As a provider in a small practice, you followed government guidelines and shut down non-emergency in-person visits for your practice in recent weeks. You finally jumped on the virtual care bandwagon and started offering virtual care visits to your patients. You picked Zoom because that’s what other providers around you were using. But now, you’ve read headlines and heard from colleagues that there are security and privacy concerns with Zoom. You’re wondering what you should do and are concerned about exposing yourself to security breaches. You don’t have a large IT department supporting you as hospitals or large practices do, so you’re not sure what to do.
Does this sound like your situation? If so, this blog post is for you — read on.
What Are The Issues With Zoom?
There is a long list of concerns that have been outlined in multiple news reports. Here is a quick rundown:
Hosts can record meetings, including the video, audio and chat transcripts. Users are notified when joining the meeting. These recordings are stored on Zoom servers or third-party storage depending on how the host account is configured. It was reported that thousands of private sessions recorded on external storage, including therapy sessions, were left exposed on the open web.
Exposing User Data
Zoom shares personal data with third-party providers for advertising purposes. While that is common for many business applications, it is of much greater concern for applications used to provide care. There have also been reports of Zoom leaking users’ email addresses and photos to other users.
Zoom encrypts data in transit between users and its servers, but it does not use the gold standard of “end-to-end encryption”. This means that Zoom could theoretically listen in on your video sessions, and you must trust them not to do so.
It was also found that part of their traffic is routed through China, which gives rise to concerns that the Chinese government could be listening in on Zoom sessions. While this risk is real and should be of great concern to state actors, it’s difficult to determine what the level of threat is to you and your patients. There are many technologies commonly found in your house, office, and devices that could also pose similar threats: smart home devices, Huawei phones or equipment, the TikTok app, etc.
Your Zoom account is linked to a randomly generated virtual meeting room number. Once you’ve shared this number with patients, you run the risk of one of them dropping in and surprising you (or dialing in without video). There are many news reports of individuals dropping into online classes and sharing lewd content using desktop sharing features.
Past security issues
Several additional vulnerabilities were discovered with the service over the past year. The company has typically been quick to address and fix the issues once made aware.
What Should You Do If You’re Already Using Zoom?
In a way, Zoom is a victim of its success. It was designed for ease of use in a business context, not healthcare. It’s getting much more attention now than ever before, which has inevitably exposed its flaws. Many of these issues are not unique to Zoom. It has also been successful in handling an incredible technical challenge with an increase in users from 10 to 200 million in just a few months. This gives me faith that they have the technical wherewithal to handle security flaws that surface.
So, should you continue using Zoom?
If you are using their “free” or “business” plans (which start at $15/month), I highly recommend switching to their healthcare-specific solution, which costs $200+/month for 10+ providers. This version includes increased safeguards to protect personal health information. Many health systems and large practices have done a full security risk assessment of this offering and chosen to use it.
Best Practices With Zoom
If you opt to keep using Zoom, you should follow these best practices:
- Always use the automatically generated meeting ID (not your “personal meeting ID”)
- Use separate meetings for each patient (don’t re-use a meeting ID for multiple patients)
- Enable meeting passwords (default in Zoom Healthcare)
- Use Waiting Rooms (default in Zoom Healthcare)
- Lock a meeting once a virtual visit starts
- Always keep the Zoom application updated on your mobile device and computer to ensure you are using the most secure version.
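The first four items in that list are account and meeting settings you can check before each visit rather than rules you have to remember. The script below is an added example (not from the original post and not Zoom’s own tooling) that audits a list of scheduled visits against those four points. The field names `use_pmi`, `password` and `settings.waiting_room` are assumed to mirror Zoom’s API meeting object; verify them against your own account’s export before relying on the output. The sample export is constructed for illustration.

```python
"""Audit scheduled virtual-visit meetings against the best practices above:
auto-generated meeting ID, one meeting per patient, password set, waiting room on.
Added example; field names are an assumption modelled on Zoom's API meeting
object and should be checked against a real export from your account."""
import json
from collections import Counter

# Constructed sample: three scheduled visits from a hypothetical account export.
SAMPLE_EXPORT = json.dumps([
    # Visit A uses the personal meeting ID, has no password and no waiting room.
    {"id": 111111111, "topic": "Visit - Patient A", "password": "",
     "settings": {"use_pmi": True, "waiting_room": False}},
    # Visits B and C are configured correctly but share the same meeting ID.
    {"id": 222222222, "topic": "Visit - Patient B", "password": "7x4Qp9",
     "settings": {"use_pmi": False, "waiting_room": True}},
    {"id": 222222222, "topic": "Visit - Patient C", "password": "7x4Qp9",
     "settings": {"use_pmi": False, "waiting_room": True}},
])


def audit_meeting(meeting):
    """Return a list of findings for one meeting; an empty list means it passes."""
    findings = []
    settings = meeting.get("settings", {})
    if settings.get("use_pmi", False):
        findings.append("uses personal meeting ID; use an automatically generated ID")
    if not meeting.get("password"):
        findings.append("no meeting password set")
    if not settings.get("waiting_room", False):
        findings.append("waiting room disabled")
    return findings


def audit_export(export_json):
    """Audit every meeting in a JSON export and flag meeting IDs shared by more
    than one visit. Returns a dict of {meeting topic: [findings]}."""
    meetings = json.loads(export_json)
    id_counts = Counter(m["id"] for m in meetings)
    report = {}
    for m in meetings:
        findings = audit_meeting(m)
        if id_counts[m["id"]] > 1:
            findings.append(
                "meeting ID reused across %d visits; schedule one meeting per patient"
                % id_counts[m["id"]])
        report[m["topic"]] = findings
    return report


if __name__ == "__main__":
    for topic, findings in audit_export(SAMPLE_EXPORT).items():
        print(("OK    " if not findings else "REVIEW"), topic)
        for finding in findings:
            print("       -", finding)
```

Run it against an export of your upcoming visits before the day starts; anything marked REVIEW is a setting to correct in the Zoom client, not a reason to cancel the visit. Locking the meeting once the patient has joined and keeping the client updated remain manual steps.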
The cost of Zoom Healthcare might be prohibitive for many solo or small practices, in which case you might want to look into the alternatives listed below. Note that none of these alternatives have received the level of scrutiny that Zoom has, and thus might have security shortcomings yet to be uncovered.
Picking Your Video Consult Solution
My general recommendation is to use solutions that have been expressly designed for healthcare use and that also offer additional features like appointment booking, payment processing or secure messaging. These tools were developed with privacy by design for healthcare uses, which might have the drawback of being slightly harder to use as a reasonable tradeoff for increased privacy and security.
The first thing you should do is check if your electronic health record has a videoconferencing module or service. There are typically many benefits to using integrated tools, from a privacy and security perspective, but also in terms of integrated scheduling, electronic payment, and visit notes.
If that is not viable, then I recommend you assess the options outlined below for your specific needs.
Alternatives To Zoom
These standalone video visit solutions have been shortlisted based on a long list of requirements we use when conducting market scans and advising clients in the US and Canada, which include: comprehensive features useful to practices, technical performance, security, privacy, ease of use for patients, ease of use for providers, value for money, integration options, accessibility, and support services.
I’ve intentionally omitted video conferencing solutions like Skype, Microsoft Teams, Apple Facetime and Google Hangouts/Meet. While they all offer some layer of security and could be appropriate for your use with adequate configuration, they don’t offer the same privacy by design and added healthcare-specific features of the list below.
Take your time to compare each tool as they all offer different features and benefits. Pricing below is per provider for the recommended feature set. Some also offer free trials.
- Adracare: $14–39/month
- Doxy.me: $35/month
- Dr First: Starting $25/month
- Medici: No public pricing
- OnCall Health: No public pricing
- Reacts: $10/month
- Thera-LINK: $40–65/month (for mental/behavioral health providers)
- VSee Clinic: $49/month
Other Important Considerations
It is always best practice to confirm the identity of a patient at the beginning of a virtual visit.
Some virtual care solutions handle patient consent at sign up. If you don’t already have a consent on file from your patient regarding virtual care and the communication of personal health information with them using electronic means (email, text message, etc.), you will want to collect their consent explicitly before their first virtual session with you. Many professional associations are providing sample verbiage to use in such forms. In the absence of a form, it is recommended to request the patient’s consent verbally and document their response in your clinical notes for the session.
Finally, as is the case for any electronic system where you might have personal health information, you should always enable two-factor authentication and pick a unique password you are not using with any other system.