risk that, you know, having these things in place. You know, I don't say I don't think about it now, but I know that we have the things in place. I don't have to worry about it now, if that makes sense. So for when you're roaming and traveling, like that's where we that's where we have that sassy client on your computer. It's kind of like a next generation VPN, but it puts you in a private cloud and it creates what we call a zero trust networking environment. So nobody else in that Starbucks coffee shop is. You want to be able to scan and ping your machine to see if they can get into it because you're protected by a private cloud firewall in the zero trust atmosphere. So it really helps cut down the cut down the possibility. So, Keith, as we're wrapping up, is there is there any other kind of things you would kind of want to just throw out to our audience of takeaways from that they just should start thinking about at this point before know as they're trying to consider their next steps. Yeah. So, you know, obviously don't don't ignore this this a real threat. It's something that, you know, if you do care about your business or you want to keep your doors open, you need to pay attention to this in some fashion. You need to take some steps to starting to protect your organization's data. I highly recommend reaching out to an MSP to maybe do a risk assessment for them to see where their strengths and weaknesses are and just have an understanding of where you need to patch things up. Now we can do a risk assessment for organizations and we'll we'll tell them where their weaknesses are and tell them what they need to do. And we'll give them a blueprint of what they need to do. And if they have the manpower to do it themselves or don't have the budget and resources to hire us, we're happy to give you a blueprint, and this is what you need to do. Now, if you don't have the resources or time or want to do it on your own, obviously a company like MTS, we can we can do it for you. So I say one of the key takeaways is put some of the basic controls in place strong passwords, multi-factor authentication. Reach out to a professional I.T. firm and look to having a risk assessment done to to really wrap your head around what you need to protect and what you can do. Right. Well, Keith, thanks for that. And, you know, I just want to throw out to the listeners, you know, as a site to practices kind of moving forward to do some continuing education programs. Keith and I are going to be teaming up here at some point in the near future to do an and ethics in cybersecurity and look at it not only what we need to do professionally, ethically, but then Keith sharing some more specific tips that are going to be able to be actionable steps that you all can take a look at. So keep an eye out for that. So we are looking forward to working together on that, right? Yeah, me too. And again, you know, thank you so much, Keith, for for taking the time this evening. And, you know, if our listeners are interested in, you know, kind of hearing more or even being able to kind of go and checking things out, like what are these websites? What are the social media that they're able to kind of follow and get some more information? Yeah, sure. Our website is going to be w w w dot m t s i t s stands for MTS I.T. Solutions Systems. Yes, it's dot com. And you can also search for us on Facebook and LinkedIn under MTF City Solutions as well. And then as Ray had mentioned, we're going to, I think, raising up a leave line here. We have our 15 Ways to Protect Your Business flier that we're going to leave behind for you guys. We want to take a look at that guy gives you a breakdown of 15 things that you can do on your own or 50 things that you can, you know, hire somebody to do for you. That that will be very good steps to protecting your businesses. And just, you know, I really hope our listeners take this seriously. You know, we were talking about Starbucks earlier, and I couldn't help but think of like we wouldn't holders or sessions in a Starbucks and so, you know, make sure we're protecting the dad in the same way we take those steps physically just because we can see it, it does. It is still there. And so I hope that they take that opportunity to go and check out the website and, you know, being able to help bring some security to their own practices in there. And if you're interested in hearing more and staying up to date with what's going on, just like to practice visit our website at WW that seek to practice dot com and follow us on all major social media and follow us on all major social media by searching site to practice. We'll be back in two weeks, but until then, you will stay psyched. The information contained in this podcast and on the site. The practice website is intended for informational and educational purposes only. Nothing in this podcast or on the website is intended to be a substitute for professional, psychological, psychiatric, educational or medical advice, diagnosis or treatment. Please note that no professional patient relationship is formed here, and similarly, no supervisory or consultative relationship is formed between the host guest and listeners of this podcast. If you need the qualified advice of a mental health professional or practitioner, please contact services in your area. Similarly, if you need supervision on clinical matters, please locate a supervisor with experience to fit your professional needs.

People on this episode

Head Shot

Dr. Ray Christner

Co-host
Head Shot

Paul Wagner

Co-host
Contributor

Dan Florell

Producer