Health care providers using (or considering) teleconferencing software Zoom, heed this important warning: serious security, privacy, and data protection issues reportedly plague the product, leading several public and private entities to discontinue use.
During the COVID-19 crisis, federal and state agencies encouraged provider flexibility for the sake of continuing care. The US Department of Health and Human Services (HHS) made special HIPAA penalty exemptions for providers who, in good faith, turn to telehealth services. California’s Division of Workers’ Comp (DWC) has broadly encouraged telehealth as a means of remotely treating injured workers.
But as providers adopt new tools to enable remote treatment, cybersecurity and privacy warrant careful consideration.
Catastrophic Success for Zoom
It seems appropriate that “zoom” is an onomatopoeia for something rollercoasters do.
As the threat of coronavirus forced countless professionals to work exclusively online, Zoom saw astonishing growth almost literally overnight. But all that new business exposed significant gaps in the platform’s defenses against cyberthreats, leading to headlines like the Guardian’s “‘Zoom Is Malware’.”
Zoom users have experienced a range of privacy violations, including:
- Private recordings of Zoom meetings, including some containing sensitive information, being easily found and exposed online.
- Zoom account information compromised, including the information of at least one major healthcare provider, as hackers recognized the platform’s vulnerability and moved in.
- “Zoom bombings,” in which uninvited parties invade and hijack Zoom meetings.
Soon enough, entities from public school districts to national governments decided the risks associated with using Zoom were too great, and terminated use. Zoom founder and CEO Eric S. Yuan offered an explanation and promised to do better while encouraging remaining users to utilize the software’s existing security measures.
Telehealth and Privacy During COVID-19
The US Health and Human Services Office for Civil Rights (OCR) is waiving HIPAA violation penalties against providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
For telehealth purposes, providers should consider using only the known popular applications recommended in the OCR notice: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Providers should also enable all available encryption and privacy modes when using such applications. We also encourage providers to notify patients that these third-party applications potentially introduce privacy risks.
Telehealth and Privacy for California Workers’ Comp
As California’s Division of Workers’ Compensation (DWC) promotes “creative solutions” for continuing care to injured workers, including telehealth services, providers must carefully weigh their options regarding appropriate software tools. Telehealth cybersecurity is a new, but crucial, consideration during the current COVID-19 crisis.
The California DWC broadly encouraged providers to utilize telehealth services in their March 19 Newsline. In a March 28 follow-up, the DWC defined the technological requirements of a billable telehealth visit:
“Telehealth options include remote visits via video-conferencing, video-calling or similar such [sic] technology that allows each party to see each other via a video connection.”
Any remote visit in which provider and patient can see — and not just hear — each other fulfills DWC standards. As providers consider the confidentiality of medical services and take the necessary steps to protect the privacy of both parties, a wide range of options that meet DWC standards is available. We strongly encourage providers to devote some time to thoroughly research those tools.
No software is impervious to malicious online actors, but providers should consider the security reputation of any platform used to treat injured workers remotely.
For more on telehealth rules for Medicare, California health insurers, and California workers’ compensation, look through the free resources available on our COVID-19 page.