Security and Privacy Tips for Zoom
Zoom is a software platform widely used for remote meetings and online instruction. The following tips are intended to help provide appropriate security and privacy controls when using Zoom for communications that involve sensitive data such has HIPAA-protected data, attorney-client communications, etc.
Before the Meeting
- Share the meeting link privately (e.g., email or chat), not via social media.
- Create a unique ID for each meeting. Use the option marked “generate automatically” rather than “Personal Meeting ID.”
- Require a password for the meeting. This prevents people from simply guessing the ID of your meeting. Do not re-use passwords for multiple meetings. By default, Zoom will create a new password for each meeting.
- Disable the “join before host” option for the meeting. Otherwise, the first person to join the meeting will become the host and will be able to control the meeting.
Recording the Meeting
- Do not record the meeting unless necessary. Do not record the meeting to the Zoom cloud location, which uses Panopto. If necessary, work with your local IT staff to understand what locations are approved for the type of information contained within your meeting (e.g., HIPAA). Notify participants in advance if the meeting will be recorded.
- Do not keep recordings longer than necessary. Notify other participants that they are not permitted to record the meeting by any means.
During the Meeting
- As of December 2020, Zoom has an integrated capability for automatic speech recognition (ASR). This option can be enabled by the meeting host using the “Live Transcript” button in the zoom client. This function is not approved for use with HIPAA protected data, and it is not advised to use this function for other confidential data. The ASR function in Teams is appropriate for most types of confidential data (including data protected by HIPAA).
- If you see someone in the meeting who should not be there, remove them from the meeting. Once all participants have joined the meeting, lock the meeting so that others cannot join.
- When ending a meeting that you are hosting, be sure to select “End Meeting for All” rather than “Leave Meeting.”
- If you are sharing your screen during a meeting, be sure you understand how screen sharing works so that you don’t share confidential information unintentionally. Close any programs, websites, etc. that you will not need during the meeting. If other participants will be sharing a screen during the meeting, remind them not to share private information unintentionally.
- If you have video enabled for your meeting, make sure that confidential information in your workspace is not visible to remote participants. Remind other participants that they should have similar protection for information in their workspaces.
- Make sure others in your location cannot overhear your conversations. Remind other participants of this requirement for their locations. This applies also to “smart devices” such as Alexa, Siri, etc.
- Be sure to keep your Zoom software updated to the latest version.
- From time to time, reports may be published about security issues with Zoom. Such reports are published about many kinds of software. If you have any concerns about the security of Zoom software, please email firstname.lastname@example.org
- Zoom has published a collection of resources on Privacy & Security for Zoom Video Communications.
- Additional information on Zoom can be found at the Office of Teaching, Learning & Technology.
Zoombombing is defined as a type of trolling in which a participant uses screensharing and/or audio to interrupt and disrupt meetings or classes. Use this form to report a zoombombing incident.