Over recent years, and particularly in the last several months, as professionals adapt to the unique practice circumstances brought on by the COVID-19 pandemic, an ever-increasing number of physiotherapists are utilizing technology to deliver services via telehealth. One of the consequences of this shift to remote working is an increase in cyber insurance claims, including those related to ransomware, social engineering, and other cyberattacks. While many health care professionals may not think they present an appealing target to attackers, insurer data shows that small- to medium-sized businesses are often easier to exploit and, therefore, make very attractive targets.
According to Beazley, the specialized Lloyd’s insurer underwriting the stand-alone Cyber Security & Privacy Liability Insurance policy available to CPA members, ransomware attacks are not new to the health care sector. In fact, health care was the most targeted industry in 2019 for ransomware attacks and is particularly vulnerable due to the sensitive nature of patient data and critical impact on patient care.1
One of the most common forms of attack used to deploy ransomware is through phishing emails.
Beazley’s 2020 Breach Briefing informs us that “direct email of malware and links to credential-stealing sites lead to a large number of incidents. There are a lot of protections available, in the forms of email filters and added layers of authentication, however, few of these solutions are broadly implemented. People have access to the information and technology that the attackers want, and attackers will continue to find new ways to reach people and exploit them. It would be incorrect to view phishing as the vulnerability; phishing just happens to be the most effective way of getting to the real vulnerability – people.”1
How Can You Reduce Your Phishing Risk?
You don’t need to know everything about cyber security to help reduce your risk. Beazley recommends the following tips:
- Enable multi-factor authentication (MFA);
- Force regularly scheduled password resets, preventing recycled passwords; and
- Train yourself and your employees to recognize and report suspicious emails.
There are a number of additional considerations that physiotherapists and business owners should take into account to mitigate the additional exposures related to telepractice, including aspects related to communication with clients, what to look for when selecting a platform, and securing appropriate insurance coverage.
Communication With Clients
It is important that, in considering electronic communication with clients, you are familiar with any and all specific requirements and guidelines set out in the federal or provincial legislations, such as those of your provincial information and privacy commissioner. Physiotherapists must also adhere to the requirements set out by their respective regulatory college.
From the initial client contact where you are proposing telepractice services to the actual telepractice client visit, communication should be done through secured means.
While you may wish to send emails to clients to communicate the options available to them, there are risks associated with email communication. For instance, one cannot guarantee that the intended recipient will receive and review the email once it has been sent. Additionally, emails can be intercepted or sent to the wrong recipient in error. If you are unable to send secure encrypted emails, then consent should first be obtained verbally (including over the phone) from clients before you communicate with them through unencrypted emails. Once consent is obtained, the amount and type of personal health information included in unencrypted emails should be limited. Simply identifying a person as a client can be a breach of applicable privacy legislation; therefore, it is important that no client identifiers (name, age, date of birth, address, etc.) are included in email communications.
Some public bodies, such as the Information and Privacy Commissioner of Ontario, also expect health information custodians to develop and implement a written policy for sending and receiving personal health information by email.2 In addition, they expect health information custodians to notify their clients about this policy and obtain client consent prior to communicating via email that is not encrypted.
Ultimately, professionals are responsible for ensuring that the virtual services that they are offering can be provided in a manner that protects their clients’ confidentiality and the security of their clients’ personal health information.
While the use of readily available platforms like Skype for telepractice can be appealing, Skype has been found not to be compliant with the Personal Health Information Protection Act (PHIPA).3-4 Health information custodians must carefully review the user agreements of any program or application they intend to use for the delivery of telepractice. Your regulatory college or professional organization may also have recommendations with respect to the provision of telepractice services. The Ontario Psychological Association, for instance, recommends that its registrants use platforms that offer bank-grade, end-to-end encryption for the provision of telepsychology.
In addition to ensuring that appropriate platforms are used to provide client care via telepractice, practitioners and clinics should make reasonable efforts to offer a complete and clear description of the telepractice services they can provide. Amongst other things, these descriptions should include any user costs associated with virtual services, as well as the limitations of these services.
If telepractice is deemed appropriate, health care facilities and professionals must obtain and document informed consent from clients who wish to opt in for telepractice. Clients need to be advised of the benefits and risks of proposed virtual care so that informed consent can be obtained. A best practice would be for clinics to develop standard terms and conditions for telepractice and have clients review and sign their consent to those terms. Additionally, consent and any related discussions with the client must be recorded in the client's medical record.
The CPA’s Professional Liability Insurance (PLI) policy has no additional restrictions for physiotherapists delivering professional services via telepractice within Canada. In order for the insurance coverage to apply, you must be working within your scope of practice. You must also abide by the professional regulations in your jurisdiction (for instance, the province or territory in which you are located) and in the province or territory where your client is located.
However, there are additional exposures when utilizing technology to deliver care, including potential privacy breaches or ransomware attacks, and it is important to consider this increased risk when making a decision about insurance coverage.
BMS recommends that physiotherapists, businesses delivering telepractice services, and/or those responsible for maintaining and safeguarding confidential client information purchase additional Cyber Security and Privacy Liability Insurance to address their increased risk and exposure.
CPA members have access to a specialized and comprehensive Cyber Security & Privacy Liability Insurance policy that provides first and third-party coverage, as well as coverage for expert services in the case of an incident, including but not limited to:
- Costs involved with a regulatory proceeding relating to the violation of a Privacy Law, including penalties (where insurable);
- Coverage for Business Interruption;
- Coverage for “Cyber Extortion” incidents;
- Third-party liability for privacy breaches;
- First-party data protection; and
- Web site media content liability.
Please visit www.cpa.bmsgroup.com for more information or contact BMS to speak to a broker.
Ultimately, there are a number of items to consider when making the shift to telepractice service delivery. Fortunately, CPA members have direct access to a range of experts to assist with any questions you may have.
Take the Cyber Security Pop Quiz!
As cyber risks continue to evolve, it’s important that your knowledge does too. Below, you’ll find a short quiz to test your cyber security savviness. Answers at the end.
1. What does the “https://” at the beginning of a URL denote, as opposed to “http://” (without the “s”)?
   A. That the site has special high definition.
   B. That information entered into the site is encrypted.
   C. That the site is the newest version available.
   D. That the site is not accessible to certain computers.
   E. None of the above.
2. Which of the following is an example of a “phishing” attack?
   A. Sending someone an email that contains a malicious link that is disguised to look like an email from someone the person knows.
   B. Creating a fake website that looks nearly identical to a real website in order to trick users into entering their login information.
   C. Sending someone a text message that contains a malicious link that is disguised to look like a notification that the person has won a contest.
   D. All of the above.
   E. None of the above.
3. Which of the following four passwords is the most secure?
4. If a public Wi-Fi network (such as in an airport or café) requires a password to access, is it generally safe to use that network for sensitive activities such as online banking?
   A. Yes, it is safe.
   B. No, it is not safe.
5. If you are in an airport, is it generally safe to charge your phone using a USB wall plug?
   A. Yes, it is safe.
   B. No, it is not safe.
Cyber Security Pop Quiz answers: 1. B, 2. D, 3. B, 4. B, 5. B
Did You Know?
Vyas Sekar, a professor at CyLab, which is a security and privacy research institute at Carnegie Mellon University, told the New York Times, “Like scammers who steal debit card numbers by putting illegal card-reading devices, or skimmers, on A.T.M.s, hackers can easily rip out USB ports and replace them with their own malicious hardware.”5
And while experts are still unsure of how often hacking attacks like these happen, the growing commonality of USB charging ports in places like hotels, public transportation, and airports has translated into an increased risk of falling victim to such scams.
“People want the convenience of charging their phones and tablets wherever they go,” Professor Sekar said, adding, “Obviously I would like it too, but there is a risk.”
1. Beazley. (2020). Beazley: 2020 Breach Briefing [PDF file]. Retrieved from https://www.beazley.com/Documents/2020/beazley-breach-briefing-2020.pdf
2. Minutti, N. (2017, May 11). Electronic Communication of Personal Health Information: A presentation to the Porcupine Health Unit (Timmins, Ontario) [PDF file]. Retrieved from https://www.ipc.on.ca/wp-content/uploads/2017/05/ipc-presentation-to-timmins-phu-re-communicating-phi-electronically-201.pdf
3. Canadian Medical Protective Association (CMPA). (2015, October). Videoconferencing consultation: When is it the right choice? Retrieved from https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2015/videoconferencing-consultation-when-is-it-the-right-choice
4. Grant, D. (2014, June 19). Complying with the Personal Health Information Protection Act [PDF file]. Retrieved from https://www.ocswssw.org/wp-content/uploads/2014/12/b2_-_debra_grant_-_b2.pdf
5. Ortiz, A. (2019, November 18). Stop! Don’t Charge Your Phone This Way. The New York Times – Personal Tech. Retrieved from https://www.nytimes.com/2019/11/18/technology/personaltech/usb-warning-juice-jacking.html
BMS Canada Risk Services Ltd. (BMS Group) is the CPA’s exclusive broker and provider of professional liability and practice risk insurance.