Video Teleconferencing Security Tips for Zoom

As there are reports of security concerns regarding the use of Zoom for healthcare video teleconferencing, please read the following security tips regarding the use of Zoom (any version or product) and apply all or any of these to your meeting invite. These tips can be enabled under “Settings” in Zoom.

• Use a computer-to-computer connection when possible to enable encryption of telecommunications.
  • Use of phone-to-computer communications via teleconferencing product should be used as last resort, as this type of communication is not fully encrypted due to partial phone network usage.
• Require password for meeting entry.
  • Regardless if via computer or by phone, you can set this up in the meeting settings.

• Require unique meeting ID for each meeting invite.
  • Always use a button called “generate automatically” when it comes to scheduling Zoom meetings. This ensures that each provider-to-patient transaction has a unique meeting ID and password.
• Never use your personal meeting ID.
  • Each Zoom user has their own personal meeting ID. Think of this as your Zoom phone number.
• Do not schedule “Recurring Meetings.”
  • These types of meetings use the same meeting ID.
• Lock your Zoom sessions: Once everyone is in, go to the Participants drop-down menu and select “Lock Session.”
  • This prevents any other participants from joining the meeting.
• Set screen-sharing to “Host only.”
  • This way only the host can delegate screen sharing to others in the meeting (if needed).
• ALWAYS enable a feature called “Waiting Room.”
  • With this feature a meeting host is created. This allows the host (provider) to “admit” any other participant (patient) into the meeting.
• Require meeting registration.
  • This shows you every email address of everyone who signed up to join your meeting and can help you evaluate who’s attending. Please see below:

• Set your registration approval setting.
  • You can configure the registration process by changing the approval type. There are two types of approval:
    • Automatic Approval: Anyone who signs up will receive information on how to join.
    • Manual Approval: Anyone who signs up will need to be approved by the host on the meeting management page.
      • Select this option when discussing patient health information.
  • As the host, you can opt in or out for email notifications when someone registers. You can also turn off registrations after the scheduled meeting time has passed.

• Enable authentication profiles at the user level.
  • Sign into the Zoom and navigate to settings. Enable “Only authenticated users can join meetings.” Checking this box means only participants of your meeting who are signed into their Zoom accounts can access this particular meeting.

• Disable join before host.
  • Participants cannot join meeting before the host joins and will see a pop-up that says, “The meeting is waiting for the host to join.”
  • If you are the host, there is a login button to log in and start the meeting as the host.
• Ensure Zoom software is up to date.
  • Contact your organization’s help desk or ask your Zoom vendor contact for any security updates/patches and/or software upgrades that are necessary. Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Make sure you only download software updates from trusted vendor websites.
  • Do not trust a link in an email message – attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Users should also be suspicious of email messages that claim to have a software update file attached. These attachments may contain malware. Always verify updates with your help desk or vendor directly.

Recently, Zoom announced it will be updating to Zoom 5.0. The platform is slated to be upgraded with the AES 256-bit GCM encryption standard on May 30.

Additional new features include new controls that allow meeting hosts to report users to Zoom. Meeting hosts will be able to report a participant during a meeting by clicking on the Security icon, then Report. Also, “Waiting Room” will be turned on by default for education, Basic, and single-license Pro accounts so hosts can approve each participant individually. Meeting passwords will also be on by default for most customers in Zoom 5.0. For administrative accounts, account admins will be able to alter the complexity of meeting passwords.

Even with these new functionalities, users should continue to be vigilant in their use of any teleconferencing solution. Teleconferencing products provide convenience for remote work, but there are a variety of security risks that need to be fully understood by the users for the safety of patients, providers, and organizations.