FBI Alert About Zoom Security Vulnerabilities: Protect PHI With These Simple Changes.  

The FBI has released a warning about security vulnerabilities in the Zoom video-teleconference platforms.  See this link for more information from the FBI and this link for the HHS Office for Civil Rights warning.  The vulnerabilities allow unauthorized users to intrude into meetings (also called “Zoom-bombing”).  

Please take the following steps to protect the privacy and security of your patients’ information during your telehealth session:

  • Make sure your meeting is private by requiring a password to enter the meeting or by using the waiting room feature to control who can enter the meeting.
    • Zoom has just enabled these features by default on all versions of Zoom.
    • Check out this link for more information and a helpful video on how to confirm these features are enabled.
  • Provide the link to specific people.  Do not share the link publicly on your social media or websites. 
  • Set the screen sharing option to “Host only”. This video and help article explain how to configure this feature.
  • Make sure your patients are using the most up-to-date version of the application.  Zoom implemented patches in January 2020 to address many of the more serious security vulnerabilities. Use this link to learn how to download the latest version of the Zoom application.

During the COVID-19 public health emergency, the HHS Office for Civil Rights is exercising enforcement discretion to allow healthcare providers to use free versions of Zoom without violating HIPAA privacy and security rules.  If you are using a free version of Zoom, you will have to immediately switch to a HIPAA-compliant version once the crisis is over.  Read the HIPAA business associate agreement very carefully and strike any language that allows Zoom to use your patients’ aggregated and/or de-identified information.  If Zoom is not willing to accept these changes in the business associate agreement, consider using another telehealth platform that will agree to these restrictions on the use of protected health information.  See this NPR article for more information about Zoom’s data sharing practices.

By Veda Collmer, ArizOTA Legislative Affairs Committee