
Cybersecurity for Solo Therapy Practices: A 2026 Practical Guide

Solo therapists hold some of the most sensitive data in healthcare — and are among the least prepared for cyberattacks. Here's how to protect your practice without an IT department.

Tendly Team·April 8, 2026

Healthcare is consistently among the most-targeted industries for cybercrime, and mental health practices are particularly attractive targets. The combination of highly sensitive data, limited security budgets, and the assumption that "no one would target my small practice" makes solo therapists soft targets for ransomware, phishing, and data theft. Most of these attacks are opportunistic: automated scanning and mass phishing find the weakest accounts and devices, regardless of how small the practice behind them is.

The good news: you don't need an IT department to be reasonably secure. Most cyberattacks succeed because of basic gaps — weak passwords, missing two-factor authentication, unpatched devices, clicked phishing links. Closing those gaps takes a weekend of focused effort and pays dividends for years.

This guide is a practical cybersecurity reference for solo mental health practices. No jargon, no overwhelm, just the specific steps that will dramatically reduce your risk of becoming the next breach headline.

Why this matters more than you think

You might assume that as a solo practitioner, you're too small to attract attackers. The opposite is true.

What's on the dark web for mental health records

A complete healthcare record sells for $250–1,000 on dark web markets — orders of magnitude more than a credit card number ($5–30). Mental health records sell for a premium because they enable particularly damaging extortion and identity theft.

The attack patterns

The most common attacks on small practices:

  • Ransomware — encrypts all your data and demands payment to unlock it; increasingly the attacker also copies the data first and threatens to publish it. Average ransom for small healthcare: $10,000–50,000.
  • Phishing for credentials — emails that trick you into entering your login on a fake page; the stolen credentials are then used to access your data
  • Business Email Compromise (BEC) — attacker takes over your email and uses it to redirect payments or impersonate you
  • Lost or stolen device — a laptop or phone goes missing and an unencrypted drive gives the finder full PHI access

The cost of a breach

Beyond the immediate disruption:

  • HIPAA penalties — the statutory tiers run from $100 to $50,000 per violation with annual maximums of $1.5M per category; HHS adjusts these amounts for inflation every year, so the current figures are higher
  • Mandatory breach notification — every affected client must be notified in writing
  • OCR enforcement — public listing on the HHS breach portal (the "Wall of Shame") for breaches affecting 500+ individuals
  • State penalties — many states have their own data breach laws with their own deadlines
  • Legal exposure — class actions are increasingly common even for small breaches
  • Practice disruption — the average healthcare practice loses 21 days of operations after a ransomware attack

The total cost for a small practice breach typically runs $50,000 to $250,000. Most solo practices cannot survive this hit. This is the math that makes basic cybersecurity non-negotiable.

The foundation: account security

If you do nothing else, do this. The vast majority of breaches start with compromised passwords.

Use a password manager

A password manager (1Password, Bitwarden, Dashlane) does three things:

  • Generates random, unique passwords for every account
  • Stores them securely
  • Auto-fills them when you log in

Most practices have 30–50 work-related accounts. Without a password manager, you either reuse passwords (huge risk) or write them down (different huge risk). A password manager solves this for $3–5/month.

Set this up first. Everything else depends on it.

Turn on two-factor authentication (2FA) everywhere

2FA — typically a code from an authenticator app — means that even if your password is stolen, attackers can't log in without your second factor. Enable it on:

  • Your practice management software
  • Your email account
  • Your password manager
  • Your bank and any payment processors
  • Your cloud storage (Google Drive, iCloud, Dropbox)
  • Your social media accounts
  • Any service that holds client data or financial information

Use an authenticator app (Authy, Google Authenticator, 1Password) rather than SMS where possible: SMS codes can be intercepted via SIM-swap attacks. App-generated codes can still be phished in real time by a fake login page that relays them to the real site, so where a service offers passkeys or a hardware security key (FIDO2), choose that instead; those are bound to the genuine site and cannot be replayed by a lookalike.

Use unique passwords (no reuse)

Reused passwords are the #1 way breaches cascade. If a small site you signed up for in 2019 gets breached and your password from that site is also your email password, attackers will access your email — and from your email, they can reset passwords for everything else.

The password manager makes this easy. Every account gets a unique, generated password.

Audit your old accounts

That counseling-specific forum you signed up for in 2015? That practice marketing list you joined in 2019? Each is a potential entry point if it gets breached. Periodically:

  • Search your email for "welcome" or "verify your account" to find accounts you forgot
  • Delete accounts you no longer use
  • Update passwords on accounts you do still use

Email and phishing defense

Email is the most common attack vector for healthcare practices. Here's how to harden it.

Use a HIPAA-compliant email service

Your personal Gmail is not HIPAA-compliant, because Google will not sign a BAA for consumer accounts. Even if you'd never email a client's full record, even a simple "I'll see you Tuesday, Sarah" contains PHI.

Options for HIPAA-compliant email:

  • Google Workspace — Google signs a BAA for paid Workspace plans (not for consumer Gmail)
  • Microsoft 365 with a HIPAA BAA — same idea for Microsoft
  • Paubox — purpose-built for healthcare
  • Hushmail for Healthcare — long-standing HIPAA-compliant email

Whichever you choose, make sure you've executed a BAA before sending any client communication.

Recognize phishing

Phishing emails increasingly look legitimate. Red flags:

  • Urgent language ("Your account will be suspended!")
  • Unexpected attachments, especially Word/Excel/PDF, and anything macro-enabled (.docm, .xlsm)
  • Requests to verify credentials by clicking a link
  • Sender domain that looks slightly off (microsoft-support.com vs microsoft.com)
  • Generic greetings ("Dear Provider")
  • Spelling/grammar issues
  • Requests for payment, wire transfers, or changes to banking details
  • A Reply-To address that differs from the visible sender, so your reply goes somewhere else

When in doubt, don't click. Go directly to the service's website by typing the URL or using your password manager.

Don't open attachments without verification

If a "client" emails you a "completed intake form" as an attachment from an address you don't recognize, don't open it. Confirm via phone or known contact channel first. Many ransomware attacks start with a malicious document.
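The red flags listed above can be checked mechanically before you decide whether to trust a message. The script below is an added example, not code from Tendly or the original post: it scores raw email text for a Reply-To that differs from the sender, a lookalike sender domain, urgent language, a generic greeting, payment requests, and risky attachment types. TRUSTED_DOMAINS is a hypothetical allowlist of domains the practice really uses, and the three sample messages are constructed for the example (one credential lure, one "completed intake form" with a macro-enabled document attached, one routine vendor notice).

```python
# Added example (not part of the original post): triage raw email text against
# several of the red flags above: Reply-To differing from the sender, a lookalike
# sender domain, urgent language, a generic greeting, risky attachment types.
# TRUSTED_DOMAINS is a hypothetical allowlist; the samples are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = ("microsoft.com", "google.com", "tendly.example")  # hypothetical
URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours|verify your account)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(provider|customer|user|valued)", re.I | re.M)
PAYMENT = re.compile(r"\b(wire transfer|gift cards?|update (your )?bank(ing)? details)\b", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(docm?|xlsm?|pptm?|pdf|zip|7z|iso|js|exe|scr|lnk)$", re.I)

def domain_of(header_value):
    """Bare, lower-cased domain from a From/Reply-To header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def lookalike(domain, trusted):
    """True when a trusted brand name is embedded in a domain that is neither the
    trusted domain nor one of its subdomains (microsoft-support.com vs microsoft.com)."""
    brand = trusted.split(".")[0]
    return (domain != trusted and not domain.endswith("." + trusted)
            and brand in domain.replace("-", ""))

def phishing_flags(raw_message):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    flags = []
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        flags.append("reply-to domain differs from sender")
    for trusted in TRUSTED_DOMAINS:
        if lookalike(sender, trusted):
            flags.append(f"sender domain {sender} resembles {trusted}")
    text = []
    for part in msg.walk():  # one part for plain mail, several for MIME
        filename = part.get_filename()
        if filename and RISKY_ATTACHMENT.search(filename):
            flags.append(f"risky attachment type: {filename}")
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(text)
    for label, pattern in (("urgent language", URGENCY),
                           ("generic greeting", GENERIC_GREETING),
                           ("payment request", PAYMENT)):
        if pattern.search(body):
            flags.append(label)
    return flags

# Constructed sample: credential lure impersonating a vendor.
LURE = """\
From: "Microsoft Support" <alerts@microsoft-support.com>
Reply-To: recovery-desk@mail-relay.example
To: therapist@tendly.example
Subject: Action required: account suspension
Content-Type: text/plain

Dear Provider,
Your mailbox will be suspended within 24 hours. Verify your account now
by replying with your current password.
"""

# Constructed sample: "completed intake form" from an unknown sender with a
# macro-enabled Word document attached (the scenario described above).
INTAKE = """\
From: "New Client" <intake@unknown-sender.example>
To: therapist@tendly.example
Subject: completed intake form
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, my completed intake form is attached. See you next week!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="intake_form.docm"

AAAA
--b1--
"""

# Constructed sample: routine, legitimate notice from an allowlisted domain.
BENIGN = """\
From: "Account Team" <billing@microsoft.com>
To: therapist@tendly.example
Subject: Your April invoice is available
Content-Type: text/plain

Hello Dr. Example, your April invoice is now available in the admin center.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("intake", INTAKE), ("benign", BENIGN)):
        print(name, phishing_flags(sample))
```

The lure trips four flags at once (mismatched Reply-To, lookalike domain, urgent language, generic greeting); the intake message is clean in every way except its attachment type, which is exactly why the paragraph above says to confirm by phone before opening it. Heuristics like these produce false positives, so treat a flagged message as "verify through a known channel", not as proof of fraud.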


Device security

Encrypt your devices

Full-disk encryption means that if your laptop or phone is stolen, the data on it cannot be read without your password.

  • Mac: FileVault — turn it on under System Settings > Privacy & Security (System Preferences > Security & Privacy on older macOS); running `fdesetup status` in Terminal confirms it is on
  • Windows: BitLocker — available on Windows Pro through Settings; Windows Home offers "Device encryption" instead, and only on supported hardware, so confirm it is actually enabled (`manage-bde -status` from an administrator prompt shows each drive's state). Save the recovery key somewhere safe, such as your password manager: without it, a locked drive is unrecoverable
  • iPhone/iPad: automatic once a passcode is set (Settings > Face ID & Passcode shows "Data protection is enabled" at the bottom)
  • Android: on by default on modern devices; verify under Settings > Security

Without encryption, a stolen device = a HIPAA breach. With encryption, a stolen device is just a lost device, provided it was locked or powered off when it went missing and the login password is strong; an unlocked laptop left on a café table is still exposed.

Keep software up to date

Most successful attacks exploit known vulnerabilities that already have patches available. Your job:

  • Enable automatic OS updates on every device
  • Install browser updates immediately when prompted
  • Update your practice management software, password manager, and security tools regularly
  • Don't keep using software past its end-of-life (Windows 7, Windows 10 after its October 2025 end of support, old macOS versions, etc.): it no longer receives security patches at all

This is boring but it's one of the highest-impact security practices.

Lock your screen

Every time you step away — even for 5 minutes — lock your screen.

  • Mac: Cmd+Ctrl+Q
  • Windows: Win+L

Configure automatic locking after 5–10 minutes of inactivity. A glanced-at screen with a client name visible is a HIPAA exposure.

Don't mix personal and professional accounts on shared devices

If your family uses the same laptop as your practice work, that's a problem. Either:

  • Use separate, password-protected user accounts on the same machine, and sign in to practice tools only from your practice account
  • Or use a dedicated laptop for practice work and keep personal and family use off it entirely

The administrative overhead of separate user accounts is minimal and the security benefit is significant.

Network security

Use a VPN on untrusted networks

A VPN encrypts your traffic between your device and the VPN provider. On public Wi-Fi (coffee shops, hotels, airports), others on the network, or a rogue hotspot set up to look like the real one, can otherwise see which services you connect to and tamper with anything not protected by HTTPS. Most practice tools already use HTTPS, so the VPN is an added layer against hostile networks, not a replacement for the application's own encryption.

For solo practice work:

  • Don't use coffee shop Wi-Fi for sessions or PHI-related work; your phone's hotspot is a safer fallback than any public network
  • If you must use an untrusted network, use a reputable VPN (NordVPN, ExpressVPN, ProtonVPN, Mullvad)
  • Verify your VPN is connected before opening any practice-related application

Secure your home/office Wi-Fi

If you work from home:

  • Use WPA3 encryption (or WPA2 if WPA3 isn't available); never WEP or an open network
  • Change the default router admin password
  • Use a strong, unique Wi-Fi password
  • Update router firmware periodically; turn on automatic updates if the router supports them, and replace a router the manufacturer no longer updates
  • Consider a guest network for visitors so they don't access your main network

Don't use public Wi-Fi for telehealth

Even with HIPAA-compliant telehealth platform encryption, public Wi-Fi adds risk and isn't recommended. Always use a secure, password-protected network for client work.

Backup strategy

Cybersecurity isn't just about preventing attacks — it's also about surviving them. A good backup strategy means a ransomware attack is an inconvenience, not a catastrophe.

The 3-2-1 rule

  • 3 copies of important data
  • On 2 different media types
  • With 1 copy offsite

For solo practice:

  • Your primary data lives in your practice management software (cloud-based)
  • Local backup of any local documents (on an encrypted external drive)
  • Cloud backup with a provider that will actually sign a BAA for your plan; consumer tiers of Google Drive, iCloud, or Dropbox generally are not covered by one

If your practice management software is your primary system, the vendor should be running backups on your behalf. Ask them directly: "What is your backup strategy, how much data could be lost (recovery point objective), and how long would a restore take (recovery time objective)?"

Test your backups

A backup that doesn't restore is not a backup. Once a quarter:

  • Pick one document
  • Try to restore it from your backup
  • Confirm it actually works

You don't want to discover your backups are corrupt on the day you need them.
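The quarterly restore test above is easy to make rigorous if you keep a hash manifest alongside each backup. The script below is an added example, not code from Tendly or the original post: backup() copies a folder and writes a SHA-256 manifest next to the copy, and verify_restore() checks a restored copy file by file against that manifest, reporting anything missing or altered. The demo builds a throwaway folder with constructed contents (no real client data), restores it to a scratch location, then simulates a corrupted file and a lost file to show what a failed restore test looks like. Paths and file names are illustrative.

```python
# Added example (not part of the original post): a restore test against a
# scratch copy. backup() copies a folder and writes a SHA-256 manifest beside
# it; verify_restore() compares a restored copy to that manifest. The demo
# folder and its contents are constructed; no real data is touched.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"

def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup(src, dst):
    """Copy src to dst and store a manifest of src alongside the copy."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst)
    (Path(dst) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_restore(restored, manifest):
    """Return {relative_path: problem} for files missing from or altered in
    the restored copy; an empty dict means the restore is faithful."""
    problems = {}
    for rel, expected in manifest.items():
        target = Path(restored) / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_file(target) != expected:
            problems[rel] = "hash mismatch"
    return problems

def demo():
    """Back up a constructed folder, restore it to a scratch location, verify,
    then simulate silent corruption and a lost file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "practice")
        (live / "notes").mkdir(parents=True)
        (live / "notes" / "2026-04-01.txt").write_text("constructed session note")
        (live / "intake.txt").write_text("constructed intake form")

        backup_dir = Path(tmp, "backup")
        backup(live, backup_dir)
        saved = json.loads((backup_dir / MANIFEST_NAME).read_text())

        restored = Path(tmp, "restore-test")  # never restore over the live folder
        shutil.copytree(backup_dir, restored)
        clean = verify_restore(restored, saved)

        (restored / "intake.txt").write_bytes(b"\x00")    # bit rot / truncation
        (restored / "notes" / "2026-04-01.txt").unlink()  # file never made it
        damaged = verify_restore(restored, saved)
        return clean, damaged

if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

Always restore to a scratch location, never over your live data. Keep the manifest with the backup (and, ideally, a second copy elsewhere), because a manifest that lives only on the same drive as the backup is lost with it.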

Vendor and BAA discipline

Every vendor that touches PHI must have a signed BAA. Period.

Maintain a vendor list

Keep a running list of every service that holds or processes your client data:

  • Practice management software
  • Email provider
  • Telehealth platform (if separate)
  • AI documentation tools
  • Cloud storage
  • Payment processor
  • Text/messaging service

For each, document:

  • Vendor name and contact
  • Date BAA signed
  • Date BAA expires (if applicable)
  • What PHI they access
  • Their security certifications (SOC 2, HITRUST, etc.)

When evaluating new vendors, ask up front for their BAA. If they won't provide one, don't use them.

Incident response: when something happens

Despite your best efforts, security incidents happen. The difference between a minor incident and a major breach is often how you respond.

What to do in the first 24 hours

  • Disconnect affected devices from the network (Wi-Fi off, cable out), but don't wipe, reinstall, or power-cycle them yet
  • Don't pay the ransom without first consulting an attorney and your malpractice and cyber insurers; payment does not guarantee you get your data back
  • Document everything — what happened, when, what data may have been exposed, and what you did in response
  • Contact your cyber insurer (if you have it — and you should); most policies require prompt notice and will bring in forensic and legal help at their expense
  • Contact a privacy attorney experienced in healthcare breaches
  • Notify your practice management vendor if your data is potentially affected; under your BAA the vendor must likewise notify you when the incident is on their side
  • Don't tamper with evidence — preserve logs and affected systems for forensic analysis

Mandatory notification timelines

Under HIPAA:

  • Affected individuals: without unreasonable delay, and no later than 60 calendar days after the breach is discovered
  • HHS Secretary: within the same 60 days if 500+ individuals are affected; smaller breaches are logged and reported within 60 days after the end of the calendar year
  • Major media: required if 500+ residents of a single state or jurisdiction are affected, also within 60 days

Many state laws are stricter. A qualified attorney is essential.

Cyber insurance

For a solo practice, cyber insurance runs $500–2,000/year and can cover:

  • Forensic investigation costs
  • Legal fees for breach response
  • Mandatory notification costs
  • Credit monitoring for affected individuals
  • Ransom payments (some policies)
  • Lost income during practice disruption

If you don't have this, get a quote today. The cost is small relative to the protection.

The 30-minute weekly audit

Once a week, take 30 minutes to:

  • Review login alerts from your password manager, email, and PM software
  • Check for any unusual sent emails
  • Confirm 2FA is still enabled on critical accounts
  • Verify your backup completed
  • Update any software with pending updates
  • Scan your inbox for phishing attempts

This routine takes less time than scrolling Instagram and prevents the majority of preventable incidents.

The bigger picture

You're not going to become a security expert. You don't need to. You need to be:

  • Hard enough to attack that opportunistic attackers move on to easier targets
  • Resilient enough that an incident doesn't end your practice
  • Documented enough that, if something does happen, you can demonstrate reasonable care

Most cyberattacks on solo healthcare practices succeed because of basic missing protections — not sophisticated attacks. Closing those gaps is achievable, affordable, and protective.

A practice management platform built with security and HIPAA compliance from the ground up handles much of this for you — encryption, audit logging, access controls, secure messaging, BAA, and breach response procedures. But your end of the security relationship — your accounts, your devices, your behavior — is yours to own.

Want a HIPAA-compliant practice management platform with enterprise-grade security built in? Tendly handles encryption, access controls, BAA, and audit logging — so you can focus on the parts of security that only you can manage. Start your free trial.
