Chief Compliance and Ethics Officer Health Care

Zoom & other on-line meeting programs

  • 1.  Zoom & other on-line meeting programs

    Posted 04-01-2020 11:46 AM
    I have been monitoring news in the last 24 hours about a breach of personal data by Zoom conferencing.
    First thing this morning there was news from the Boston Field Office of the FBI about a cybersecurity issue reported
    on Zoom bombing with porn and hate messages.

    I put a halt on all virtual meetings until our IT company can give us some insight.
    Anyone else heard?

    Mary Blahut RN CHC
    VP Compliance
    Diamond Bar, CA
    2020 HCCA Compliance Institute

  • 2.  RE: Zoom & other on-line meeting programs

    Posted 04-01-2020 12:54 PM
    This is a two parter.

    First, as I understand it, the issue of sharing personal data was an issue related to the use of Facebook log-in.  Zoom was allegedly sending analytics to Facebook for all users regardless of whether they used Facebook to log into Zoom or not.  This is actually an extremely common practice.  Many apps on phones talk to each other, exchanging all sorts of data.  The issue here was that Zoom didn't disclose in their privacy practices that they were doing this.

    Second is the issue of Zoom meetings being hacked.  With the increased use of Zoom, hacking has increased.  There are several ways that users can try to mitigate this risk:
    1. In the enterprise-wide Zoom settings, there is an option to automatically require a password for all scheduled Zoom meetings.  (This can be turned off by the scheduler, so staff would need to know that they are required to do this.)  This should keep unwanted people out of Zoom conferences.  Without this, anyone with the link can join the meeting.
    2. Require staff to periodically reset their passwords.
    3. When a meeting is scheduled, screen sharing should be set to "host only".  That way if someone DOES join the meeting, they at least can't control the screen.

    Hope this helps!

    Emily Roberts
    Compliance/Privacy Manager
    Morrow County Health District

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.


  • 3.  RE: Zoom & other on-line meeting programs

    Posted 04-01-2020 05:23 PM
    Good advice. We used Zoom just this morning.

    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.


  • 4.  RE: Zoom & other on-line meeting programs

    Posted 04-02-2020 06:14 AM
    Unfortunately with the OCR telemedicine waiver some folks in your organization might think HIPAA is waived - so here are some tips:

    • Make sure staff are directed to your digital health team and are using tools approved by your organization
    • If you use Zoom, make sure staff download the correct app from the official Zoom website or the official mobile app store, rather than something random they find by googling that is a spoof and actually malware
    • Have a BAA
    • Enable waiting rooms, which will allow you to control who can join
    • Don't use personal meeting IDs, which can be reused by cyber criminals
    • Require a password
    • Lock meetings once everyone has joined
    • Consider locking controls once everyone has joined: microphones, cameras, and screen sharing
    • Consider using a virtual background so others don't accidentally share their backgrounds
    Please add anything I've missed.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

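The checklists in replies 2 and 4 are tenant-wide defaults, and, as reply 2 points out, a scheduler can switch the password requirement back off for an individual meeting. The practical control is therefore an audit of each scheduled meeting rather than trust in the default. The script below is an added example written for this page; it is not code from any of the posts and not a Zoom tool. The meeting records and their field names are constructed for illustration and are assumptions, not the schema of Zoom's admin API, so anyone adapting it would map the fields to whatever their platform's meeting export actually contains.

```python
"""Audit scheduled meetings against the meeting-hygiene checklist from the thread.

Added example, not from the original posts. The records and field names below
are constructed assumptions; they do not reproduce Zoom's API schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Meeting:
    meeting_id: str
    host: str
    password_required: bool          # reply 2, item 1 / reply 4 "Require a password"
    uses_personal_meeting_id: bool   # reply 4 "Don't use personal meeting IDs"
    waiting_room: bool               # reply 4 "Enable waiting rooms"
    screen_share: str                # "host" (reply 2, item 3) or "all"
    allow_join_before_host: bool = False  # attendees alone in the room before the host


# Constructed sample data for the example; these are not real meetings or hosts.
SAMPLE_MEETINGS: List[Meeting] = [
    # Follows every item on the checklist.
    Meeting("123456789", "alice@example.org", True, False, True, "host"),
    # Scheduler switched the password off and reused a personal meeting ID.
    Meeting("987654321", "bob@example.org", False, True, False, "all"),
    # Password set, but the room is open to unattended joins and anyone can share.
    Meeting("555000111", "carol@example.org", True, False, False, "all", True),
]


def audit_meeting(m: Meeting) -> List[str]:
    """Return the checklist items this meeting fails; an empty list means it passes."""
    findings: List[str] = []
    if not m.password_required:
        findings.append("no password: anyone with the link or a guessed ID can join")
    if m.uses_personal_meeting_id:
        findings.append("personal meeting ID: reusable by anyone who has seen it once")
    if not m.waiting_room:
        findings.append("waiting room off: host cannot vet who joins")
    if m.screen_share != "host":
        findings.append("screen sharing not host-only: an intruder can take the screen")
    if m.allow_join_before_host:
        findings.append("join before host: attendees are unattended until the host arrives")
    return findings


def audit_all(meetings: List[Meeting]) -> Dict[str, List[str]]:
    """Map meeting_id -> findings, keeping only meetings with at least one finding."""
    result: Dict[str, List[str]] = {}
    for m in meetings:
        findings = audit_meeting(m)
        if findings:
            result[m.meeting_id] = findings
    return result


def report(meetings: List[Meeting]) -> str:
    """Human-readable summary suitable for sending to the scheduling hosts."""
    lines: List[str] = []
    by_id = {m.meeting_id: m for m in meetings}
    for meeting_id, findings in audit_all(meetings).items():
        lines.append(f"{meeting_id} (host {by_id[meeting_id].host}):")
        lines.extend(f"  - {f}" for f in findings)
    if not lines:
        return "all scheduled meetings pass the checklist"
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MEETINGS))
```

Running it prints the two non-compliant constructed meetings with the specific items they fail, which is the list a compliance team would hand back to the hosts before the meetings take place.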

  • 5.  RE: Zoom & other on-line meeting programs

    Posted 04-02-2020 02:04 PM

    Thanks for the tips Brenda!

  • 6.  RE: Zoom & other on-line meeting programs

    Posted 04-02-2020 10:59 AM
    Zoom also offers a HIPAA compliant product and will sign a BA.  That has more protections than the free or basic subscription.

    Barbara Barrett
    Chief Compliance Officer
    Reliant Care Management Co
    St Louis,MO


  • 7.  RE: Zoom & other on-line meeting programs

    Posted 04-02-2020 11:11 AM
    Yes, I have definitely heard of similar cases. In the cases of which I'm aware, Zoom meetings were shared without password access, and controls were not put in place (i.e., what Emily mentioned, especially removing people's ability to share; muting all participants and removing them from the meeting if they are unruly, etc.).

    Mona Kay Rifi
    Innovate Compliance


  • 8.  RE: Zoom & other on-line meeting programs

    Posted 04-04-2020 08:20 AM
    Hi all!

    I read an article this morning about Zoom bombing. Turns out that miscreants have created a program called zWarDial to guess Zoom meeting identification numbers and then join calls uninvited. Adding a password makes the meeting undetectable by zWarDial.

    And Zoom lists other features to protect the meeting from uninvited guests, including disabling a participant's video and requiring a participant to log in before joining the meeting.

    Here is more information about the zWarDial program and how security experts found the program. It's a long but interesting read.

    Corporate Compliance Officer
    Eagleville Hospital


  • 9.  RE: Zoom & other on-line meeting programs

    Posted 04-04-2020 08:42 AM
    I had only heard about fake Zoom websites, set up so that people would create an account and the attackers could hack into devices that way, and did not know about Zoom bombing.  Thank you for sharing this and for the links!
