Use of video-teleconferencing ("VTC") platforms has increased significantly during the COVID-19 pandemic. While such technology has its benefits, for example, allowing employees to work from home and health care providers to deliver telehealth services to their patients, VTC platforms can also introduce serious privacy and security risks. For example, the Federal Bureau of Investigation ("FBI") recently issued a warning about multiple "VTC hijacking" events in which an unauthorized, unknown third party disrupted online conferences with pornographic images, hate images, and threatening language. The risks of VTC hijacking, however, are not limited to offensive content. An uninvited participant who joins a meeting silently can also cause breaches of protected health information, financial information, confidential client information, and other sensitive information.

While entities cannot eliminate all risks of VTC hijacking, they can minimize the risks by taking proactive measures. Multiple federal agencies recently issued guidance for the safe use of VTC platforms and other teleconferencing technologies, including the FBI, the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS"), the National Institute of Standards and Technology ("NIST"), and the Federal Trade Commission ("FTC"). Below, we have provided some of the advice the agencies issued, which entities and health care providers should follow to protect their confidential communications:

  • Always require a meeting password or use a waiting room feature (if available) to control the admittance of guests. Do not share the VTC meeting link on an unrestricted, publicly available social media account.
  • Carefully manage screen sharing features. For example, use the "host only" option for screen sharing.
  • Ensure all users have the most up-to-date version of the VTC platform. 
  • Ensure your policies address requirements for physical and information security related to VTC platforms. If the policies are silent on the topic or outdated, update them.
  • Protect VTC platforms against eavesdropping. Ensure users' home networks are set up securely. Specifically, all users should enable "WPA2" or "WPA3" encryption on their home Wi-Fi router (WPA2/WPA3 protects the wireless link between the user's device and the router; it does not protect traffic beyond the router). Create or direct your employees to online tutorial videos that show them how to enable WPA2 or WPA3 on a router.
  • Require all employees to connect through a virtual private network ("VPN"), which encrypts traffic between the employee's device and the VPN endpoint and keeps it off the open network. If your business is unable to establish its own VPN, require your employees to use a VPN service when conducting business, and vet that service before approving it, since a consumer VPN protects traffic only as far as the provider's servers.
  • If employees use their personal computers and/or mobile devices, confirm that they have enabled basic security features, such as a screen lock protected by a PIN, fingerprint, or facial recognition.
  • Require employees to report unusual or suspicious activity to your help desk, security operations center, or other appropriate contact.
  • Never leave personal devices unattended.
  • Require that employee laptops be password protected, locked when unattended, and physically secured. Passwords should be at least twelve (12) characters, with a mix of numbers, symbols, and capital/lowercase letters.
  • Ensure all work devices have up-to-date security features. Employees should enable "automatic software updates" on all of their devices.
  • For health care providers, use VTC platforms only in private settings, such as a clinic or office. Likewise, patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances. If telehealth cannot be provided in a private setting, providers should implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information, such as: using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others.
  • Only use "non-public facing" products. A "non-public facing" remote communication product is one that, by default, allows only the intended parties to participate in the communication. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. Note that vendors sometimes use the term loosely: encrypting the connection between each participant and the vendor's servers (transport encryption) is not end-to-end encryption, because the vendor can still read the content. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.
  • For health care providers and other covered entities and business associates subject to HIPAA, enter into a business associate agreement with the VTC platform.
  • Review privacy notices to make sure you are transparent regarding the collection, use or other processing of personal information via VTC platforms.

Although the COVID-19 pandemic has sharply increased the risks associated with VTC platforms, entities and health care providers that follow the agencies' advice above will reduce the data security risks of conducting business and providing health care online.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.