PsychologyOnline

PsychologyOnline uses secure instant messaging to provide live, accessible and confidential cognitive behavioural therapy over the internet.

PsychologyOnline.co.uk

CBT with a live therapist delivered remotely over the internet

• Live one-to-one therapy using instant messaging-based text communication
• Private, discreet therapy in a secure online meeting room
• No travel or room booking – patients/users can attend therapy from a convenient location, such as home
• Available evenings and weekends at no extra cost
• Relative anonymity reduces stigma and promotes disclosure

PsychologyOnline – growing and adding value in mental health therapy

2014, 2013
• Full operational launch
• Product development
• Investment
• Pilots
2013, 2012, 2011
NHS Surrey Pilot and AQP status
Talking Therapies Pilot
Investment round
2009, 2008
Patient Trials – Bristol and London
Clinical Validation - Lancet
2001
Founded

Clinical Validity and Governance

Summary of PsychologyOnline Clinical Validity data & Governance

Proven effective by peer-reviewed research

Accessibility

• 297 depressed patients allocated to receive on-line CBT or standard care
• At 4 months 38% recovery (BDI<10) in intervention group vs 24% in control group
• Effect maintained at eight months – 42% vs 26%
• Median of six sessions needed for benefit
• Severely depressed benefited most
• Many patients found it easier to talk when not face-to-face with a therapist

Care pathway

• Focus on individual cases
• One therapist throughout
• GP communication at all stages

Referral
GP or self referral

Assessment
Step chosen based on assessment tools and professional opinion
questions + 30 min appt

Step 2: structured programme
- 30 min sessions
- Goal setting
- Homework

Step 3: semi-structured programme
- Mainly 60 min sessions (some 30 min)
- Goal setting
- Homework

Step 3+: individual-focussed intervention
- 60 min sessions
- Goal setting
- Homework

Step 2: mild-moderate
Step 3: moderate-severe
Step 3+: severe
Step up possible
Same therapist retained

The Patient Experience – Flexible Accessibility

• Therapy relationship enhanced rather than hindered by lack of body language or eye contact
  – Relative anonymity reduces inhibition
  – Reduced pressure allows patient to take time to formulate responses
  – Solipsistic introjection
• Text communication supports therapy
  – Forces order and logic into communication
  – Documents a narrative that can be reviewed and reflected upon during therapy sessions
  – Creates thinking space
  – Transcript available for download for review between sessions

Patients who benefit

• Busy people who need appointments outside working hours or to fit in with a busy schedule
• Parents and carers who can’t organise cover to attend meetings
• Non-English speakers & ethnic minorities
• People with disabilities
• Patients in remote areas
• Social anxiety or stigma

The Therapist Family

• In house service therapists or
• PsychologyOnline Clinical Affiliates
  – >100 BABCP Accredited CBT Therapists and Chartered Psychologists
  – Rigorous selection and governance process
    • CRB, qualifications, accreditations, references
  – Supervision to IAPT standards
  – Varied specialisms
  – Multiple languages
  – Available out-of-hours at no extra cost

The User Interface

Web interface

• Unique web address for each service
• Content, colour scheme and general contact information customised for each service
  – Looks and feels like a service website
• Patient Portal
  – Online completion of outcome questionnaires
    • PHQ, GAD etc
  – Outcomes scores viewable as graphs in patient login area
  – Secure asynchronous messaging between patient and therapist between sessions
    • Tasks can be sent as attachments
  – Set and manage goals
  – Can be used with any form of therapy – online, face-to-face, telephone

IT Architecture, Security and Information Governance

PsychologyOnline Architecture

• PsychologyOnline (POL) delivers Cognitive Behaviour Therapy (CBT) to patients remotely over a web connection in a secure and confidential manner. The system is a web-based application that clients and therapists can access from their own computers. Users access the system through a web interface using their registered user name and password.
• Once logged in, clients can book appointments, complete questionnaires and send messages asynchronously to their therapists. When they book appointments, both therapists and clients are notified by email.
• Online therapy takes place using a text-based chat system that allows clients and therapists to converse in real time.

ARCHITECTURE

The POL system is structured using a typical n-tier architecture (see diagram), with the following layers:
• Database: MS SQL Server
• Business Logic: C# on .NET framework
• Presentation: ASP.NET MVC

HOSTING

• The PsychologyOnline system is currently hosted by Norfolk and Suffolk NHS Foundation Trust.
• The application and database are hosted on separate servers, which provides additional security for the database. The database server is only accessible from the application server.
• Hosting the system on the NHS network ensures that PsychologyOnline fully complies with the NHS Information Governance toolkit.
• All the data collected, i.e. patient, psychologist and transcript data, are stored on a database hosted within Norfolk and Suffolk NHS Foundation Trust.

BACK UP AND SECURITY

• The live application and database are hosted on an NHS server that is housed in a secure environment and has full business continuity contingency.
• Security is paramount to PsychologyOnline.
  The system has been designed and developed to ensure it is protected against common security attacks, using the OWASP (Open Web Application Security Project) guidelines.
• https://www.owasp.org/

PsychologyOnline Patient Data Security Capability

The PsychologyOnline managed service is a comprehensive solution that provides a scalable, flexible & secure IT Hosting & Application Managed Service.

All patients’ identifiable information and communications are encrypted using the industry standard AES 256 algorithm. AES has been adopted by the U.S. government and is now used worldwide, notably by all major banking groups, to protect customer data. This method provides protection even in the event that an attacker gains unauthorised access to the database itself.

Patient Data Protection

The system makes use of the one-way hashing algorithm SHA-256 with the addition of a salt value to mitigate the risks of attacks such as hash-table and rainbow-table lookups.

For applications processing sensitive information, it is important to ensure that all information is encrypted in transit. The application makes use of the 256-bit SSL encryption mechanism and is configured to ensure that patient data is always encrypted in transit between the user’s browser and the application.

Currently the application does not share patient data with any other applications.

Registration Security Features

It is important that NHS providers control who accesses the online therapy system. For this purpose the system has been designed so that NHS users require two-factor authentication to be able to register for online therapy. NHS patients first need to register with their provider. They are then sent an email with a link to the activation page. Once they click the link, patients are sent an activation code to their mobile, which they need to activate their account.

General Application Security Features

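The salted SHA-256 scheme and the password quality rule described in this deck, sketched in Python as an added example; this is not PsychologyOnline's code. The deck does not say what the hash is applied to, so the example assumes passwords; the salt size, the salt-then-password layout, the PBKDF2 variant and all function names are also assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MIN_LENGTH = 8            # from the slide: at least 8 characters
SALT_BYTES = 16           # assumption: random per-user salt size
PBKDF2_ROUNDS = 600_000   # assumption: work factor for the slower variant


def meets_password_policy(password: str) -> bool:
    """Slide rule: at least 8 characters and at least one non-letter."""
    return len(password) >= MIN_LENGTH and any(not c.isalpha() for c in password)


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Scheme named on the slide: one SHA-256 pass over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def stretched(password: str, salt: bytes) -> bytes:
    """Same salt and hash, iterated via PBKDF2 so each guess costs more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, kdf=salted_sha256) -> Tuple[bytes, bytes]:
    """Return the (salt, digest) pair to store; the plaintext is not kept."""
    if not meets_password_policy(password):
        raise ValueError("password fails the quality requirement")
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, kdf(password, salt)


def verify(password: str, salt: bytes, stored: bytes, kdf=salted_sha256) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf(password, salt), stored)


def table_lookup(digest: bytes, table: dict) -> Optional[str]:
    """What a precomputed-table attack does: a direct lookup of the digest."""
    return table.get(digest)


# Constructed sample: a tiny precomputed table of *unsalted* SHA-256 digests.
TABLE = {salted_sha256(p, b""): p for p in ("Winter2014!", "passw0rd1")}
```

A per-user salt makes the precomputed table useless, but a single SHA-256 pass is still cheap to guess against once a digest leaks, which is what the `stretched` variant addresses.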
The application provides protection against SQL Injection attacks by ensuring that all user input is treated strictly as data and cannot disrupt the execution of the query.

The application provides protection against Cross-Site Scripting (XSS) attacks. This is accomplished by encoding all user input sent back to the web browser by default, and is effective against most forms of XSS attacks.

User sessions are terminated after a certain period of inactivity to reduce the risk of unauthorised access to data from an unattended computer.

A common issue with web application security is users making use of weak, guessable passwords. The application enforces a password quality requirement on all users, ensuring that passwords are at least 8 characters in length and contain at least one non-letter.

PsychologyOnline Information Governance and Data Confidentiality Policies

PsychologyOnline operates strict Information Governance and is audited to IG Toolkit Level 2

Information Governance Policy

This policy sets out the procedures, management accountability and structures which have been put in place by PsychologyOnline to align with the Information Governance Agenda and safeguard the movement of personal data within PsychologyOnline’s information technology infrastructure.

Underpinning Policies and Procedures

The following procedures have been put in place to support high-quality information governance within PsychologyOnline, and the sharing of this information with other organisations:
• Information Security (sets out how we protect the company’s information assets from unauthorised access and loss of integrity and accessibility);
• Confidentiality and Data Protection (sets out the standards expected of staff in maintaining the confidentiality of patient information);
• Corporate Governance Policy (sets out the procedures for the company to respond to Freedom of Information requests);
• Information Lifecycle Management (sets out how the company creates, manages, updates and disposes of records of its service users. The policy also guides the company in maintaining the highest quality of the information in terms of completeness, accuracy, relevance and accessibility).

Staff Duties and Responsibilities

• All staff, whether permanent, temporary or contracted, are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis. This includes maintaining confidentiality of data, ensuring secure storage of data and being aware of situations where disclosure may be required or may not be required.

We are an Equal Opportunities Employer

Data Confidentiality Policy

• This policy describes PsychologyOnline’s policy on Confidentiality and Data Protection, and employees’ responsibilities for the safeguarding of confidential information held both manually (non-computer, in a structured filing system) and on computers.
• This Policy will be communicated to all employees.
• All users must confirm in writing that they have read and understood these documents.
• This Policy will be published to employees through the intranet and a hard copy will be available at the PsychologyOnline Office.

This policy applies to all directly (and indirectly) employed staff and other persons working for PsychologyOnline. All staff and contractors have a personal duty of confidence to patients and to PsychologyOnline.

The purposes of the Personal Information Handling Policy are:
• To promote the effective, consistent, and legal, processing of data by defining a Data Protection policy
• To ensure all employees are aware of their responsibilities in relation to the processing of personal data and to the law surrounding its use
• To ensure all employees are aware of the consequences of the misuse or abuse of personal data
• To establish and maintain trust and confidence in PsychologyOnline’s ability to process personal data
• To ensure compliance with legislation, guidance and standards relating to the handling of personal data

Contact

Dr Michael Reilly
Business Development Director
m.reilly@psychologyonline.co.uk
00 44 (0) 7876593434

PsychologyOnline
The Grange
Market Street
Swavesey
Cambridge CB24 4QG