Zoom Bombing – how to prevent

Posted on by

Researchers at Boston University and Binghamton University recently published a paper A First Look at Zoombombing describing the phenomenon of malefactors joining online meetings with the goal of disrupting them and harassing the participants. This prompted Zoom and other suppliers to require additional security measures, such as requiring passwords for meetings. The researchers found that these measures were ineffective, since anyone who has access to the URI for the meeting most likely has the password as well. Instead, the authors recommend that meeting products create a unique URL for each participant. Zoom offers a way to do this but requires the meeting owner to distribute the links and for each user to log in first.

Fortunately, SBR Health recognized this problem at the inception of the company and provides three very simple but effective mechanisms for controlling access to meetings. The video meeting takes place over Zoom or Vidyo but all invitations and access control are handled by SBR. Health care systems can choose any one of these mechanisms or combine them as they see fit:

  • Email Link. Each patient, or guest can automatically be sent an email when a visit is scheduled whether that visit was create in the SBR system or within the electronic health record (EHR) system, e.g. Epic. The email contains a URL that is unique to each participant. When the patient clicks on the link to join the meeting, the system knows the identity of that participant and displays the name and other identifying information (DoB, MRN, etc) to the provider.
  • Patient Portal. if the health system has a patient portal or other web site, the SBR system can display a button to bring the patient into the visit. This way the patient portal performs the authentication without the patient needing to supply any additional credentials.
  • Username and Password. An account can be created for each patient on the SBR system. This can be done by the office staff, using SBR’s Admin site, or it can be created automatically upon receiving the information from the EHR. The office staff can give the information to the patient or the SBR system can automatically generate an email.

In this way, SBR provides a secure and convenient way to satisfy the HIPAA requirements for identifying the patient and prevent intruders from entering the visit.