PsychologyOnline uses secure instant messaging to
provide live, accessible and confidential cognitive
behavioural therapy over the internet.
CBT with a live therapist delivered remotely over the internet
Live one-to-one therapy using instant messaging-based text communication
Private, discreet therapy in a secure online meeting room
No travel or room booking – patients/users can attend therapy from a convenient location, such as home
Available evenings and weekends at no extra cost
Relative anonymity reduces stigma and promotes disclosure
PsychologyOnline – growing and
adding value in mental health therapy
• Full operational launch
• Product development
• Investment
• Pilots
NHS Surrey Pilot
And AQP status
Talking Therapies Pilot
Investment round
Patient Trials – Bristol and London
Clinical Validation - Lancet
Clinical Validity and Governance
Summary of PsychologyOnline Clinical Validity
data & Governance
Proven effective by peer-reviewed research
297 depressed patients
allocated to receive on-line
CBT or standard care
At 4 months 38% recovery
(BDI<10) in intervention group
vs 24% in control group
Effect maintained at eight
months – 42% vs 26%
Median of six sessions needed
for benefit
Severely depressed benefited
Many patients found it easier
to talk when not face-to-face
with a therapist
Care pathway
• Focus on individual cases
• One therapist throughout
• GP communication at all stages
GP or self referral
Step chosen based on assessment tools
and professional opinion
questions + 30 min appt
Step 2: structured programme
- 30 min sessions
- Goal setting
- Homework
Step 3: semi-structured programme
- Mainly 60 min sessions (some 30 min)
- Goal setting
- Homework
Step 3+: individual-focussed intervention
- 60 min sessions
- Goal setting
- Homework
Step up possible
Same therapist retained
The Patient Experience – Flexible Accessibility
• Therapy relationship enhanced rather than
hindered by lack of body language or eye contact
– Relative anonymity reduces inhibition
– Reduced pressure allows patient to take time to formulate responses
– Solipsistic introjection
• Text communication supports therapy
Forces order and logic into communication
Documents a narrative that can be reviewed and reflected upon during therapy sessions
Creates thinking space
Transcript available for download for review between sessions
Patients who benefit
Busy people who need appointments outside working hours or to fit in with a busy schedule
Parents and carers who can’t organise cover to attend meetings
Non-English speakers & ethnic minorities
People with disabilities
Patients in remote areas
Social anxiety or stigma
The Therapist Family
• In house service therapists
• PsychologyOnline Clinical Affiliates
– >100 BABCP Accredited CBT Therapists and Chartered
– Rigorous selection and governance process
• CRB, qualifications, accreditations, references
Supervision to IAPT standards
Varied specialisms
Multiple languages
Available out-of-hours at no extra cost
The User Interface
Web interface
Unique web address for each service
Content, colour scheme and general contact
information customised for each service
– Looks and feels like a service website
Patient Portal
– Online completion of outcome questionnaires
• PHQ, GAD etc
– Outcomes scores viewable as graphs in patient login area
– Secure asynchronous messaging between patient and therapist between
• Tasks can be sent as attachments
– Set and manage goals
– Can be used with any form of therapy – online, face-to-face, telephone
IT Architecture, Security and
Information Governance
PsychologyOnline Architecture
PsychologyOnline (POL) delivers Cognitive Behaviour Therapy (CBT) to patients
remotely over a web connection in a secure and confidential manner. The system is
a web-based application that clients and therapists can access from their own
computers. Users access the system through a web interface using their registered
user name and password.
Once logged in, clients can book appointments, complete questionnaires and send
messages asynchronously to their therapists. When they book appointments, both
therapists and clients are notified by email.
Online therapy takes place using a text-based chat system that allows clients and
therapists to converse in real time.
The POL system is structured using a typical n-tier architecture (see diagram), with the
following layers:
Database: MS SQL Server
Business Logic: C# on .NET framework
Presentation: ASP.NET MVC
The PsychologyOnline system is currently hosted by Norfolk and Suffolk NHS
Foundation Trust.
The application and database are hosted on separate servers, which provides
additional security for the database. The database server is only accessible from the
application server.
Hosting the system on the NHS network ensures that PsychologyOnline fully
complies with the NHS Information Governance toolkit.
All data collected (patient, psychologist and transcript data) is stored on a
database hosted within Norfolk and Suffolk NHS Foundation Trust.
• The live application and database are hosted on an NHS server that is housed in a secure
environment and has full business continuity contingency.
Security is paramount to PsychologyOnline. The system has been designed and
developed to ensure it is protected against common security attacks, using
the OWASP (Open Web Application Security Project) guidelines.
PsychologyOnline Patient Data Security Capability
The PsychologyOnline managed service is a comprehensive solution that provides a scalable, flexible & secure IT Hosting & Application
Managed Service.
All patients’ identifiable information and communications are encrypted using the industry standard AES
256 algorithm. AES has been adopted by the U.S. government and is now used worldwide notably by all
major banking groups to protect customer data. This method provides protection even in the event that
an attacker gains unauthorised access to the database itself.
Patient Data
The system makes use of the one-way hash function SHA-256 with the addition of a salt value to
mitigate the risk of attacks that rely on precomputed hash and rainbow tables.
For applications processing sensitive information, it is important to ensure that all information is
encrypted in transit. The application makes use of the 256-bit SSL encryption mechanism and is
configured to ensure that patient data is always encrypted in transit between the user’s browser and the
Currently the application does not share Patient data with any other applications.
Registration Security
It is important that NHS providers control who accesses the online therapy system. For this purpose the system has
been designed so that NHS users require two-factor authentication to be able to register for online therapy. NHS
patients first need to register with their provider. They are then sent an email with a link to the activation page.
Once they click the link, patients are sent an activation code to their mobile that they require to activate their
General Application Security Features
The application provides protection against SQL Injection attacks by ensuring that all user input is treated as
data and cannot alter the execution of the query.
The application provides protection against Cross-Site Scripting (XSS) attacks. This is accomplished by
encoding all user input sent back to the web browser by default, and is effective against most forms of XSS
User sessions are terminated after a certain period of inactivity to reduce the risk of unauthorised access to
data from an unattended computer.
A common issue with web application security is users choosing weak, guessable passwords. The
application enforces a password quality requirement on all users, ensuring that passwords are at least 8
characters in length and contain at least one non-letter.
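The salted hashing, injection-safe query handling and password quality rule described above, combined into one registration and login path as an added Python example (not PsychologyOnline's own C# code). It assumes the salted SHA-256 is applied to passwords and uses an in-memory SQLite table in place of MS SQL Server; all function names and sample values are constructed. It follows the page's single salted SHA-256 rather than a slower key-derivation function such as PBKDF2.

```python
import hashlib
import hmac
import secrets
import sqlite3

MIN_LENGTH = 8  # page's rule: at least 8 characters

def password_ok(password):
    """Page's quality rule: minimum length plus at least one non-letter."""
    return len(password) >= MIN_LENGTH and any(not c.isalpha() for c in password)

def hash_password(password, salt):
    """Salted SHA-256; a per-user salt makes precomputed tables useless."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the real database (assumption)
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db, name, password):
    if not password_ok(password):
        return False
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    db.execute("INSERT INTO users VALUES (?, ?, ?)",  # placeholders: input stays data
               (name, salt, hash_password(password, salt)))
    return True

def login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))  # constant-time

def demo():
    db = open_db()
    hostile = "x'); DROP TABLE users;--"  # constructed input containing SQL syntax
    return {
        "weak_rejected": not register(db, "alice", "password"),  # no non-letter
        "registered": register(db, "alice", "correct-horse1"),
        "login_ok": login(db, "alice", "correct-horse1"),
        "wrong_pw": login(db, "alice", "wrong-pass1"),
        "hostile_stored": register(db, hostile, "s3ssion-pw"),  # kept as a literal name
        "or_bypass": login(db, "alice' OR '1'='1", "anything1"),
        "user_count": db.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }

if __name__ == "__main__":
    print(demo())
```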
PsychologyOnline Information
Governance and Data Confidentiality
PsychologyOnline operates strict Information Governance and is
audited to IG Toolkit Level 2
Information Governance Policy
This policy sets out the procedures, management accountability, and
structures, which have been put in place by PsychologyOnline to align with
the Information Governance Agenda and safeguard the movement of
personal data within PsychologyOnline information technology
Underpinning Policies and Procedures
The following procedures have been put in place to support the high
quality information governance within PsychologyOnline, and the sharing
of this information with other organisations:
Information Security (Sets out how we protect the company’s
information assets from unauthorised access and loss of integrity
and accessibility)
Confidentiality and Data Protection (sets out the standards
expected of staff in maintaining the confidentiality of patient
Corporate Governance Policy (Sets out the procedures for the
company to respond to Freedom of Information requests);
Information Lifecycle Management (Sets out how the company
creates, manages, updates and disposes records of its service users.
The policy also guides the company in maintaining the highest
quality of the information in terms of completeness, accuracy,
relevance and accessibility).
Staff Duties and Responsibilities
All staff, whether permanent, temporary or contracted are
responsible for ensuring that they remain aware of the
requirements incumbent upon them for ensuring compliance on a
day to day basis. This includes maintaining confidentiality of data,
ensuring secure storage of data and being aware of situations
where disclosure may be required or may not be required.
We are an Equal Opportunities Employer
Data Confidentiality Policy
This policy describes PsychologyOnline policy on Confidentiality and
Data Protection, and employees’ responsibilities for the
safeguarding of confidential information held both manually (non-computer in a structured filing system) and on computers.
This Policy will be communicated to all employees. All users must
confirm in writing that they have read and understood these
documents. This Policy will be published to employees through the
intranet and a hard copy will be available at PsychologyOnline
This policy applies to all directly (and indirectly) employed staff and
other persons working for PsychologyOnline.
All staff and contractors have a personal duty of confidence to
patients and to PsychologyOnline.
The purposes of the Personal Information Handling Policy are:
To promote the effective, consistent, and legal, processing of data
by defining a Data Protection policy
To ensure all employees are aware of their responsibilities in
relation to the processing of personal data and to the law
surrounding its use
To ensure all employees are aware of the consequences of the
misuse or abuse of personal data
To establish and maintain trust and confidence in
PsychologyOnline’s ability to process personal data
To ensure compliance with legislation, guidance and standards relating to the
handling of personal data
Dr Michael Reilly
Business Development Director
00 44 (0) 7876593434
The Grange
Market Street
Cambridge CB24 4QG