
Zoom's Security Problems: What They Mean for Your Practice

Video conferencing and remote communication

Zoom went from 10 million daily users in December to over 300 million in April. When the pandemic forced everyone remote, Zoom became the default video platform. But rapid adoption brought intense scrutiny, and security researchers found serious problems.

The Issues

Zoombombing

Uninvited participants joined meetings to display offensive content. This was possible because Zoom meetings were discoverable and joinable by default, with no password or authentication required. Schools, therapy sessions, and business meetings were disrupted.

Encryption Claims

Zoom claimed "end-to-end encryption" for calls. Researchers discovered this wasn't true. Zoom used transport encryption (TLS) between each client and its servers, so call content was decrypted on Zoom's servers and could, at least in theory, be accessed there. For HIPAA-covered conversations, this distinction matters.

Data Routing Through China

Some Zoom calls were routed through servers in China, even when all participants were in the US. For organizations handling sensitive data, this raised significant concerns about data sovereignty and surveillance.

Mac and Windows Vulnerabilities

Researchers discovered vulnerabilities in Zoom's Mac installer (it used a technique borrowed from malware to install without proper user consent) and Windows client (a vulnerability that could leak Windows login credentials).

What Zoom Has Done

To Zoom's credit, they've responded aggressively:

  • Implemented meeting passwords and waiting rooms by default
  • Added the ability to lock meetings and remove participants
  • Hired a former Facebook CISO as a security advisor
  • Committed to a 90-day security improvement plan
  • Acquired Keybase to build actual end-to-end encryption
  • Allowed users to opt out of data routing through China

Should Your Practice Use Zoom?

It depends on what you're using it for:

Staff meetings, non-clinical discussions: Zoom is fine with updated security settings (passwords, waiting rooms, locked meetings).

Telehealth/teledentistry with patients: Use Zoom for Healthcare (the HIPAA-compliant version with BAA), not the free consumer version. Alternatively, use purpose-built telehealth platforms like Doxy.me, VSee, or Teledent.

Sensitive business discussions: Consider alternatives with stronger encryption: Microsoft Teams, Google Meet, or Signal for smaller calls.

Zoom Security Settings Checklist

If you use Zoom, configure these settings:

  1. Require meeting passwords for all meetings
  2. Enable waiting rooms so you approve each participant
  3. Disable "Join Before Host"
  4. Disable screen sharing for participants (host only)
  5. Lock the meeting once all expected participants have joined
  6. Don't share meeting links on social media or public channels
  7. Use the latest version of Zoom (updates include security patches)
  8. If using for HIPAA purposes, use Zoom for Healthcare with a signed BAA
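As an added example (not code from this post, and not Zoom's own tooling), here is a small audit that checks exported meeting and account settings against items 1 to 4 of the checklist. The field names (`password`, `settings.waiting_room`, `settings.join_before_host`, `in_meeting.who_can_share_screen`) are assumed to follow the Zoom REST API meeting and user-settings objects; verify them against the current API reference before relying on the script.

```python
"""Audit Zoom meeting/account settings against the checklist above.

Assumption: field names mirror the Zoom REST API v2 meeting object and
user-settings object. Sample data below is constructed for the example.
"""
from typing import Any

# Constructed sample input: an account-level settings excerpt and two
# meetings, one still on the risky defaults and one hardened.
SAMPLE_USER_SETTINGS = {"in_meeting": {"who_can_share_screen": "all"}}
SAMPLE_MEETINGS = [
    {"id": 111, "topic": "Staff huddle", "password": "",
     "settings": {"waiting_room": False, "join_before_host": True}},
    {"id": 222, "topic": "Patient consult", "password": "x7Kq2p",
     "settings": {"waiting_room": True, "join_before_host": False}},
]


def audit_meeting(meeting: dict[str, Any]) -> list[str]:
    """Return checklist findings for one meeting; an empty list passes."""
    s = meeting.get("settings", {})
    findings = []
    if not meeting.get("password"):          # item 1: password required
        findings.append("no meeting password")
    if not s.get("waiting_room", False):     # item 2: waiting room on
        findings.append("waiting room disabled")
    if s.get("join_before_host", False):     # item 3: no join before host
        findings.append("join before host enabled")
    return findings


def audit_user_settings(user_settings: dict[str, Any]) -> list[str]:
    """Account-level check: only the host should be able to share (item 4)."""
    sharer = user_settings.get("in_meeting", {}).get("who_can_share_screen")
    return [] if sharer == "host" else [f"screen sharing open to: {sharer}"]


def audit_account(user_settings: dict[str, Any],
                  meetings: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map 'account' and each meeting id to its list of findings."""
    report = {"account": audit_user_settings(user_settings)}
    for m in meetings:
        report[str(m["id"])] = audit_meeting(m)
    return report


if __name__ == "__main__":
    for key, issues in audit_account(SAMPLE_USER_SETTINGS, SAMPLE_MEETINGS).items():
        print(f"{key}: {'OK' if not issues else '; '.join(issues)}")
```

Running it prints one line per meeting plus an account line; any non-empty finding is a setting to fix before the meeting is used for patient or sensitive conversations.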

Zoom's rapid growth exposed security problems that existed before the pandemic but didn't matter when 10 million people used it. At 300 million users, everything matters. Use it wisely, configure it properly, and consider alternatives for sensitive communications.