At Ambiki we are working on a HIPAA-compliant alternative to Zoom, tailored specifically to the needs of pediatric speech, occupational, and physical therapists.
While Zoom advertises a HIPAA-compliant version, it is not actually HIPAA compliant - and it is putting your patients' Protected Health Information (PHI) at risk.
Specifically, Zoom's feature that allows a participant to gain remote control over another participant's computer violates the Security Rule, which requires "covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI". Covered entities must "Identify and protect against reasonably anticipated threats to the security or integrity of the information".
It is a reasonably anticipated threat that giving someone unfettered access to a computer that contains PHI or has tabs open logged into EMRs that contain PHI may result in said PHI being viewed by an unauthorized party.
Allowing a patient to remotely control a therapist's computer is the equivalent of leaving a computer logged into an EMR in the waiting room of a clinic.
In fact, by including this feature in their "HIPAA-compliant" offering, Zoom has actually done our whole profession a disservice by pulling the wool over therapists' eyes - so many therapists are now conditioned to allow patients remote access/control to their computer without thinking twice.
Why even allow remote control in the first place? Therapists often share resources or materials with patients and want them to interact with those materials (e.g. show them the letters A and B and ask them to click on the B). Remote control in a screen share environment is one way to make this happen.
At Ambiki we have solved this problem in a different and safer way with our innovative Click Beacon™. Ambiki's Click Beacon™ allows the therapist to see where on their screen the patient clicks while the therapist is sharing their screen or a resource - without actually granting the patient remote access to the therapist's computer (and vice versa). It is HIPAA compliant. It maintains the interactivity needed between therapist and patient without the need to give one party access to the other party's computer.
During the pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued a temporary notice that it would exercise enforcement discretion against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency if they were using platforms that were not HIPAA compliant.
We are now 2+ years into the pandemic and health care providers have had ample opportunity to find a HIPAA-compliant platform for teletherapy which includes a Business Associate Agreement (BAA). It's time we get back to protecting our patients - and that means choosing a teletherapy platform that was actually built to meet the needs of therapists and one that is implemented in a safe and secure way that protects PHI.
Zoom has consistently had a lax record on security and privacy. It is no surprise that they cut corners in understanding the healthcare industry and the principles of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- 07/09/2019 Zoom security flaw could let websites turn on your Mac’s webcam without permission
- 03/26/2020 Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
- 03/30/2020 COVID-19 Impact: Cyber Criminals Target Zoom Domains
- 04/01/2020 Zoom Users Beware: Here’s How A Flaw Allows Attackers To Take Over Your Mac Microphone And Webcam
- 04/02/2020 ‘malware-like’ macOS installer
- 04/02/2020 Thousands of Zoom video calls left exposed on open Web
- 04/03/2020 Move Fast and Roll Your Own Crypto - A Quick Look at the Confidentiality of Zoom Meetings
- 04/04/2020 Zoom admits some calls were routed through China by mistake
- 04/10/2020 Zooming in on the Target: Cybercriminals Automate Attacks Against Remote Workers
- 04/15/2020 Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000
- 04/20/2020 ‘War Dialing’ Tool Exposes Zoom’s Password Problems
- 04/20/2020 Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox
- 04/21/2020 Vulnerability Spotlight: Zoom Communications user enumeration
- 05/21/2020 Hacked Zoom installers taking over PCs
- 06/04/2020 Cisco Talos reveals two serious Zoom flaws [1] [2]
- 07/10/2020 Remote takeover flaw
- 07/31/2020 Security flaw would have allowed anyone to join a public meeting
- 11/06/2020 Zoom keystroke snooping
- 11/10/2020 FTC says Zoom lied about security
- 12/07/2020 Zoom phishing scams
- 12/21/2020 Zoom executive accused of being Chinese spy
- 03/19/2021 Flaw lets other Zoom users see way too much
- 04/08/2021 Zoom flaw lets hackers hijack PCs and Macs
- 07/31/2021 Zoom settles class-action lawsuit
- 01/29/2022 Zoom Security Issues Are a Wakeup Call for Enterprises
- 02/10/2022 Mac microphones not turning off
- 05/25/2022 Tricking users into downgrading their Zoom client