Zoom for Healthcare
With the COVID-19 pandemic, there has been a surge in the use of Zoom for remote telecommunication and, with it, a backlash over its privacy and security policies. In this post, I would like to address some of those concerns, since we use Zoom as the underlying technology for telerehabilitation on Embodia. I will start by saying that the Zoom version used on Embodia is compliant and safe for telerehabilitation applications.
General Zoom accounts are business accounts, and for those accounts Zoom may have used the fact that an account exists for a given email address for marketing and advertising purposes. Zoom released a blog post on April 1 addressing the concerns about its business accounts as they relate to sharing data with Facebook and Google.
Zoom for healthcare
General Zoom accounts are not subject to the same privacy and security obligations that Zoom for Healthcare requires. Embodia entered into a HIPAA Business Associate Agreement with Zoom (here is the final signed agreement) that lists Zoom's obligations to keep Zoom for Healthcare secure and compliant. You can also refer to this document for additional information on how Zoom ensures HIPAA, PIPEDA and PHIPA compliance.
What about "Zoombombing"?
Let's start by explaining what Zoombombing is. When you start a meeting on Zoom, the meeting is automatically assigned a random 10- to 11-digit meeting ID. Because the ID is the only thing needed to join a meeting with default settings, and because the volume of Zoom meetings has grown so much recently, strangers have been able to join ongoing meetings simply by trying random combinations of digits until one matches a live meeting. You are at risk of this attack when you create a new Zoom account and do not modify its default settings (and we hope that Zoom will address those security concerns soon).
How does Embodia protect against "Zoombombing"?
When you add your Zoom account to the Embodia parent account, we override many of your default settings to make your Zoom account compliant and more secure.
One of those changes is requiring a password from any participant who tries to join a meeting by providing only the meeting ID. This password is randomly generated by Embodia and is different for each meeting.
We do not make the meeting ID public, even to you or your patients. Instead, we rely on what Zoom calls Start URLs and Join URLs. Those URLs are very long and practically impossible to guess. When you or your patient sign in to Embodia and click the join consult button, we fetch those URLs from Zoom (they expire every 2 hours) and add you directly to the consult, bypassing the need to provide a password because you are already authenticated on Embodia.
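The flow described above, as an added example that is not Embodia's own code: a server-side broker creates a meeting with a fresh random passcode, keeps the meeting ID and passcode on the server, checks that the authenticated user is actually a participant of the consult, and only then fetches a Start or Join URL from Zoom and hands it back. The Zoom client here is a constructed stand-in so the code runs offline; its field names (id, password, join_url, start_url) follow Zoom's meeting object, but the URL formats, the `zoom.example` host and the re-fetch behaviour are assumptions. A small `guess_space` helper also shows why a bare 10-digit ID is brute-forceable and a per-meeting passcode is not.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass

PASSCODE_ALPHABET = string.ascii_letters + string.digits
PASSCODE_LENGTH = 10


def generate_meeting_passcode(length: int = PASSCODE_LENGTH) -> str:
    """Per-meeting passcode from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(length))


def guess_space(id_digits: int = 10, passcode_length: int = 0,
                alphabet_size: int = len(PASSCODE_ALPHABET)) -> int:
    """Candidates an attacker must cover: meeting ID alone, or ID plus passcode."""
    return 10 ** id_digits * alphabet_size ** passcode_length


@dataclass
class ZoomMeeting:
    """Field names follow Zoom's meeting object; the values here are constructed."""
    id: int
    password: str
    join_url: str
    start_url: str


class FakeZoomClient:
    """Constructed stand-in for Zoom's meeting API (assumption, not Zoom's SDK)."""

    def __init__(self) -> None:
        self._meetings: dict[int, ZoomMeeting] = {}
        self.fetches = 0  # how often URLs were (re-)fetched, for inspection

    @staticmethod
    def _mint_urls(meeting_id: int) -> tuple[str, str]:
        # A real Start/Join URL embeds a long opaque token; 48 random bytes
        # stand in for it here (2**384 possibilities, not guessable).
        start = f"https://zoom.example/s/{meeting_id}?zak={secrets.token_urlsafe(48)}"
        join = f"https://zoom.example/j/{meeting_id}?tk={secrets.token_urlsafe(48)}"
        return start, join

    def create_meeting(self, passcode: str) -> ZoomMeeting:
        meeting_id = 10 ** 10 + secrets.randbelow(9 * 10 ** 10)  # 11-digit ID
        start_url, join_url = self._mint_urls(meeting_id)
        meeting = ZoomMeeting(meeting_id, passcode, join_url, start_url)
        self._meetings[meeting_id] = meeting
        return meeting

    def get_urls(self, meeting_id: int) -> tuple[str, str]:
        """Fresh URLs on every call, modelling the re-fetch the post describes."""
        self.fetches += 1
        meeting = self._meetings[meeting_id]
        meeting.start_url, meeting.join_url = self._mint_urls(meeting_id)
        return meeting.start_url, meeting.join_url


class ConsultService:
    """Server-side broker: meeting ID and passcode never leave this class."""

    def __init__(self, zoom: FakeZoomClient) -> None:
        self._zoom = zoom
        self._consults: dict[str, dict] = {}

    def create_consult(self, consult_id: str, provider_id: str, patient_id: str) -> None:
        passcode = generate_meeting_passcode()  # different for every meeting
        meeting = self._zoom.create_meeting(passcode)
        self._consults[consult_id] = {
            "meeting_id": meeting.id, "provider": provider_id, "patient": patient_id,
        }

    def client_view(self, consult_id: str) -> dict:
        """What the browser may see: participants only, no meeting ID, no passcode."""
        c = self._consults[consult_id]
        return {"consult_id": consult_id, "provider": c["provider"], "patient": c["patient"]}

    def join(self, consult_id: str, authenticated_user_id: str) -> str:
        """Called only after Embodia's own login has authenticated the user."""
        c = self._consults.get(consult_id)
        # Authorization is bound to the consult: only its provider or patient may join.
        if c is None or authenticated_user_id not in (c["provider"], c["patient"]):
            raise PermissionError("not a participant of this consult")
        start_url, join_url = self._zoom.get_urls(c["meeting_id"])
        # Host gets the Start URL, patient the Join URL; the URL's own token
        # replaces the passcode prompt.
        return start_url if authenticated_user_id == c["provider"] else join_url


if __name__ == "__main__":
    zoom = FakeZoomClient()
    svc = ConsultService(zoom)
    svc.create_consult("consult-1", "physio-1", "patient-1")
    print(svc.client_view("consult-1"))
    print(svc.join("consult-1", "patient-1"))
    print(f"ID only: {guess_space(10):.2e}  ID+passcode: {guess_space(10, 10):.2e}")
```

The point the code makes is that the only guessable secret (the numeric ID) is never shown to a client, and the unguessable one (the URL token) is released only to a user the application has already authenticated and authorized for that specific consult.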
Zoom for Healthcare is a secure and private platform, and joining a Zoom for Healthcare consult via Embodia adds a further layer of security and privacy. This is why each healthcare provider and patient has their own unique profile.
What did Zoom say?
We also reached out to Zoom, and they confirmed that our setup is secure.
Hope this email finds you well. There have been numerous reports about security and privacy issues with Zoom.
Can you confirm that with our BAA, Zoom is secure, HIPAA and PIPEDA compliant and our patients' data are not at risk?
Looking forward to hearing from you.
Elie Afif, CTO Embodia
Reply from Zoom:
Confirmed and we've addressed it in a couple of different ways (including restrictions on that SDK) via our blog posts, one of which from our CEO you can find here.
The alleged data they're referring to included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space. It did not include information and activities related to meetings such as attendees, names, notes, etc.
I hope this helps. Please let me know if you have any additional questions or concerns.
To our community of physiotherapists, occupational therapists, chiropractors, and rehabilitation professionals: Embodia is a secure and private platform that has integrated with Zoom for Healthcare to provide low-cost, private and secure telerehabilitation. We are here to support you; please reach out at any time: email@example.com