How Headspace Health created a culture of cyber awareness

Headspace Health is on a mission to change the way the world thinks about mental health. But to protect users’ data, innovative solutions are needed

Headspace Health is changing the way the world thinks about mental healthcare, delivering beloved meditation and mindfulness exercises and one-on-one care anytime, anywhere.

In 2021, Headspace and Ginger joined forces to form Headspace Health, the world's most comprehensive and accessible mental healthcare platform. In the midst of a growing mental health crisis, Headspace Health set out to democratise mental healthcare so people everywhere could get the care they need when they need it. Today, Headspace Health touches nearly 100m lives worldwide through its brands Headspace, Ginger, and Headspace for Work. 

Puneet Thapliyal is the Chief Information Security Officer at Headspace Health. He joined the company in 2016, when it was a Silicon Valley startup with zero revenue and zero customers; Headspace Health is now a company of more than 1,100 people, with revenue of hundreds of millions of dollars. 

“It's been an incredible journey and a great opportunity, and I feel lucky to be part of this journey,” he says. “Prior to starting at Headspace Health, I was CEO of my own security product company called Trusted Passage. I wanted to be part of a company that has a large impact on the world, and I got introduced to Ginger in 2016. 

“When I talked to the founding team, I was very impressed by the vision they had of solving mental healthcare for the whole world. I wanted to be part of the journey, and that was how I got into digital healthcare,” adds Thapliyal. “The company itself was building a tele-mental healthcare platform, which just five or six years ago was unheard of. I wanted to contribute as much as possible to make it a reality and, fast forward to today, it's a very mainstream offering.”

On a mission to solve mental healthcare for everybody in the world, Headspace Health offers a whole spectrum of services, from mindfulness tools to CBT, coaching, therapy, and psychiatry. The service starts with the mobile app, which helps users meditate and build good daily habits around sleep and breathing. 

“That is a consumer offering, so anyone could go to the app store and download and start using that and help themselves get better,” Thapliyal comments. “Beyond that, if you need a little bit more help, then you are able to talk to a life coach, through text and video, for your subclinical needs.

“If you have a certain situation where you need clinical help, then you are able to elevate the service level to clinical where you can now schedule time with a therapist or psychiatrist, get medication, or whatever it takes to get you into a better state from a mental healthcare standpoint,” he explains. “That's the vision of the company: to focus on outcomes and to make sure anyone who comes and uses our service is able to get better from a mental healthcare standpoint.”

Helping remove the mental health stigma

Millions of people worldwide are living with a mental health condition, and the COVID-19 pandemic made matters worse: a study by the Kaiser Family Foundation found that nearly half of adults in the United States reported symptoms of depression or anxiety during the lockdowns that followed.

According to Headspace Health, mindfulness and meditation can positively impact mental and physical health, whether by reducing stress, improving sleep, increasing focus, or improving relationships.

“Our core mission is to build a service where mental healthcare is easily accessible to everybody in the world. We want to see a world where mental health is never an obstacle for anyone,” Thapliyal says.

Building this world is a huge challenge. According to a recent World Health Organisation study, about one in eight people, a billion people worldwide, suffer from some kind of mental health disorder. Of those, Thapliyal notes, about 75% never get any help for their mental health. 

“That's a huge number, which has been exacerbated by the COVID-19 situation and the lockdowns,” he adds. “So, the core mission is to get our care services available to as many people in the world as quickly as possible, so that we can build a happier, healthier world.”

By making services available to more people, organisations such as Headspace Health are helping dispel stigmas associated with mental health. Figures by the National Attitudes to Mental Illness Survey show that people’s willingness to have contact with someone with a mental health problem has improved by 11% since 2009, while attitudes towards people with mental health problems improved by 9.6% in the same period.

“The fact that we've been able to contribute a little bit towards removing the stigma or taboo associated with mental healthcare, by bringing this very accessible platform and the service that we have, is a proud moment for me,” explains Thapliyal. “We've been able to actually move the needle in the last several years, and a whole team has been part of that, the founding team of the company, the executive leadership team and everybody else in the company who has joined the company with this mission in mind.”

The importance of cybersecurity and data privacy

While cybersecurity is important for every company in the world today, it is even more important in the healthcare industry. Technology has transformed modern healthcare, but it has also drawn bad actors, and virtual mental health services carry risks of their own.

“Healthcare is one of those industries where cybersecurity and data security are extremely important,” comments Thapliyal. “We are seeing an uptick in malicious activity in the healthcare industry. For example, the healthcare industry is being targeted by ransomware more than any other industry.

“On top of that, we are a single-purpose mental healthcare service provider, and in many of the regulations, including the Health Insurance Portability and Accountability Act (HIPAA) in the US, mental healthcare data is called out separately, from a security and privacy standpoint.

“We are highly aware of that, and we feel like that's a huge responsibility,” he explains. “The company has always had an extremely strategic focus on cybersecurity from the very beginning. We have built a very mature programme, and now we are morphing it from just purely cybersecurity to a very privacy-focused programme as well.”

As Thapliyal explains, part of Headspace Health’s success from a cybersecurity standpoint is the creation of a culture where everyone is aware of the importance of security and privacy.

“Unlike many other companies and industries, mental healthcare is one of those domains where privacy is super important for everybody, including our patients, user members, and our clinicians and coaches. Everybody in the company is highly aware and sensitive about preserving privacy,” he describes. 

“The whole cybersecurity industry is still learning how to build that culture of security, which permeates through the whole organisation and is not just limited to the InfoSec teams or the IT teams or engineering teams. It's a challenge, and it requires a thoughtful approach. When we onboard a brand new employee, for example, we focus on cybersecurity from day one. That's where the journey starts for a new employee, and then it has to continue throughout their time at the company.”

But, as Thapliyal explains, relying on training alone isn’t enough. Highly compliance-driven training can quickly become repetitive, so keeping everyone engaged is critical. 

“We have a strategic plan in the InfoSec team to drive engagement within the company to spread awareness of cybersecurity,” he adds. “These are from the small little things, from having a shared Slack channel, which we fondly call the ‘tinfoil hats channel’, where everyone is able to voice cybersecurity or privacy concerns, to more mature programmes such as our Security Insiders Programme, which involves deeper engagement, where every department volunteers a couple of team members to engage with the InfoSec team.”

All of this is about instilling a culture of cybersecurity awareness at all levels of the organisation, Thapliyal comments.

“We have now built out a programme where we depend on some of these security insiders to fulfil InfoSec requirements and instil this culture of cybersecurity awareness in their respective teams,” he says. “Those are initiatives where we need to be focused, we need to put the right resources, we need to fund it, and that's how we've been able to achieve this sense of heightened awareness around cybersecurity in the company.”

Extra focus on third-party risk

Healthcare providers, along with businesses around the world, are increasingly relying on third-party vendors to carry out their day-to-day operations. But while working with vendors has a range of benefits, the practice can also introduce information security and vendor compliance risks. 

Research by the Ponemon Institute has found that 54% of third-party respondents had at least one data breach involving protected health information (PHI) over the last two years, while 41% of third-party respondents had six or more data breaches during the same two-year time frame.

“Our third-party ecosystem is extremely important,” comments Thapliyal. “We are in a new world. We call our company a SaaS-first company, meaning given a business challenge, we first go and look for a SaaS service provider that can help solve that.

“This is very different from how traditional healthcare companies operate, where they run their own data centres and maintain their own networks,” he explains. “Since we are operating in SaaS-first principles, that – by the very nature of it – means we are dealing with a lot of third parties. As a result, dealing with all these vendors and third parties requires us to put extra focus on third-party risk management (TPRM).

“We have a team which is helping in our third-party assessments on a continuous basis, not just at the beginning of the contract,” he adds. “We have deployed tools to help with that, making sure our TPRM team is well-equipped to perform the access reviews at scale. And then we also categorise our vendors by the sensitivity of what data we might be transacting with them. So we have an extra special focus on any vendor that might transact with our PHI or personal identifying information (PII).”

TPRM is an important part of Headspace Health’s operations, and the business continues to improve its processes through technology investments.

“One such vendor we recently onboarded is called Privado,” says Thapliyal. “They are really helping us with maturing our secure software development lifecycle (SSDLC) and making sure we are not, for example, unnecessarily tracking users on our websites or on our mobile apps, and that we're not sending any PII or PHI to unapproved third parties.

“There has recently been a lot of focus in the media on apps that are doing nefarious things. We don't want to be in that business at all – that's not where we are. But we need to still build the tools to prevent any accidental sharing or tracking. So that's where Privado comes in as a big partner, for us, structurally built into our SSDLC, and we're very excited about how our partnership will shape up in the future.”
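The two ideas above, a vendor register tiered by the sensitivity of data each vendor is approved to receive, and an SSDLC check that catches code sending PII or PHI to a host outside that register, can be combined into a single static check that runs in CI. The following is an added illustration written for this article; it is not Privado’s product, nor Headspace Health’s code. It walks a Python module’s AST, finds `requests.<method>(...)` calls whose URL is a string literal and whose `json=`/`data=` payload is a dict literal, classifies the payload keys, and compares each key’s tier against the destination host’s approved tier. The hostnames, field lists, tiers and the sample module it scans are all constructed for the example.

```python
"""Static SSDLC check: flag outbound HTTP calls that would send PII/PHI to a host
not approved for that data tier. Added example; not Privado's or Headspace Health's code."""
import ast
from urllib.parse import urlparse

# Hypothetical vendor register: hostname -> highest data tier the vendor has been
# approved to receive (0 = no personal data, 1 = PII, 2 = PHI). Names are constructed.
VENDOR_TIER = {
    "api.ehr-vendor.example": 2,
    "mail.crm.example": 1,
    "telemetry.analytics.example": 0,
}

# Field names treated as PHI or PII for the example. A real deployment would derive
# these from the organisation's data-classification policy, not a hard-coded set.
PHI_FIELDS = {"diagnosis", "medication", "therapy_notes", "phq9_score"}
PII_FIELDS = {"email", "phone", "full_name", "date_of_birth"}

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def field_tier(name: str) -> int:
    """Classify a payload key by the most sensitive category it falls into."""
    key = name.lower()
    if key in PHI_FIELDS:
        return 2
    if key in PII_FIELDS:
        return 1
    return 0


def _is_requests_call(node: ast.Call) -> bool:
    """Match calls of the form requests.<method>(...)."""
    f = node.func
    return (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "requests" and f.attr in HTTP_METHODS)


def _literal_host(node: ast.Call):
    """Return the hostname if the URL argument is a string literal, else None."""
    if node.args and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
        return urlparse(node.args[0].value).hostname
    return None


def _payload_fields(node: ast.Call) -> set:
    """Collect string keys of dict literals passed as json= or data=."""
    fields = set()
    for kw in node.keywords:
        if kw.arg in ("json", "data") and isinstance(kw.value, ast.Dict):
            for key in kw.value.keys:  # key is None for **unpacking; skipped
                if isinstance(key, ast.Constant) and isinstance(key.value, str):
                    fields.add(key.value)
    return fields


def find_violations(source: str) -> list:
    """Return (line, host, field, reason) tuples for calls that would send a field
    to a destination not approved for that field's tier."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_requests_call(node)):
            continue
        host = _literal_host(node)
        fields = _payload_fields(node)
        if host is None:
            # URL built at runtime: the destination cannot be proven, so any sensitive
            # field is surfaced for review instead of being silently passed.
            for f in sorted(x for x in fields if field_tier(x) > 0):
                findings.append((node.lineno, None, f, "destination not statically known"))
        elif host not in VENDOR_TIER:
            # Unregistered vendor: flag regardless of payload, TPRM has not assessed it.
            findings.append((node.lineno, host, None, "host not in vendor register"))
        else:
            for f in sorted(fields):
                if field_tier(f) > VENDOR_TIER[host]:
                    findings.append((node.lineno, host, f, "field exceeds vendor's approved tier"))
    return findings


# Constructed sample module to scan; the member attributes are placeholders.
SAMPLE_SOURCE = '''
import requests

def sync_record(member):
    requests.post("https://api.ehr-vendor.example/v1/records",
                  json={"full_name": member.name, "diagnosis": member.dx})

def track_event(member):
    requests.post("https://telemetry.analytics.example/collect",
                  json={"event": "session_start", "email": member.email})

def send_welcome(member):
    requests.post("https://mail.crm.example/send",
                  json={"email": member.email, "therapy_notes": member.notes})

def beta_upload(member, url):
    requests.put("https://new-vendor.example/upload", data={"phq9_score": member.phq9})
    requests.post(url, json={"date_of_birth": member.dob})
'''

if __name__ == "__main__":
    for line, host, field, reason in find_violations(SAMPLE_SOURCE):
        print(f"line {line}: host={host} field={field}: {reason}")
```

Run against the sample, the check passes the EHR vendor (approved for PHI), and reports the analytics endpoint receiving an email address, the CRM endpoint receiving therapy notes, the unregistered host, and the runtime-built URL carrying a date of birth. The check is deliberately conservative: an unresolvable destination is a finding, not a pass, because the point of wiring this into the SSDLC is to make accidental sharing fail loudly before release.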

Looking at the big picture in challenging economic times

Since tech startup Ginger and Headspace merged in 2021, there has been what Headspace Health CEO Russell Glass described as a ‘staggering’ increase in demand. Ginger reported demand for its services increased threefold during the pandemic. But what does the future look like for Headspace Health?

“To answer that, we have to take a step back and look at the big picture, what's happening in the industry today,” comments Thapliyal. “There are a lot of macroeconomic factors in play, within the US and other parts of the world. There is constant chatter around a slowdown in the economy and a recession, and then most recently in the US, we have seen companies take corrective actions to right-size their companies. A lot of layoffs have been announced by the likes of Facebook and Twitter and all the large companies. 

“The general sense is that tough times are coming and we need to hunker down and prepare for that, and whoever does a better job in preparing for that will come out as a successful company on the other side.”

Whatever the economic environment, what is clear is that the priority remains the health and wellbeing of Headspace Health’s users.

“Given that broader context, our board and our executive team have given the directions to be very mindful,” Thapliyal explains. “We are trying to take this as an opportunity to refocus on doing less and doing better. So that's how we are changing our strategy as we go into 2023. 

“What that means to the company as a whole is that we will continue to get better and offer more features and more services in the coming years,” he concludes. “The focus will be on what we call members first, meaning anything that we do should ultimately benefit our patients.”
