2.3.2 Security

‘Security’ tends to refer to addressing external threats to data-driven systems. An example is the 2020 Vastaamo data breach in Finland, noted earlier in the report ( X X). To recap, over 30,000 people’s psychotherapy records from the Vastaamo private counselling service were hacked and used to extort victims, in what the then public prosecutor described as perhaps the largest criminal case in Finnish history in terms of the number of victims.²⁹³

Security assurances against data concerning mental health and disability must exist in the interest of protecting the integrity and confidentiality of personal data. According to Martinez-Martin and colleagues, ‘[b]ehavioral health information is a valuable commodity, and it is likely that companies will take further advantage of the lax security and privacy landscape’.²⁹⁴ Indeed, the healthcare sector is particularly attractive for those perpetrating cyberattacks, with major incidents reported worldwide.²⁹⁵ Kyriaki Giota and George Kleftaras point out that ‘[p]ersonal health information is of great value for cyber-criminals and can be used in order to obtain medical services and devices, or bill insurance companies for phantom services in the victim’s name’.²⁹⁶

Mental health apps – again, of which there are reportedly over 10,000 – appear particularly vulnerable to poor security processes. A study by Kit Huckvale and colleagues found that not one of the 79 apps in the UK NHS Health Apps Library encrypted user data stored on the phone.²⁹⁷ The apps did commonly use password security, though Huckvale and colleagues observed that this could lead a user to believe their data were secure.

One common strategy to address security concerns is to seek to anonymise, de-identify, or aggregate data where possible.²⁹⁸ Another strategy is to make clear the specific content of rights and obligations for technology developers, product manufacturers, or service providers and ‘end users’.²⁹⁹

Concepts such as ‘security by design’ have been floated to address security concerns early on.³⁰⁰ A key component of responsible governance would be ensuring that institutions that are handling data concerning mental health, distress and disability meet relevant data security requirements. Martinez-Martin and colleagues have also stressed that the ‘details of [security] measures, and who shall prescribe them and monitor compliance, will need explicit definition and should be included in the informed consent process’.³⁰¹

Security will remain a pressing task for the foreseeable future. To date, cybersecurity researchers have detected compromises in more than 100 million smart devices around the world.302 It will be unsurprising to see more major breaches of data concerning mental health and disability in the near future.

Go Mental by Josh Muir in Science Gallery Melbourne’s MENTAL. Photo by Alan Weedon.