Moving to Virtual Care: Pros & Cons of Different Platforms

Our IT department has recommended PexIP.  I work for the Saskatchewan Health Authority.  Zoom has been expressly not authorized for us.

We are paying for the higher grade Zoom (Centre for Innovation in Peer Support @Support & Housing-Halton because they have updated many privacy protocols and adding in features such as password and "lock the room" features. Our privacy consultant expressed that with Zoom updates and other considerations that we are "good to stay with it".

We also researched this extra info from an Ontario Health update.

1. Update to the latest supported version of Zoom
2. Consider not using Zoom to host meetings that are expected to involve sensitive information. If you absolutely must use Zoom for sensitive conferences, consider using the Business or Enterprise versions of Zoom to take advantage of the feature allowing you to host conference data on your own server
3. Add a strong password to ALL meetings and use the Waiting Room feature
4. Ensure users are not exposing meeting ID’s or passwords on Social Media
5. Consider configuring Zoom to only allow the meeting host to share their screen
6. Lock meetings when all participants have joined
7. Be mindful of phishing messages impersonating Zoom meeting invites
8. Be mindful that conference participants can potentially record video and audio of conferences
9. Validate that you are following your teleconferencing software’s security features and that it is configured correctly

 Zoom and Zoom Telehealth

There isn't a separate "Zoom for Telehealth" product. The recipe for Zoom Telehealth is Zoom Business Meeting licenses + Zoom BAA (and the HIPAA/PIPEDA controls implemented by it) 

 So the meeting controls, etc., are exactly the same as the Business Licenses, with one notable exception; the compliance laws don't like potential PHI in the cloud, so cloud recording gets turned off. You can still record meetings locally, if you wish. 

More info.............

Below is a summary from zoom’s blog, their website and their data sheets.

Zoom Healthcare summary-Launched as early as fall 2018

Sources:

https://blog.zoom.us/wordpress...da-phipa-compliance/

https://zoom.us/healthcare

https://zoom.us/docs/doc/PIPED...mpliance%20Guide.pdf

 HIPAA/PIPEDA plans start at $200 per month per account, which comes with 10 hosts.
Please contact sales for signed BAA for HIPAA compliance and to learn about 1, 2 and 3 year pre-paid packages. This is likely 200 USD, I will find out.

How does Zoom protect its customers data? Zoom’s commitment to protecting the security and privacy of our customers’ data includes:

• Submitting our privacy practices to independent assessment and certification with TrustArc
• Undergoing an annual SSAE-16 SOC 2 audit by a qualified independent third-party
• Performing regular vulnerability scans and penetration tests to evaluate our security posture and identify new threats

Are there any PIPEDA or PHIPA certification programs? No. Currently there are no PIPEDA or PHIPA certification programs to assess third-party compliance.

How does Zoom help with PIPEDA and PHIPA compliance? Zoom uses privacy practices and technical security measures to ensure that customer data is protected. Our security and privacy measures include:

• The execution of “Data Protection Agreements” to contractually establish adequate transfer mechanisms
• Providing a variety of in-meeting product security features
• Protecting data in transit by TLS 1.2 using 256-bit Advanced Encryption Standard (AES-256)
• Leveraging the physical and environmental protection of our TIER 1 data center providers. Zoom’s hosting facilities have 24x7 manned security and monitoring through multiple layers of physical security controls including perimeters fences, manned lobbies, surveillance cameras (CCTV), man trap, locked cages, motion detectors, and biometric access requirements
• No monitoring, viewing, or tracking of the video or audio content of your video meetings or webinars
• No sharing of customer data with third parties
• Limiting retainment of accounts to 30 days after termination to assist with product reactivation (if requested by customer). After 30 days have passed, the account is permanently deleted

…………………………………….. 

Security and Privacy Certifications

SOC2: The SOC 2 report provides third-party assurance that the design of Zoom, and our internal processes and controls, meet the strict audit requirements set forth by the American Institute of Certified Public Accountants (AICPA) standards for security, availability, confidentiality, and privacy. The SOC 2 report is the de facto assurance standard for cloud service providers.

TRUSTe: TRUSTe has certified the privacy practices and statements for Zoom and also will act as dispute resolution provider for privacy complaints. Zoom is committed to respecting your privacy. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

EU-US Privacy Shield: Zoom participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Zoom has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List https://www.privacyshield.gov/list.

TrustArc: TrustArc has certified the privacy practices and statements for Zoom and also will act as dispute resolution provider for privacy complaints. Zoom is committed to respecting your privacy. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedbackform.truste.com/watchdog/request

 Excerpt from Zoom blog article fall 2018: “Zoom is a popular choice among Canadian healthcare organizations for two reasons. First, Zoom has data centers in Toronto and Vancouver, so all live meeting data and traffic can be kept in Canada. Moreover, Amazon Web Services (AWS) will be available in early 2019 in Montreal, which means that 100% of data (live, recorded, and post-meeting metadata) will reside in Canada. Second, it’s critical for doctors to prove video session attendance and the timestamp of the start and finish to bill back to the province for payment. Zoom makes it easy to access each session’s timestamp and participant list.”

--talk about doing your homework Betty Lou!!  I appreciate your transparency - what we know, what we don't know -can offer. A model of practice for any organization.

No problem!