HIPAA Compliance and Zoom Video Conferencing


Is Zoom HIPAA/HITECH compliant?

Zoom is a widely used enterprise video communications platform offering cloud-based video and audio conferencing, chat, and webinars. Zoom's free and non-business plans are not HIPAA compliant: Zoom will not sign the Business Associate Agreement (BAA) that HIPAA requires on those plans, and the additional security settings described below are not available on them. Zoom does, however, offer a HIPAA-enabled Telehealth plan for business accounts.

Zoom’s HIPAA compliant Telehealth plans can be viewed at https://zoom.us/buy?plan=biz

Can a healthcare entity use Zoom video conferencing as a Telehealth or video conferencing platform with a patient?

The short answer is “Yes”, provided a BAA is in place and the account is configured as described below. Zoom’s business plan encrypts audio, video, screen sharing and chat in transit and provides meeting access controls, so a network eavesdropper cannot read the session. One caveat: the encryption Zoom marketed as “end-to-end” at the time was client-to-server transport encryption, meaning Zoom’s own servers handle the media; Zoom states that it does not access identifiable health information, and the BAA is the contractual control that binds it to that. Health care entities providing home healthcare, virtual patient care workflows, remote patient monitoring, remote specialist visits, population health management, and education providers can leverage the Zoom Telehealth platform.

Does Zoom sign BAA with Covered Entity or a Business Associate?

Zoom signs a BAA with business plan account holders; the details of the BAA can be viewed at https://support.zoom.us/hc/en-us/articles/207652183-HIPAA-Business-Associate-Agreement-BAA-

What do you need to do to make the Zoom conferencing HIPAA compliant?

Once you sign the BAA with Zoom, the following changes are applied to your account to make it HIPAA compliant (some of them remove convenience features, so plan for them before migrating workflows):

  1. The setting Require Encryption for 3rd Party Endpoints (H323/SIP) is enabled for all members of your account, so legacy room systems cannot join unencrypted.
  2. Cloud Recording is disabled. Any recordings are then stored locally on the host’s machine and must be protected as PHI by your own controls.
  3. Device and user information is removed from logging and reporting.
  4. Encrypted Chat is enabled.

Has the Zoom video conference been hacked?

Before you sign up for a Zoom plan, also review the published security flaws in the Zoom cloud meeting platform:

CVE-2019-13567: The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden webserver) is running, but the Zoom Client is not installed or can’t be opened, an attacker can remotely execute code with a maliciously crafted launch URL. NOTE: ZoomOpener is removed by the Apple Malware Removal Tool (MRT) if this tool is enabled and has the 2019-07-10 MRTConfigData.

CVE-2019-13450: In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the webserver, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
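The workaround steps listed in the CVE-2019-13450 entry above (stop the hidden web server, replace ~/.zoomus with a plain file so the daemon cannot be reinstalled there, set the ZDisableVideo preference) can be scripted and audited. The following is an added example written for this page, not code from Zoom or from the original advisory. The function names and the --apply switch are this example's own; the us.zoom.config.plist location for ZDisableVideo is an assumption taken from the published mitigation, and the home directory is passed as an argument so the file-system step can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the original article or from Zoom.
# Audits a macOS host for the CVE-2019-13450 local web server (ZoomOpener on
# localhost ports 19421/19424) and applies the advisory's workaround:
# stop the daemon, replace ~/.zoomus with a plain file, set ZDisableVideo.
# Assumption: ZDisableVideo lives in ~/Library/Preferences/us.zoom.config.plist.

ZOOM_PORTS="19421 19424"

# Return 0 if anything is listening on a ZoomOpener port.
# Uses lsof when available (macOS ships it), otherwise netstat.
zoom_listener_present() {
  for port in $ZOOM_PORTS; do
    if command -v lsof >/dev/null 2>&1; then
      lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1 && return 0
    elif command -v netstat >/dev/null 2>&1; then
      netstat -an 2>/dev/null | grep -q "[.:]$port .*LISTEN" && return 0
    fi
  done
  return 1
}

# Kill the hidden web server process if it is running.
stop_zoomopener() {
  pkill -f ZoomOpener 2>/dev/null || true
}

# Replace $1/.zoomus (the directory the daemon is installed into) with an
# empty regular file. A file at that path blocks re-creation of the directory.
# Returns 0 only when a plain file is in place afterwards.
neutralize_zoomus_dir() {
  home="$1"
  if [ -d "$home/.zoomus" ]; then
    rm -rf "$home/.zoomus"
  fi
  [ -e "$home/.zoomus" ] || : > "$home/.zoomus"
  [ -f "$home/.zoomus" ] && [ ! -d "$home/.zoomus" ]
}

# Make the client join meetings with video off by default (ZDisableVideo).
disable_auto_video() {
  home="$1"
  if command -v defaults >/dev/null 2>&1; then
    defaults write "$home/Library/Preferences/us.zoom.config.plist" ZDisableVideo -bool YES
  else
    echo "defaults(1) not found; set ZDisableVideo manually on macOS" >&2
    return 1
  fi
}

# Apply the whole workaround against the given home directory and re-check.
harden_zoom_host() {
  home="${1:-$HOME}"
  stop_zoomopener
  neutralize_zoomus_dir "$home" || return 1
  disable_auto_video "$home" || true
  if zoom_listener_present; then
    echo "warning: a listener is still bound to 19421/19424" >&2
    return 2
  fi
  return 0
}

# No arguments: audit only. --apply: run the workaround against $HOME.
case "${1:-}" in
  --apply) harden_zoom_host "$HOME" ;;
  "") if zoom_listener_present; then
        echo "ZoomOpener listener detected on 19421/19424"
      else
        echo "no listener on 19421/19424"
      fi ;;
esac
```

Run it once without arguments to see whether the leftover daemon is bound to the localhost ports, and with --apply to remove it; note that Apple's Malware Removal Tool later removed ZoomOpener on its own, so on an up-to-date Mac the audit should report no listener.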

CVE-2018-15715: Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.

CVE-2014-5811: The ZOOM Cloud Meetings (aka us.zoom.videomeetings) application @7F060008 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Is Zoom video conferencing best for Healthcare companies?

Based on feedback from several thousand users and the demand created by the Coronavirus disease outbreak, the Zoom healthcare plan has become one of the more popular telehealth and video conferencing platforms for remote patient care.

Learn how databrackets can help your organization and vendors become HIPAA compliant >>

Our mission is to assist organizations in developing and implementing practices to secure data and comply with regulations. With several years of experience in the IT and health care industries, databrackets is poised to meet the needs of your organization via: - Consulting Services - Online, Do-it-yourself Toolkits for Security Risk Assessment - Education (Training, Webinar, and Workshops) For details on how databrackets can provide customized assistance for your organization, please contact us at info@databrackets.com.
