Zoom is not suitable for telehealth

I'm in the operations team that works behind the scenes with Cliniko. I help design and administer the systems that keep our platform online, fast, and secure. Making the decisions required to keep your data safe is exactly what we’ve been trained for. We’re devoted to what we do, and any security threat will literally keep us awake at night.

That's why the wide-spread adoption of certain tools for telehealth causes me great concern. I've recently seen countless articles and groups recommending generic video conferencing software for a quick telehealth solution. One tool in particular seems especially unsuitable for such a sensitive role in your practice. And, although we've agonized about whether we should name names, we feel the danger in remaining silent far outweighs that risk.

There has been a great interest in the use of Zoom for telehealth. Even on our own community forum, our members have touted how ‘safe and secure it clearly is’. But, as a security professional, I cannot, in good conscience, let this information be shared, without imploring you to dig deeper.

Zoom has had, and continues to have many glaring security issues—issues that indicate they put profits above privacy. Considering telehealth is about transmitting patient health information, primarily via video, it’s essential we hold the tools to the same standard as any other health record system. If we do that, Zoom would never even be considered.

So what exactly has Zoom done wrong? Well, it feels like almost daily a vulnerability is found, or at a minimum, extremely questionable privacy decisions are uncovered.

These are some examples:

• You may have heard of the recently coined term “Zoom-bombing”. There have been many cases of malicious actors joining zoom meetings uninvited, to share pornography, profanity and other offensive acts. This is enabled by Zoom’s lax security defaults, and in the past, by predictable meeting IDs. Zoom has been improving the security defaults after coming under scrutiny, but this should never have been the case.
• Zoom’s claim of end-to-end encryption is misleading marketing. Their “version” of end to end encryption, allows them to access unencrypted audio and video from your meetings. True end-to-end encryption would prohibit this.
• Thousands of users have had their personal information leaked to strangers. Zoom has a “Company Directory” setting that automatically adds other people to a user’s list of contacts, if the address shares the same domain. Many have encountered this when using their ISP provided email address.
• The Zoom iOS app sent users data to Facebook, even if they didn’t have a Facebook account. There was nothing in their privacy policy to address this. This casts serious doubt of the accuracy and truthfulness of their privacy policy.
• There is a security flaw in Zoom chat that allows malicious links (UNC path injection) to be posted in Zoom chat. When clicked, by an unsuspecting user, malware could be installed on your device, and your device password can be leaked to the attacker.

Sadly, this isn’t even an all-inclusive list. Their track record for security and privacy is horrendous.

Even with all this bad news, we’re not going as far as saying never use Zoom. We are saying never use Zoom for telehealth. You have an ethical and legal responsibility to your patients to protect their healthcare information. It would be negligent to trust Zoom in transmitting this information.

So what should you look for in a telehealth solution? Let’s start with safety and security. Be sure to vet the application thoroughly, especially if the platform requires attendees to install an application. A quick Google search for the platform's name and the words “security issues” will show you what kind of standing they have in the tech community.

Does the application encrypt video streams? Even some professional organizations have trouble with the terms and technologies used for encryption. A standard such as TLS (particularly DTLS) or SRTP are modern standards for web-based video/streaming encryption, as opposed to the older SSL standard that is no longer considered secure.

Peer to peer (P2P) is a term used to indicate that your system connects directly to the device in use by the person on the other end of the conversation with no “middle man”. Unfortunately, some have subverted this term, claiming their servers are one of the “peers” that you connect to. It’s not a requirement to be peer to peer, but it’s certainly your safest bet.

Ease of use is also important, and trying the tools out first is a valuable exercise. But this is only a useful point if the application has already been proven to be a secure and viable option. When it comes to your clients’ private information, security should come first.

No matter who you choose for your telehealth needs, I wish you the best of health and success in these challenging times.