Sunday, May 24, 2026

What the Zoom settlement means for healthcare providers


A year ago, when clinics were scrambling to figure out how to deal with a new virus, regulators opened the door on what tools they could use for virtual doctor visits. Currently, they can use Zoom, Skype, Facebook Messenger or a large number of other platforms without facing penalties from the Department of Health and Human Services’ Office for Civil Rights.

But a recent class action settlement with Zoom Video Communications may give healthcare providers pause when evaluating which tools to use.

Zoom will have to pay $85 million to resolve allegations that it shared users’ personal information with Facebook and Google without their consent and lied about its encryption practices. These terms have not been approved by US District Judge Lucy Koh.

Although the focus of the settlement is to compensate users of the Zoom service, there are some important lessons for healthcare providers.

“The emergence of Covid provides new relevance for Zoom and other similar technology platforms, but it also draws attention to their risks and limitations,” ClearDATA founder and chief privacy and security officer Chris Bowen wrote in an email. “Fortunately, we have seen Zoom quickly and adequately fix some obvious security issues, but since then, other privacy issues that are also problematic have also been exposed.”

The problem first surfaced after Zoom last year reached a settlement with the Federal Trade Commission over telling users that it provided end-to-end, 256-bit encryption, which was touted in the HIPAA compliance guidelines for healthcare products.

Zoom actually used a shorter encryption key, and it also had access to the encryption key, which allowed it to view the content of users’ meetings, according to the FTC’s complaint. The company has since updated its security practices.

In a class action lawsuit, the company also faces allegations that it shares user data with social media companies such as Facebook, Google, and LinkedIn through its software development kit (SDK). This information includes the user’s unique advertising identifier and the type of device they used to access Zoom. One of the plaintiffs, a physical therapist, had been using the paid version of the Zoom video conferencing service to see her patients when the pandemic began.

According to the settlement agreement, Zoom must not reintegrate Facebook’s SDK within one year and must require Facebook to delete any data it obtained about US users.

“The privacy impact is the same as any other sensitive data breach, without the user’s explicit permission at all,” Bowen added. “This is a huge lesson and insight for the industry - an obvious reminder that health data cannot and should not be used, and our other behavioral data is aggregated for consumer marketing.”

When asked about the settlement agreement, Zoom pointed to the changes the company made in the last year, including adding meeting passwords and waiting rooms and restricting screen sharing.

“We are proud of the progress we have made on the platform and look forward to continuing to innovate in the areas of privacy and security,” a company spokesperson wrote in an email.

Recently, the company began touting a version of its Zoom for Healthcare platform for smaller practices and a feature that allows people to access video in a browser instead of its app. Healthcare practices need to purchase a paid version of its software in order to obtain a signed business associate agreement.

Photo credit: elenabs, Getty Images


