Zoom, privacy, and security

This is a note to my patients about privacy and security of the Zoom app and other related issues.

In the Covid-19 crisis, I am currently using Zoom as my platform for telemedicine. I initially used my health record’s system for video appointments, but I switched to Zoom for several reasons: (a) a few patients found the system difficult to access; (b) the call quality was not as good as I had hoped; and (c) it was difficult to record sessions, for people who have given me permission to do that.

Zoom has been a leader in video conferencing for some times and I have many colleagues who have used and are using it. They uniformly report that its call quality is better than alternatives. With the Covid-19 crisis, Zoom’s “moment” has arrived, and I have been impressed with their agility in meeting a massive increase in demand.

With their moment in the sun, they are understandably facing a high degree of scrutiny, and some of their practices have been questioned. Most of these questions are legitimate and deserve to be answered. I believe that Zoom is making a good-faith effort to do so. They have been changing policies and standards in a way that enhances privacy and security, with praise from independent sources for their efforts.

I have looked at these issues and I believe that none of them posed or is posing a risk to the security of what happens during my sessions with patients. I will continue to monitor the situation, but for the moment I will continue to use Zoom. In fact, I believe that the increased scrutiny that Zoom is facing will enhance patients’ security, because no one will be looking as closely at alternative providers for potential security issues.

Please let me know if you are not comfortable with my continued use of Zoom in your case. I am willing to try out alternatives on an individual basis, with the understanding that we may be trading off a possible increase in security for things like decreased call quality or convenience.

Most of my patients are comfortable using email to communicate about scheduling sessions, even though email is not a 100% secure medium. I imagine most of my patients do not take extraordinary measures to block websites from using “cookies” that track them around the web, which result in personalized advertising. And I’m sure all of my patients would not want any identifiable contents of our sessions to be available to anyone, unless they had given explicit permission. If all of that is the case for you, I am confident that my current system meets those standards. If this describes you, great. If it does not describe you, please let me know, and I will work with you to further enhance your privacy and security.

Unless you are very careful about people tracking your everyday web browsing (and I am not), I imagine that, like me, you have had the experience of looking at a product—or even buying a product—and being followed by ads for that or similar products for some time afterwards. I am confident that none of what you and I actually say during a session will be used by Zoom to target advertising or shared in any way. But if you have Zoom account and want to further decrease their use of cookies related to advertising, there are some instructions at the end about how to do that.

Otherwise, the rest of this post gives more detail on potential issues related to Zoom and to how I deal with recordings of sessions.

“Zoombombing”

The first issue that hit the news was the practice of “Zoombombing”: people showing up in meetings, and either saying offensive things or showing offensive images. Because our “Session IDs” (10-digit numbers identifying the session) are not available to the public, and because I use passwords, I was not concerned about this as a problem for me, or for most other therapists. Zoom has since made passwords the default.

I have been more concerned about the possibility of two patients inadvertently showing up on a therapist’s screen at the same time.

This cannot happen in our sessions. Because I have been using the Zoom “Waiting Room” feature, no one can enter our session unless I specifically let them in. If you are in the session, I will not let anyone else in, period. Zoom has since made the use of the Waiting Room the default. (In addition, I do not believe anyone else will even appear in the Waiting Room while I am in session with you because I am using different Sessions IDs for each patient, and using passwords.)

Zoom recordings becoming public

The Washington Post has reported recently on Zoom conversations, including at least one therapy session, being stored “in the cloud” in ways that could be accessed without a password. This is not a Zoom issue, it is apparently an issue with Zoom users not being careful with their recordings.

Zoom itself does not record sessions unless you use their “cloud recording” feature. I have disabled that feature on my account, so I can’t do that even by accident. When I do make a recording on my computer, I store it securely on an encrypted drive and I am careful to keep it secure. Nothing is 100% in this world, but I am confident in the steps that I have taken to keep your recordings safe.

Unless you and I have explicitly agreed that I can record your sessions, I will not do so, except occasionally by accident. That hasn’t happened yet on Zoom, but it happened occasionally in the office simply out of habit, because I record so many sessions. When it did happen, I would immediately stop the recording and later shred the DVD. If you see a red dot and an indication that I am recording when I should not be, please let me know immediately and I’ll stop, and securely delete whatever I have recorded. Even if you don’t notice, I will notice right after the session when I go to file the recording and see that there is no place to file it. I will then delete the recording securely, and let you know about my error.

Sharing video with you

Some patients benefit from viewing recordings of sessions. In the office I would make a second DVD and hand it to the patient in the waiting room after a short wait for the DVD to “finalize.” Obviously, it is important for patients to keep the DVD private after receiving it.

The system I am now using for sharing video is this: if you would like me to share video with you, I will create a Google drive folder that I will share with you. After each session to be shared, I will place the session’s video in our shared Google drive folder. I recommend that you copy it out of the folder, and then delete it from the folder so that it is “in the cloud” for the shortest period of time. This method of sharing is encrypted, so only someone with your Google password (or mine) could access the recordings.

Once you have the file, it is important you store it securely. The most secure way to do it would be on an encrypted (and therefore password-protected) thumb drive or SD card that only you know the password to.

There are other options for secure file sharing, so if you want me to share video with you but are not comfortable with this procedure, please let me know.

Disabling Zoom advertising cookies

The following information was provided by my colleague Johannes Kieding. Although I do not generally worry about advertising cookies, I did test out the browser instructions. They seemed to work, and it would have been a challenge to figure out how to do it without this kind of careful guidance, so I am grateful for these instructions. Please note that they apply only if you have a Zoom account, but it is not necessary to create a Zoom account in order to use Zoom for appointments with me.

The instructions are as follows:

“When you set up a Zoom account and agree to the terms of service, you give Zoom permission to place cookies on your device.

“Some of these cookies are required to enable core site functionality. Some of these cookies allow Zoom to analyze site usage to improve performance. Some of these cookies track your web browsing and sell your personal information to advertisers who then serve targeted ads relevant to your interests. You are given an anonymized identifier so the profile that contains your personal information cannot easily be linked to your actual name and real identity.

“Tracking in the service of providing targeted ads is a common practice on most commercial websites. Many people are OK with trading some personal privacy for services like gmail and Facebook.

“However, Zoom offers users the choice to opt out of being tracked and having their personal info sold to third parties while using Zoom services.

Johannes gives some instructions on how to change the settings from different devices. My understanding is that if you change the setting on any device, the changes should apply to all devices you use to access your account.

On your desktop browser

“To opt out of having your web browsing tracked and your personal info sold by Zoom to third parties go to www.zoom.us. If you have third party tracker blockers installed in your browser disable those first.

  1. Log into your account.
  2. Scroll to the absolute bottom of the page and click the tiny link “Privacy and Legal Policies.”
  3. You will see “Legal” and “Privacy” near the top of the next page. Click on “Privacy.”
  4. Scroll down until you see a box entitled “Cookies”. Click on the “Cookie Policy” link in that box.
  5. Scroll down to the very bottom of that page and click on the tiny link “Do Not Sell My Personal Information.”
  6. The default option is “Required Cookies / CCPA Opt-Out,” so you can just click “Submit Preferences.”
On your iPhone or iPad

“To opt out of having your web browsing tracked and your personal info sold by Zoom to third parties using the iOS Zoom app, launch the iOS Zoom app on your iPhone or iPad and make sure you are logged in.

  1. Tap Settings in the lower left corner.
  2. Tap “About.”
  3. Tap “Privacy Policy.”
  4. Scroll about a third of the way down the Privacy Policy Page until you see a blue link for “Cookie Policy.” Tap that link.
  5. Scroll down to the bottom of that page and tap the tiny link at the very bottom “Do Not Sell My Personal Information.”
  6. The default option is “Required Cookies / CCPA Opt-Out,” so just scroll down and tap “Submit Preferences.”

“I do not own an Android device so I cannot be specific about using the Android Zoom app to opt out, but I imagine the Android user interface is similar enough to the iOS user interface that the above directions would be a good guide.

To My Existing Patients: I am Switching Electronic Health Record Systems

I am switching Electronic Health Record (EHR) systems. The new system involves a number of changes:

  • For patients who choose to get appointment reminders, the system will send reminders before every appointment, not just non-repeating appointments.
  • Reminders can be sent by email (48 hours before the appointment), text message (24 hours beforehand), or both.
  • I am now offering a secure on-line portal for billing, payments, and secure communication.
  • Starting on July 1, monthly bills can be sent via the portal, email, or by US mail.
  • I will not be charging a processing fee on credit card payments through the secure portal.
  • It will be easier for me to collect co-pays at the time of your appointment.
  • I am now able to send prescriptions for stimulant medications to pharmacies electronically.

If you have not done so already, please fill out this “Communication Consent” form and return it to me. (That link will take you to a PDF document which you can mail, hand-deliver, fax to 617-977-0243, or, if you are comfortable with the fact that email is not a 100% secure method of communication, emailed a scan or legible photo.)

If you choose to enroll in the portal, the system will send you an enrollment email after I receive your form. At your first login, the system will ask you to verify your demographic information and communication choices; please complete that one-time process.

If you have any questions or experience any problems with this change, please do not hesitate to contact me.

Yours,
Nat Kuhn, MD

I’m moving my office

68 Leonard St, Belmont, MA 02478

As of May 27, 2017, my office will be located on the 2nd floor of 68 Leonard Street in Belmont Center. The building has an elevator, and is fully accessible from street level. Facing the front of the building, the entrance is on the right side, under a covered walkway that faces the Bank of America next door. The walkway is under the “68” in the photo.

Unlike my current office, there is no dedicated waiting room. To get to the waiting room: if you are standing by the elevator with your back to my office, turn right and go to the waiting room on the left which is attached to the offices of Drs. Robin Goldstein and Raymond Levy (see map here).

The new address is 68 Leonard St., Mailbox 208 / Belmont, MA 02478. Please update your address book. For current patients who use a bill-pay service, please update my address with your service for any payment which will arrive after May 26.

Parking is available on Leonard Street; you need to enter your license plate number and pay at one of the kiosks. There is also a large parking lot behind the buildings on the other side of Leonard Street. (See parking map here.)  I recommend that you allow extra time for parking.

The same buses that run to my current office (74 and 75) go to Belmont Center; so does the Fitchburg line Commuter Rail, which also stops in Porter Square.

My email (nk@natkuhn.com) and telephone number (617-489-9090) will remain the same.