6 minute read
EXECUTIVE BIO
Puneet earned an undergraduate degree in Computer Science from HBTI, Kanpur and a masters degree in Computer Science from Rensselaer (RPI), NY.
“That's a huge number, which has been exacerbated by the COVID-19 situation and the lockdowns,” he adds. “So, the core mission is to get our care services available to as many people in the world as quickly as possible, so that we can build a happier, healthier world.”
By making services available to more people, organisations such as Headspace Health are helping dispel stigmas associated with mental health. Figures by the National Attitudes to Mental Illness Survey show that people’s willingness to have contact with someone with a mental health problem has improved by 11% since 2009, while attitudes towards people with mental health problems improved by 9.6% in the same period.
“The fact that we've been able to contribute a little bit towards removing the stigma or taboo associated with mental healthcare, by bringing this very accessible platform and the service that we have, is a proud moment for me,” explains Thapliyal. “We've been able to actually move the needle in the last several years, and a whole team has been part of that, the founding team of the company, the executive leadership team and everybody else in the company who has joined the company with this mission in mind.”
The importance of cybersecurity and data privacy
While cybersecurity is important for every company in the world today, it is even more important in the healthcare industry. Technology has transformed modern healthcare but bad actors mean that there are unique risks when it comes to virtual mental health services.
“Healthcare is one of those industries where cybersecurity and data security are extremely important,” comments Thapliyal.
in the healthcare industry. For example, the healthcare industry is being targeted by ransomware more than any other industry.
“On top of that, we are a single-purpose mental healthcare service provider, and in many of the regulations, including the Health Insurance Portability and Accountability Act (HIPAA) in the US, mental healthcare data is called out separately, from a security and privacy standpoint.
“We are highly aware of that, and we feel like that's a huge responsibility,” he explains.
“The company has always had an extremely strategic focus on cybersecurity from the very beginning. We have built a very mature programme, and now we are morphing it from just purely cybersecurity to a very privacy-focused programme as well.”
As Thapliyal explains, part of Headspace Health’s success from a cybersecurity standpoint is the creation of a culture where everyone is aware of the importance of security and privacy.
“Unlike many other companies and industries, mental healthcare is one of those domains where privacy is super important for everybody, including our patients, user members, and our clinicians and coaches. Everybody in the company is highly aware and sensitive about preserving privacy,” he describes.
“The whole cybersecurity industry is still learning how to build that culture of security, which permeates through the whole organisation and is not just limited to the InfoSec teams or the IT teams or engineering teams. It's a challenge, and it requires a thoughtful approach. When we onboard a brand new employee, for example, we focus on cybersecurity from day one. That's where the journey starts for a new employee, and then it has to continue throughout their time at the company.”
But, as Thapliyal explains, relying on training alone isn’t enough. Highly compliance-driven training can quickly become repetitive, so keeping everyone engaged is critical.
“We have a strategic plan in the InfoSec team to drive engagement within the company to spread awareness of cybersecurity,” he adds. “These are from the small little things, from having a shared Slack channel, which we fondly call the ‘tinfoil hats channel’, where everyone is able to voice cybersecurity or privacy concerns, to more mature programmes such as our Security Insiders Programme, which involves deeper engagement, where every department volunteers a couple of team members to engage with the InfoSec team.”
All of this is about instilling a culture of cybersecurity awareness at all levels of the organisation, Thapliyal comments.
“We have now built out a programme where we depend on some of these security insiders to fulfil InfoSec requirements and instil this culture of cybersecurity awareness in their respective teams,” he says. “Those are initiatives where we need to be focused, we need to put the right resources, we need to fund it, and that's how we've been able to achieve this sense of heightened awareness around cybersecurity in the company.”
According to research by Headspace Health, 32% of users benefit from a decrease in stress after 30 days of using the service. Meanwhile 22% of users show an increase in focus after one session, while 19% benefit from a decrease in anxiety symptoms after eight weeks.
Extra focus on third-party risk
Healthcare providers, along with businesses around the world, are increasingly relying on third-party vendors to carry out their dayto-day operations. But while working with vendors has a range of benefits, the practice can also introduce information security and vendor compliance risks.
Research by the Ponemon Institute has found that 54% of third-party respondents had at least one data breach involving protected health information (PHI) over the last two years, while 41% of third-party respondents had six or more data breaches during the same two-year time frame.
“Our third-party ecosystem is extremely important,” comments Thapliyal. “We are in a new world. We call our company a SaaS-first company, meaning given a problem business challenge, we first go and look for a SaaS service provider that can help solve that.
“This is very different from how traditional healthcare companies operate, where they run their own data centres and maintain their own networks,” he explains. “Since we are operating in SaaS-first principles, that – by the very nature of it – means we are dealing with a lot of third parties. As a result, dealing with all these vendors and third parties requires us to put extra focus on third-party risk management (TPRM).
“We have a team which is helping in our third-party assessments on a continuous basis, not just at the beginning of the contract,” he adds. “We have deployed tools to help with that, making sure our TPRM team is well-equipped to perform the access reviews at scale. And then we also categorise our vendors to the sensitivity of what data we might be transacting with them. So we have an extra special focus on any vendor that might transact with our PHI or personal identifying information (PII).”
An important part of Headspace’s operations, the business is continuing to improve its TPRM processes through technology investments.
“One such vendor we recently onboarded is called Privado,” says Thapliyal. “They are really helping us with maturing our secure software development lifecycle (SSDLC) and making sure we are not, for example, unnecessarily tracking users on our websites or on our mobile apps, and that we're not sending any PII or PHI to unapproved third parties.
“There has recently been a lot of focus in the media on apps that are doing nefarious things. We don't want to be in that business at all – that's not where we are. But we need to still build the tools to prevent any accidental sharing or tracking. So that's where Privado comes in as a big partner, for us, structurally built into our SSDLC, and we're very excited about how our partnership will shape up in the future.”
Looking at the big picture in challenging economic times
Since tech startup Ginger and Headspace merged in 2021, there has been what Headspace Health CEO Russell Glass described as a ‘staggering’ increase in demand. Ginger reported demand for its services increased threefold during the pandemic. But what does the future look like for Headspace Health?
“To answer that, we have to take a step back and look at the big picture, what's happening in the industry today,” comments Thapliyal. “There are a lot of macroeconomic factors in play, within the US and other parts of the world. There is constant chatter around a slowdown in the economy and a recession, and then most recently in the US, we have seen companies take corrective actions to right-size their companies. A lot of layoffs have been announced by the likes of Facebook and Twitter and all the large companies.
“The general sense is that tough times are coming and we need to hunker down and prepare for that, and whoever does a better job in preparing for that will come out as a successful company on the other side.”
In a challenging economic environment, what is clear however is that the most important thing is to focus on the health and wellbeing of Headspace’s users.
“Given that broader context, our board and our executive team have given the directions to be very mindful,” Thapliyal explains. “We are trying to take this as an opportunity to refocus on doing less and doing better. So that's how we are changing our strategy as we go into 2023.
“What that means to the company as a whole is that we will continue to get better and offer more features and more services in the coming years,” he concludes. “The focus will be on what we call members first, meaning anything that we do should ultimately benefit our patients.”