In the midst of the COVID-19 nationwide public health emergency and with 43 states issuing stay-at-home orders, both business and personal connectivity has become increasingly dependent on video-teleconferencing (“VTC”) platforms, such as Zoom, in order to stay connected.
Unfortunately, these VTC platforms may be extremely vulnerable to hacking attempts by malicious actors and other cybersecurity attacks. These types of cybersecurity vulnerabilities are a notable threat to any organization that leverages VTC platforms to connect remotely; however, health care is particularly susceptible to the negative impact of an exploited vulnerability.
As the Department of Health and Human Services’ Office for Civil Rights (“OCR”) decided to ease restrictions on telehealth technology, it released guidance advising that OCR will not penalize health care providers for using less secure products to provide timely and accessible care during the national emergency. For more information on this guidance, please view Hall Render’s resource page regarding HIPAA compliance for telehealth procedures during the COVID-19 emergency response.
One application that has gained significant popularity since the onset of the COVID-19 emergency is Zoom, which provides video and web conferencing capability through a variety of devices / operating systems. The Federal Bureau of Investigation (“FBI”) has noted an increase in reports of VTC hijacking (referred to as “Zoom-bombing” even when attacks are made to other VTC platforms). There have been a number of reports of Zoom meetings that have been disrupted and compromised through “Zoom-bombing” which can include interruptions from uninvited and unwelcome participants making derogatory comments or projecting pornography during the meeting.
The FBI has published recommended guidelines to either use Zoom in a more secure manner or to consider whether Zoom may no longer be the desired platform for VTC use. A few additional recommendations to consider include:
- Consider whether end-to-end encryption should be used given the sensitivity of the topic to be addressed. Zoom does not offer this now but is quickly moving to include it within the platform’s security capabilities.
- Do not make meetings or classrooms public. In the Zoom platform, there are two ways to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated the platform’s In this security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guidance addresses requirements for physical and information security.
If you have any questions, please contact:
- Melissa Markey at (248) 740-7505 or mmarkey@hallrender.com;
- Mark Branstetter at (615) 423-6651 or mbranstetter@hallrenderas.com;
- Cory Brennan at (317) 429-3614 or cbrennan@hallrender.com; or
- Your regular Hall Render attorney.
Hall Render’s attorneys and professionals continue to maintain the most up-to-date information and resources at our COVID-19 Resource page, through our 24/7 COVID‑19 Hotline at (317) 429-3900, or your regular Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
