Health providers are turning to a range of telehealth solutions to enable them to continue to safely provide healthcare to patients during the COVID-19 alerts. Zoom is one solution becoming increasingly popular with health providers and consumers, and while Zoom is not risk-free, the Telehealth Leadership Group (TLG) supports its use when appropriately implemented.
Telehealth Leadership Group: Zoom Security Advice for Health Providers
Standard of care
Providers should always ensure the treatment provided during a telehealth consultation meets the same standard of care as provided in an in-person consultation. For every consultation, the patient's identity should be confirmed, they should be advised of any risks of telehealth, and their consent should be obtained before the consultation proceeds.
Security advice for health providers
Several large health providers in NZ have completed a detailed investigation into Zoom, so some confidence can be taken in using Zoom for telehealth solutions during the COVID-19 pandemic.
Our advice when using Zoom is to:
Before your consultation:
- Software updates: We are all familiar with updating phone apps and desktop software solutions. These updates provide feature improvements and patch security vulnerabilities, and Zoom is no different. Like all software, it is essential that all Zoom updates are applied as soon as they are available. You should usually be prompted when an update is available.
- Use a meeting room password: We recommend setting a unique meeting password for all meetings and consultations. This password can be sent to patients utilising the 'send encrypted password option'. This will still enable patients to join with 'one-click' but will stop another person entering the call.
- Meeting ID: use a randomly generated meeting ID rather than your personal meeting ID.
- Waiting Room: disable the 'join before host' feature and enable the 'waiting room' feature.
- Chat: consider disabling chat functionality. Disable auto-saving chat messages.
- Doorbell: select 'play sound when participants join or leave'. This should be set to be heard by the host and all attendees.
Once the meeting or consultation has started:
- Check attendees: check who is on the call before sensitive information is discussed.
- Lock the session: when everyone you were expecting to join the meeting or consultation has joined, select the participants panel, click 'More' and then 'Lock Meeting'.
Other advice for consideration:
- Use the desktop application where possible: Our advice is for all users to use the Zoom desktop application where possible. If that is not possible, Zoom's in-browser functionality should be used. The Zoom mobile app should be used as a last resort, as the mobile platforms' tracking and privacy implications are less clear.
- Sign in to Zoom where possible: Health providers should sign in to Zoom, and multi-factor authentication should be used to provide additional security where available for larger organisations.
All health providers should be aware of, and work towards completing, a Privacy Impact Assessment and Cloud Risk Assessment. The TLG will provide some additional support and advice to providers to help in this process.
- Privacy Commissioner: Privacy Impact Assessment
- Digital.govt.nz: Cloud Risk Assessment Page
- GCSB: Zoom Security Advice for Public Servants
Zoom.US & ConnectNZ
Users are able to sign up to a Zoom account either directly with Zoom in the US (www.zoom.us), or through ConnectNZ (www.connectnz.co.nz). Although the features are the same through both channels, one of the main benefits of registering through the NZ partner is that users are able to access an NZ-based support team. If you want to discuss Zoom functionality, you can schedule a support call with the Connect NZ team using this booking form.
Connect NZ are able to migrate US-based accounts if required.
There is a range of price and functionality levels available. Although it is relatively easy to move between these levels, it is important to understand the different functionality available at each level. We are currently assessing if there are any recommended security settings (see below) that are not available on the Free account, but we are not aware of any at this time.
Zoom Free: The main limitation of Zoom Free is that meetings are limited to 40 minutes, so it is an ideal starting point for many smaller health providers and suitable for simple patient consultations.
Zoom Pro (Licensed): The first paid tier of Zoom removes the 40-minute limitation and also gives some additional functionality that is particularly useful for medium to large-sized health providers. Mid-sized health providers will appreciate the administration role, which enables them to administer both their free and paid user accounts. The administrator can also set advanced meeting controls, such as enabling and disabling recording, chat and notifications.
Zoom Business (minimum of 10 paid users): This tier gives expanded administrator controls, including a dashboard where overall usage can be monitored, as well as detailed user reporting and performance. The administrator is also able to customise further, including custom branding and custom emails.