OK, yesterday’s freakout about Zoombombing is so… yesterday.
Today’s freakout is about Zoom recordings showing up on YouTube and other places they don’t belong, as described in this Washington Post article.
Two pieces of quick good news:
- If you are not recording Zoom sessions, you have (almost) nothing to worry about.
- This problem has nothing to do with Zoom.
OK, why “(almost) nothing to worry about”? Your patient could be recording your sessions, either using Zoom to record (in which case you would see a little red dot “recording” indicator) or using a third-party screen recorder (in which case you would have no way of knowing, unless they told you). It is worth reminding patients to be very careful about recordings, no matter what the medium.
The bad news about this problem having nothing to do with Zoom is that that means it has to do with Zoom users, that is, us.
Zoom has two ways of recording: “locally” (on your computer’s hard drive) and in “the cloud.” You should not use cloud recording. (Although to date there has been no security problem with Zoom cloud recordings, there is always some vulnerability there.) The problem being reported in the article was apparently people making local recordings, and the recordings showing up in the cloud, in areas that were not password-protected. It is not clear how that happened, but the way they found them in the article was that Zoom has a standard way of naming recordings, so they just searched through open cloud archives for file names in that format. There is absolutely no reason to believe that Zoom is responsible for the recordings winding up where they did, and plenty of reason not to believe it.
More good news: if you have the free version of Zoom or the $200/mo HIPAA-compliant version, cloud recording is disabled. If both are available to you (like with the $15/mo “pro” account that I have), it will prompt you with the two options. Just choose “record locally” every time. Alternatively, you can disable cloud recording in the settings (but apparently only in the web interface), under Personal > Settings > Recording.
When you store recordings locally, you should always store them on an encrypted hard drive. The most super-careful way to do this would be to have an encrypted external hard drive that you plug in only when you are moving recordings to it or from it. If you handle any patient data, ever—like even phone numbers—your main hard drive and your phone should be encrypted. Please do not ask me how to do this. There are multiple how-to guides online, and lots of people who can help you. Please note that this is more than simply needing a password to get into your laptop; even with a password to get in, it is possible to remove the hard drive and read the data (e.g. if you throw it away) unless the drive itself is encrypted. In any case, whatever drive you store it on, you should be aware of whether and how it is backed up. Cloud back-ups like iCloud are a potential problem.
OK, back to Zoom, let’s go to the settings. Unlike the previous post where I told you that you had to use the web interface, for this one, you need to go to Settings in the app where you will be doing the recording. In my case that is the Mac’s “zoom.us” app. I assume it’s similar on Windows, and I have no idea about tablet or phone apps, which I would not encourage, anyway. I get to settings by clicking on my face with a green dot in the upper right-hand corner, and then clicking on Settings. You might not have your face, maybe it’s your initials. Once at Settings, go to Recording. You will see a number of useful settings:
- “Store my recordings at:” This is the folder where recordings get stored. Probably best to move that from the default folder to wherever you want to store them.
- I recommend you check off “Choose a location to save the recording to after the meeting ends.” I will explain why below.
- I would uncheck “Record a separate audio file for each participant” unless you are planning to do a lot of fancy editing.
- Check “optimize for a 3rd party video editor,” so that Zoom will convert to a standard format rather than their own proprietary format.
- I would check “Add a timestamp to the recording.” This puts the date and time in the lower-right-hand corner of the recording. It is incredibly helpful for video recordings of psychotherapy.
When you end the session, Zoom will convert the recording to a standard format. If you selected “Choose a location to save the recording to after the meeting ends,” as suggested above, Zoom will prompt you about where to save it after the conversion. The conversion usually takes only about a minute for me. The default location is the one you chose in “Store my recordings at:”. I just always click “Save,” rather than choose a new location, but being prompted is very helpful because it reminds me to take the next step. On the Mac, Zoom opens the folder where it saves the converted videos. Each converted video is actually put in a folder, which has a long standardized name that includes the date, time, meeting name and ID. The standardized format of the name is what helped them to find recorded Zoom calls that had been uploaded to non-password-protected areas in the cloud.
If you go into the folder, you will find a file called “zoom_0.mp4”. That is the only thing you want from there. Rename it to something that you identify as being from that patient but that is not immediately identifying. (I use the first three letters of the patient’s last name and the first letter of the first name, which is how Leigh McCullough used to label her VHS tapes.) I also include the date, both for reference and so that it doesn’t collide with other filenames. Remember: you can’t put slashes in computer filenames, so I use dates like “2020-04-05” so that they sort correctly.
In the same folder where Zoom is putting the converted video, I have made one folder for each patient that I’m recording. After I rename the file, I drag it into that patient’s folder. Then I delete the entire folder that Zoom created. Now I have the video, and the standardized Zoom name is gone. Remember to empty your trash every so often.
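The rename, move and delete steps above can be scripted so that none is skipped; the following is an added example, not part of the original post or of Zoom. The folder-name pattern, the function names and the sample patient code "DOEJ" are assumptions made for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed shape of Zoom's default folder name: "YYYY-MM-DD HH.MM.SS <meeting name> <ID>".
# The post only says the name carries date, time, meeting name and ID; adjust to what you see.
ZOOM_DIR = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}\.\d{2}\.\d{2} .+ \d{9,11}$")


def leftover_zoom_folders(root: Path) -> list[Path]:
    """Folders under root that still carry the default, searchable Zoom name."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and ZOOM_DIR.match(p.name))


def file_recording(zoom_dir: Path, patient_code: str, archive_root: Path) -> Path:
    """Move zoom_0.mp4 to <archive_root>/<code>/<code>_<date>.mp4, then delete zoom_dir."""
    m = ZOOM_DIR.match(zoom_dir.name)
    video = zoom_dir / "zoom_0.mp4"
    if not m or not video.is_file():
        raise ValueError(f"not a converted Zoom recording folder: {zoom_dir.name}")
    dest_dir = archive_root / patient_code
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{patient_code}_{m.group(1)}.mp4"
    if dest.exists():  # two sessions on one date: never overwrite silently
        raise FileExistsError(dest)
    shutil.move(str(video), str(dest))
    shutil.rmtree(zoom_dir)  # removes the standardized name and any other files in it
    return dest


def demo() -> tuple[str, int]:
    """Run on a constructed folder in a temp directory; return new name and leftover count."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        zdir = root / "2020-04-05 14.00.07 Example Meeting 123456789"  # constructed
        zdir.mkdir()
        (zdir / "zoom_0.mp4").write_bytes(b"not a real video")
        (zdir / "extra.txt").write_text("constructed leftover file")
        dest = file_recording(zdir, "DOEJ", root)
        return dest.name, len(leftover_zoom_folders(root))


if __name__ == "__main__":
    print(demo())
```

`shutil.rmtree` deletes the folder directly instead of sending it to the Trash, and neither route overwrites the data on disk, which is one more reason to keep recordings on an encrypted drive. Running `leftover_zoom_folders` over the recordings folder, or over any synced or backed-up folder, lists anything that still has the default name.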
If you want to share the video with the patient, the sharing process is another point of possible vulnerability. As mentioned above, the patient having the video is a point of vulnerability as well. Most of the patients that I share video with are pretty tech-savvy. At this point, I use Google Drive to share with them. I have G Suite with a HIPAA BAA, so my Google Drive is covered, though sharing folders with people “outside my organization” may be a gray area in terms of HIPAA. I have created a Google Drive folder for shared video, in which there is a sub-folder for each patient. I share that patient’s sub-folder with them (not the entire shared video folder, obviously), and after the video converts and I rename it, I put it in their folder on Google Drive. (On my Mac I use “Google drive stream,” so it looks like a normal drive, and I have an alias for the patient’s Google Drive folder inside the patient’s video folder, which makes it very easy, but if this means nothing to you, please ignore it.) I encourage patients to copy it out of the drive folder and to delete it from the drive folder once they have, so as to minimize its time in the cloud. Another way to share video would be to mail a thumb drive, but if it’s not encrypted I think that might be the least secure of all. I haven’t used it, but “Firefox Send” may be a good option, though I would use an additional password that you arrange with the patient beforehand.
—Nat Kuhn