Should cyber risks be on your radar?
RISK MANAGEMENT
The APA’s insurance partner BMS explores common targets of cybercrime and the role of cyber liability insurance, while Scott Shelly and Alexander Sheridan of health law firm Barry Nilsson provide tips to mitigate your risk.
Knowing your risks is key to being prepared. However, as a physiotherapist, how do you navigate risk in today’s digital landscape?
Many businesses are more vulnerable to cyber risk than they realise.
Who’s vulnerable to cybercrime?
Small business
It’s a common misconception that cyber threats are only a concern for large businesses. In reality, businesses of all sizes have become targets of cyber incidents and small businesses have been the most vulnerable.
According to the Australian Signals Directorate’s Annual Cyber Threat Report 2023–24, the majority of cybercrime reports came from small businesses.
This trend is echoed throughout the 2024 Cyber Wardens research, with 82 per cent of small businesses reporting that they experienced a cyber incident in the past 12 months.
Many of those incidents occurred due to:
- owners or employees receiving a suspicious SMS, email or phone call
- information being leaked due to an attack on another organisation
- passwords or accounts being hacked.
If you practise as a sole trader or run your own physiotherapy practice with staff, you may not have a robust IT infrastructure to protect you in the same way that a larger company would.
This makes it easier for cybercriminals to steal valuable personal data or conduct a cyber attack.
The health sector
As a physiotherapist, you may hold, store or transmit sensitive patient data on a regular basis—such as personal health information and identification and financial information.
This data is valuable to cybercriminals, making healthcare practices a common target. According to the 2024 Notifiable Data Breaches Report by the Office of the Australian Information Commissioner, the health sector is one of the top targeted industries for cybercrime.
How can you mitigate the risk?
Physiotherapists can follow these practical tips to mitigate their risk of a cyber attack.
- Carefully consider what information your practice obtains from patients, how that information will be stored and how long you will keep that information for (noting your obligations under the Health Practitioner Regulation National Law and shared Code of conduct).
- Keep the software you use in your practice up to date. This means ensuring that you accept and implement all software updates and that you are not using outdated or legacy versions of software.
- Ensure that you and any staff or contractors use strong passwords or passphrases that are unique to each piece of software in your practice.
- Where possible, set up multi-factor authentication. This ensures that even if a password is compromised, there is another line of protection before your data can be accessed.
- Ensure that you carefully evaluate any emails, texts or calls for scams or potential phishing attacks. This can include checking the actual email address of the sender; reviewing the communication style, inclusive of typos; and looking out for any suspicious changes in a person’s details, including financial details. Remember, if in doubt, you should call the person you are corresponding with to ensure that it is really them.
- Consider obtaining external IT support for your business. An external IT provider will be able to assist you to set up appropriate protections for your business, keep you and your systems up to date on current cyber issues and offer appropriate training to you and your staff to avoid cyber incidents.
When a cyber attack occurs, time is of the essence—you need to move quickly to protect your business and your patients.
It is recommended that you have a plan or policy in place that documents how your practice will manage a cyber attack.
Cyber liability insurance
Cyber risks may not be front of mind in your day-to-day practice.
However, if a cyber incident does occur, it can be beneficial to have cover to help you get back on your feet and a supportive team to guide you through the claims process.
As an APA member, you can access cyber liability insurance with BMS.
Simply get a quote for cover in the BMS Portal.
To learn more, visit the APA website or contact BMS at apa@bmsgroup.com
This article is facilitated by BMS with information on tips for mitigating risk by Scott Shelly and Alexander Sheridan of Barry Nilsson.
Disclaimer: Barry Nilsson communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. You must be a current Australian Physiotherapy Association (APA) member to be eligible to register for the APA Member Insurance program. You must be part of the APA Member Insurance program in order to access additional cover, which includes but is not limited to Cyber insurance. If your membership ceases you will not be offered renewal when your policy expires. In offering this insurance to our members APA is a distributor of BMS Risk Solutions Pty Ltd (BMS) AFSL 461594, ABN 45161187980. This insurance policy is arranged by BMS under a binder with Certain Underwriters at Lloyd’s. When acting under a binder BMS is acting as agent for the insurer and not as your agent. Any advice provided by BMS is general advice only and BMS has not considered whether it is suitable for your particular objectives, needs or financial situation. Please read the Policy Wording and BMS Terms of Engagement which contains the Financial Services Guide before making any decision about purchasing this policy. As a distributor, APA may receive a percentage of the commission paid to BMS by the insurer and/or a fee per policy. APA receives an annual payment from BMS which is used for insurance related marketing and professional development activities to support our members.
© Copyright 2026 by Australian Physiotherapy Association. All rights reserved.
