Security & Privacy Concerns with Zoom Platform
AdvancedMD and our telehealth partner, Zoom, are equally committed to the security and privacy of the patient-provider relationship and associated information. Over the past few days there have been reports in the media about security and privacy vulnerabilities in Zoom. Our security and R&D teams have been following this issue closely and continue to track news on this issue. It’s our commitment to provide updates on fixes and preventative measures as they become available.
Below you will find information regarding concerns currently in the media, an update AdvancedMD previously made to address concerns, and what you can do to help keep your telehealth visits secure.
What are the security and privacy concerns with Zoom?
There are two major issues that have been broadly reported. Zoombombing is the term for crashing into a Zoom meeting. There are two ways this vulnerability can impact our customers:
- A malicious actor could happen to identify an ID for an ongoing telehealth call, and then join the call directly or share the meeting ID with a large group of people who could then Zoombomb the call.
- An innocent person could inadvertently transpose numbers in their own meeting ID and accidentally join a telehealth call.
These options are highly unlikely for the type of Zoom meetings used within AdvancedMD telehealth as each meeting is created with a new and random meeting ID.
To further protect your telehealth visits, yesterday AdvancedMD updated all telehealth sessions so a chime rings any time anyone enters and exits the session. This is now a default setting. This setting should be left selected by the provider.
What further efforts should you do?
- Providers should lock telemedicine meetings. To lock a meeting, go to Manage Attendees > More > Lock Meeting after the Zoom meeting launches, and all participants have entered the meeting.
- Providers and patients should download the latest version of Zoom which will apply and enable this security fix. Zoom users are prompted after each meeting to update the Zoom client if a new version is available.
Please note: On April 1, 2020 it was reported in news media that once a hacker joins a Zoom meeting, the hacker can use a specially-crafted link to steal users’ Windows credentials. This vulnerability was patched on April 1 and is no longer an issue.
- Require providers to admit attendees (automatic security enhancement). To enhance security in our telehealth feature, we have enabled a new setting in Zoom called Waiting Room. This change requires the provider to admit all attendees to the call. The admit process is simple and can be done directly after starting the visit session. If needed, the provider can also remove attendees. This increases security and privacy against malicious Zoombombing attacks. Prior to this enhancement, anyone in the telemedicine waiting room could automatically join the meeting.