Updated: Oct 27
With healthcare continuing to move toward a hybrid care model that ties in-person care to virtual care, it’s important to be aware of the security vulnerabilities associated with video conferencing platforms like Zoom. The world has watched Zoombombing go from a harmless prank to a hacking strategy that puts sensitive data at risk. The security concerns surrounding platforms like Zoom, which email meeting links to end users, are more significant than ever, and these risks are particularly concerning for telehealth visits and healthcare-related message exchanges, where patient data is at stake. Although your EHR might be secure, sending telehealth links from your EHR to a patient’s email or cell phone leaves your patients’, providers’, and facilities’ EHR data exposed to cyber-attacks, because the link travels without encryption and can be exploited outside of the secure environment.
The vulnerabilities associated with Zoom have exposed a wide variety of issues that can have severe consequences, especially in healthcare. Zoom's claims of end-to-end encryption have been questioned, and connections routed through its servers could allow server-side decryption, jeopardizing patient, provider, and facility data privacy.
In the healthcare sector, where patient confidentiality is paramount and telehealth has rapidly gained traction, healthcare executives and patients should treat it as a vital concern that telehealth is delivered over HIPAA compliant telehealth platforms that safeguard medical records, diagnoses, and treatments. In Section 10.4 of Zoom’s Terms and Conditions, updated in March 2023, Zoom asked users to agree to “grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” for various purposes, including “machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof”, covering all data captured during Zoom meetings, whether in the form of chat or speech-to-text transcription.
Telehealth software solutions should employ industry-standard encryption practices, such as strong algorithms like AES-256, to shield data during transmission and storage. This level of encryption aligns with the recommendations of reputable entities like the CIA. In addition to AES-256, telehealth software should also comply with regulatory standards such as HIPAA, GDPR, HITRUST, SOC 2, and FedRAMP to provide the most secure environment possible.
The vulnerabilities and security lapses that have accompanied Zoom's popularity are stark reminders of the importance of taking the necessary security measures in any industry, but especially in healthcare. As telehealth continues to reshape the healthcare landscape, healthcare facilities must prioritize patient confidentiality, data integrity, and compliance with regulatory standards. Transitioning to HIPAA compliant telehealth platforms not only mitigates the risks associated with insecure platforms but also upholds the trust and confidence patients place in healthcare providers. In this era of information-centric healthcare, adopting secure technologies is not just a choice; it's a responsibility for patients' health data security and privacy.