A Healthy Security Posture Starts With These Features
Whether you’re conducting telehealth appointments or connecting medical communities virtually, your patients’ digital privacy is an essential component of effective care. If personal health information is compromised, the damage goes beyond lost patient trust: it also puts you at risk of noncompliance with regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
At Zoom, we know that security and privacy are fundamental to a successful healthcare organization, which is why we’re equipping providers with features that help safeguard the exchange of important information via Zoom.
Here are some of those features, along with a few measures we’ve taken to help you address relevant compliance requirements.
Key security features
Tailored encryption options
- 256-bit AES-GCM encryption: We use 256-bit AES-GCM encryption as our standard for real-time meeting audio, video, and shared content in transit across Zoom Meetings, Zoom Webinars, meetings occurring via Zoom Rooms, Zoom Contact Center, and Zoom Phone data transmitted over the public internet.
- End-to-end encryption (E2EE) for Zoom Meetings: When enabled, this feature uses 256-bit AES-GCM encryption for communications between all authenticated meeting participants using the Zoom client. The difference from a standard meeting is where the keys live: the cryptographic keys for an E2EE meeting are known only to the devices of the authenticated meeting participants. Enabling E2EE for meetings disables certain features.
- E2EE for Zoom Phone: You also have the option to enable E2EE during one-to-one Zoom Phone calls between users on the same Zoom account that occur via the Zoom client. During a call, clicking the “More” button presents an option to elevate the session to an end-to-end encrypted phone call. Once enabled, the call is encrypted using cryptographic keys known only to the devices of the caller and callee. Users can confirm that E2EE is in effect by reading the call’s security code to each other and checking that both devices show the same code. During an E2EE Zoom Phone call, certain Zoom Phone features are disabled.
- Advanced chat encryption for Team Chat: When advanced chat encryption is enabled, chat content is encrypted using keys generated and known only by participants’ devices, and is additionally encrypted while in transit over the public internet using Transport Layer Security (TLS). When advanced chat encryption is enabled, you won’t be able to use a few chat features.
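As an added illustration (not Zoom’s code, and not a description of Zoom’s actual protocol), the Go program below shows what the two building blocks named above provide in practice. AES-256-GCM attaches an authentication tag to every encrypted frame, so a frame altered in transit is rejected instead of being decrypted and played; and a short “security code” derived from the session key lets two participants confirm that their devices hold the same key. The program assumes the devices have already agreed on a key (key agreement is out of scope), the sample header and frame are constructed for the example, and the hash-to-digits derivation of the code is this example’s own choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const keySize = 32 // 256-bit AES key

// NewSessionKey generates a random 256-bit key. In an E2EE session this key
// would be derived on the participants' devices and never leave them; how the
// devices agree on it is not shown here.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFrame encrypts one media frame with AES-256-GCM. header is authenticated
// but sent in the clear (additional authenticated data), as a packet header
// carrying a sequence number would be. The 96-bit nonce is random and must
// never repeat under the same key: GCM leaks plaintext and allows forgeries
// on nonce reuse.
func SealFrame(key, header, frame []byte) (nonce, sealed []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Seal appends the 128-bit authentication tag to the ciphertext.
	sealed = gcm.Seal(nil, nonce, frame, header)
	return nonce, sealed, nil
}

// OpenFrame verifies the tag and then decrypts. Any change to the nonce,
// header or ciphertext (even one flipped bit) makes Open fail, so a tampered
// frame is dropped rather than rendered.
func OpenFrame(key, header, nonce, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, header)
}

// SecurityCode renders a short code two participants can read aloud to each
// other. It is a function of the key alone, so matching codes mean both
// devices hold the same key and nobody in the middle has substituted another.
// The hash-to-decimal-groups construction is illustrative (an assumption of
// this example), not Zoom's scheme.
func SecurityCode(key []byte) string {
	sum := sha256.Sum256(append([]byte("e2ee-security-code:"), key...))
	groups := make([]string, 0, 5)
	for i := 0; i < 5; i++ {
		v := binary.BigEndian.Uint32(sum[i*4:i*4+4]) % 100000
		groups = append(groups, fmt.Sprintf("%05d", v))
	}
	return strings.Join(groups, "-")
}

func main() {
	key, err := NewSessionKey()
	if err != nil {
		panic(err)
	}
	header := []byte{0x00, 0x01}                 // constructed: sequence number 1
	frame := []byte("constructed audio frame payload") // constructed sample
	nonce, sealed, err := SealFrame(key, header, frame)
	if err != nil {
		panic(err)
	}
	if _, err := OpenFrame(key, header, nonce, sealed); err != nil {
		panic(err)
	}
	fmt.Println("genuine frame accepted")
	sealed[0] ^= 0x01 // flip one ciphertext bit in transit
	if _, err := OpenFrame(key, header, nonce, sealed); err != nil {
		fmt.Println("tampered frame rejected:", err)
	}
	fmt.Println("security code both participants should see:", SecurityCode(key))
}
```

The header is passed as additional authenticated data rather than encrypted because routing metadata usually has to stay readable, yet it still must not be alterable; GCM covers both needs in one operation. The same tag check is what makes the “tampered frame rejected” path fire for the flipped bit.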
Authenticated login: We offer single sign-on (SSO), which lets users sign in to Zoom quickly and safely through your organization’s identity provider. Because authentication is delegated to that provider, your existing sign-in policies and account lifecycle apply to Zoom as well, which matters when clinicians sign in from outside your network. If you cannot use SSO, we recommend enabling two-factor authentication (2FA). You can also sign in with a Google or Facebook account through OAuth, which lets that provider vouch for your identity to Zoom so you don’t have to enter a separate Zoom password.
Required meeting passcodes: Account owners and admins can require a passcode for an individual meeting, or for all meetings and webinars at the user, group, or account level. The passcode is shared with the patient so they can join the telehealth session, adding a layer of protection against uninvited participants.
Important compliance measures
HIPAA: Whether you’re a solo practitioner, small clinic, or enterprise health system, Zoom helps enable a customer’s HIPAA compliance program by securing protected health information (PHI) and executing a Business Associate Agreement (BAA).
PIPEDA/PHIPA: We help enable compliance with Canadian data protection regulations, including the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, in Ontario, the Personal Health Information Protection Act (PHIPA).
SOC 2 + HITRUST: Zoom has expanded the scope of its SOC 2 Type II report to include additional criteria to meet Health Information Trust Alliance Common Security Framework (HITRUST CSF) control requirements. HITRUST is a security framework that leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA. This attestation applies to Zoom Meetings, Zoom Phone, Zoom Team Chat, Zoom Rooms, and Zoom Webinars.
Prioritizing patient privacy
A patient’s consultation with their doctor should be stress-free, and using a video communications platform to do so should only help improve the experience.
By adhering to relevant standards and offering these security features, we strive to offer an experience characterized by ease of use, safety, and trust, empowering you to safely exchange and store valuable health information via our platform.
We’re committed to being a platform you can trust — with your patient interactions, important information, and communications within your healthcare organization.
To learn more about Zoom’s approach to privacy, explore our Trust Center.