Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 610: Don’t Panic – But Do Pay Attention: What the Darksword iPhone Exploit Actually Means.
Liath Dalton
Ah, yes, another day, another exploit. So there has been a lot of buzz and some panic as well, to be honest, about a recently reported iPhone exploit that is called Darksword, which certainly sounds ominous. But we wanted to talk about what it actually is, what it isn’t, and what you should be doing about it as a clinician or practice owner. So first, if you haven’t heard about what Darksword is, we’re going to tell you a bit about it.
Evan Dumas
Yeah, so Darksword is the name for a set of hacks that target iPhones still running the iOS 18, so the older one. So say you have an older iPhone and you’re like, you know, I don’t want to update my iOS, you are a great target for hackers. And unfortunately, this is like a bunch of different little vulnerabilities because of, like, the elderly devices and their old iOS, and it allows people to have a ton of access to your device. And unfortunately, all you have to do to get it is go to an infected website. This is called zero click, where you don’t have to do anything to get this. Now it has been popping up in like Saudi Arabia, Turkey, Malaysia, and affecting people, and probably some cases in the US, but it is affecting iOS 18 users with older iPhones.
Liath Dalton
Yes, and it’s super scary because of the zero click nature of it. However, it’s also really important context that it is typically used in very targeted attacks, like journalists, government officials, high profile individuals. I think some of the headlines and initial articles made it seem like it was more widespread that, like just having an iPhone running the older iOS meant that you were likely to be a victim of it, right? But that, thankfully, is not the case. It has not been deployed broadly to the general public, and it was patched really quickly once discovered.
Liath Dalton
So while it’s technically serious, it is not, and I really want to emphasize this, something that’s suddenly putting all iPhone users at immediate risk.
Evan Dumas
No.
Liath Dalton
But it still matters for clinicians.
Evan Dumas
Yeah, definitely.
Liath Dalton
Because even though you’re unlikely to be directly targeted by something like Darksword, it is still highlighting an important truth, which you, if you have been listening to this podcast and to Evan and me, know: your phone is not just a personal device, it’s part of your practice infrastructure, and it is really important to ensure that it is hardened.
Liath Dalton
So if you use your phone to access your EHR or any systems that contain client info, even just checking your practice email, or storing any documents or files that contain client info, then that means that your phone is part of your HIPAA security environment and needs to be hardened appropriately so that it is a contributing and secured part of your security circle.
Liath Dalton
So really, the biggest takeaway is that your practice is not likely to be at risk from an advanced exploit like Darksword. What is a more realistic risk? Because within the framework of HIPAA, we’re always talking about reasonable and anticipated threats, reasonably anticipated threats, and those are more likely to come through in everyday gaps. This actually is a good example of where that kind of intersects, because the vulnerability here is just the device not being updated.
Liath Dalton
And very importantly, if you are managing your devices according to the HIPAA Security Rule standards and have implemented the technical security measures that make a device qualify for Safe Harbor under HIPAA’s Breach Notification Rule, then having automatic updates enabled and keeping all of your devices that touch client info up to date so that they can’t be vulnerable to this sort of exploit is part of that process and part of the hardening measures.
Liath Dalton
Other gaps that we see in everyday practice are also not having explicit policies and procedures around device security and around personal device use, particularly in a group practice context. It also can involve using embedded apps or tools and just lax behaviors around device security practices. Those are what generally are leading to breaches where the device is the weak linchpin in what makes the breach possible.
Liath Dalton
So what you should do is not panic. It’s just, follow basic, good device security processes and have the perfect combination of, and here the perfect combination is pairing technical security measures with behavioral security measures.
Liath Dalton
So technical security measures are things like having a strong device locking, so your passcode and biometrics, making sure encryption is enabled, that’s a default on iPhones and Androids at this point too, limiting app permissions, only using vetted tools.
Liath Dalton
Behavioral measures are then going to be things like avoiding unsecured networks or using a VPN if you need to connect to an unsecured network. All really manageable, practical things that can be implemented on a day to day basis. And that’s what we want to be focused on, not the kind of attention grabbing headlines, because if you’re following these practices, then you aren’t vulnerable to Darksword and other exploits that are similar in nature to it. And we’ve seen a variety of ones, not just specific to iOS and Apple devices, but Androids and Windows devices as well.
Liath Dalton
So whatever device type you’re using, you need to have good security measures in place on it and then pair that with good security behaviors. So all that to say that, yes, Darksword is intense, however, it is not a reason to panic.
Evan Dumas
No.
Liath Dalton
And it just is a good story and example to remind us about the importance of these foundational security measures, and that security isn’t really, in practice, about just reacting to the scariest threat, it’s about consistently covering the most common ones. Easy peasy.
Liath Dalton
And as always, this being a foundational element of risk management within a practice setting, this is something that we have a lot of dedicated resources and support around. So please check out the links in the show notes to our device security suites of resources. We have, one specifically oriented to group practices, and then another to solo practitioners. Those cover everything that you need to implement the technical security measures, understand and follow the accompanying behavioral measures, and have your documentation so that you have that very important and valuable piece of coverage of qualifying for Safe Harbor under HIPAA’s Breach Notification Rule. Which basically means in the event of theft or loss of a device that has touched client info, or Protected Health Information, that the incident investigation doesn’t have to go any further than verifying that the lost or stolen device had Safe Harbor in place and that it was documented as such.
Liath Dalton
So it is a tremendous piece of CYA, really. And as we like to say, CYA is self care in this context.
Evan Dumas
Yeah, definitely.
Liath Dalton
Thanks for joining us, and we hope you’ll come back next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share information about the recent Darksword iPhone exploit, and what that means for therapy practice owners regarding device security.
We discuss:
- What you need to know about this exploit
- Device hardening within your security circle
- Device security gaps we see in everyday practice
- Pairing technical security measures with behavioral security measures
- PCT’s resources around risk management and device security
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners
- Comprehensive HIPAA Security Policies & Procedures
- Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
- Device & Workspace Security Suites
- Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
- Includes the Risk Analysis & Risk Mitigation Planning service + tool
- HIPAA Security & Privacy Ethics training
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
Resources:
- Wired Article: Apple Will Push Out Rare ‘Backported’ Patches to Protect iOS 18 Users From DarkSword Hacking Tool
- PC Mag Article: ‘DarkSword’ Attack Is Now Targeting Vulnerable iPhones Via Phishing Emails
- Malwarebytes Labs Article: [updated] A DarkSword hangs over unpatched iPhones