Telehealth and video conferencing technologies
Due to the circumstances with COVID-19 in Level 4, there is a greater and more urgent need for telehealth and video conferencing technologies that are easy to use and deploy.
A reminder that you should continue to apply good practice security approaches to your use of these technologies. You will need to apply risk and privacy assessments and balance the risk and benefit of their use. In general terms, while these tools carry some risk, there are often mitigations that can be taken, and the benefits are significant.
The NZ Telehealth resource centre has some useful information on telehealth and specifically on COVID-19 https://www.telehealth.org.nz/covid-19/
Zoom has been a popular choice due to its features, easy deployment, and usability. There has been a lot of media coverage about Zoom around security and privacy concerns in the past few weeks.
The Government Chief Information Security Officer (GCISO) from the Government Communications Security Bureau (GCSB) has released specific guidance around the use of Zoom which can be found here: https://www.ncsc.govt.nz/newsroom/zoom-security-advice-for-public-servants/ and further information can be found on the NZ Telehealth resource centre https://www.telehealth.org.nz/covid-19/software/zoom/
There are several practical steps included to help reduce some of the risks around Zoom that can be applied by any organisation. Some of this guidance may not be suitable for all environments and so each organisation will need to take a risk-based approach on what advice to follow depending on their unique circumstances.
Zoom has released a statement from their CEO explaining what steps they are taking to address some of these concerns. They state that the Facebook SDK components of the iOS mobile app have been removed and they have fixed the UNC link issue, among other updates and changes. They will continue to focus on security and privacy over the next 90 days: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ This post also includes links to other guidance Zoom has released to protect against ‘zoom bombing attacks’, such as this: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/
However, some of this will take time to be completed and with all this renewed and intense scrutiny on the Zoom platform, we can likely expect more findings to be revealed in the coming weeks or months.
We recommend that you review the advice from Zoom’s updated guidance and the GCSB advice linked above, and that you take appropriate measures to mitigate the identified risks.
Cloud risk assessments
A number of cloud risk assessments have been completed for telehealth and video conferencing technologies, and a list of these is being prepared with urgency for sharing with CIOs to assist in reuse. In the meantime, if you are assessing a solution and want to know if someone else has completed a CRA or PIA, then please let me know.
IT Security Manager
Digital Strategy and Investment
Data and Digital
Ministry of Health
DDI: 04 816 2362