Teletherapy and Cyber Security

Important Disclaimer: This document is for informational purposes and general guidance only and is not advice on any specific regulatory or legal matter. Always consider getting qualified advice on the facts of any matter before proceeding.

In a world in the midst of the COVID-19 pandemic, therapists have had to adapt rapidly to continue offering psychotherapy. The main form of adaptation has been to transition to delivering remote therapy, whether via telephone or video conferencing. Existing bodies of research have shown online therapy to be effective, but clients and therapists often still have concerns about privacy and security. Now is the time to directly address those concerns, and it has fallen on me, as Numinus’s Clinic Manager, to take on this challenge. My background as both a therapist and an information technology professional helps me to understand and explain our approach to the delivery of remote sessions in the province of Quebec.

Numinus has always had a few therapists providing remote sessions to their clients; now it is the entire team. We have always abided by the rules governing the practice of teletherapy in our jurisdiction and will continue to do so. The Ordre des psychologues du Québec (OPQ), the governing body for psychologists and psychotherapists in Quebec, has produced several documents outlining the ethical and practical guidelines for remote therapy (in French only). I will briefly summarize these documents:

OPQ Guidelines for Psychologists/Psychotherapists practicing in Quebec

Encryption, End-to-End Encryption, and You

Encryption is a way to scramble the contents of a message or video so that only someone holding the proper decryption key can undo the scrambling and read the contents of the communication. End-to-End (E2E) encryption adds an extra layer of security: the keys exist only on the two participants’ devices, so even the provider of the tool or service cannot decrypt the contents of communications, whether compelled to by law or hacked by a malicious actor who inserts themselves as a “man in the middle” at the corporate level (e.g., at the servers of the software company that offers the teleconferencing solution).

The most common questions that arise from these guidelines relate to encryption. Does your therapist use a tool that encrypts your communication, preventing casual electronic eavesdropping by unsophisticated attackers? The odds are good that the answer is yes, and at Numinus, we definitely do. All the tools listed by the OPQ use some form of encryption to prevent electronic eavesdropping.

PIPEDA, HIPAA, and Quebec’s “substantially similar” legislation

You may have heard people mention the various names of electronic privacy legislation passed in different jurisdictions and wonder how they relate to remote practice. In the United States there is HIPAA; in Canada there is PIPEDA. In Québec there are An Act Respecting the Protection of Personal Information in the Private Sector, An Act to amend the Act respecting health services and social services, the Health Insurance Act and the Act respecting the Régie de l’assurance maladie du Québec, and all of Québec’s privacy laws relating to health records. The most important things to know about all of these laws, from Numinus’s particular perspective:

What you can do to help ensure that your sessions remain confidential

When it comes to security, you are more likely to have your remote session’s privacy violated by a person physically listening in from a nearby location than by a sophisticated state actor (e.g., the National Security Agency in the United States) capable of breaking encryption or inserting themselves as a “man in the middle” attacker. The corporations offering these communication services have a vested interest, both legal and financial, in maintaining the privacy of these communications, so unless compelled by court order, they will not intercept any remote communications or turn over any recordings (which they all state they do not make in the first place). One could argue that you are as likely to have an in-person session bugged by law enforcement as to have a court order issued mandating that a session be captured and decrypted. If this is a real concern of yours, due to your work or other factors (e.g., you are a high-level government official, famous actor, or crime lord), then online sessions might be best avoided! If you are not generally at risk of being a target of a state-level actor or law enforcement, you can also do some basic things to best ensure your privacy:

  1. Make sure you are initiating sessions from a place where you can monitor, and ideally control, your environment to prevent someone from physically listening in.
  2. Do not use public WiFi networks when engaging in remote therapy unless there is absolutely no other choice. And if you must use public WiFi, then you must use a Virtual Private Network (VPN) software solution to provide an additional layer of protection to your communications.
  3. Regularly run virus and malware scans of your computer, or use your mobile device for your remote session, as mobile devices are far less prone to viruses and malware.

I hope this helps to inform you and address any concerns you might have, whether as a therapist delivering remote sessions, or a client on the receiving end!