
Carol McGinnis, PhD, NCC, BC-TMH, LCPC, is an associate professor and clinical mental health track coordinator in the graduate counseling program at Messiah College, Mechanicsburg, Pennsylvania, where she has taught online for more than 10 years. McGinnis holds an MS in cybersecurity and a PhD in pastoral counseling and currently serves as president-elect for the Maryland Counseling Association (MCA).
Eric Ward, MS, is an assistant professor at the Community College of Baltimore County, Baltimore, Maryland, where he teaches cybersecurity (computer security), network security, and information assurance courses for applied associates degrees. Eric has an AA, BS, and MS in cybersecurity and is completing his PhD (now ABD) in information technology and cybersecurity at Capella University.
The cybersecurity principles of confidentiality, integrity, and availability (CIA) are very important when providing counseling services or teaching online using Zoom. Carol McGinnis and Eric Ward offer this short overview of how these principles apply to what we are already doing as counselors and educators:
Confidentiality in the world of cybersecurity includes an understanding of the technical assurance of personally identifiable information (PII) that belongs to the student or client. This is fairly easy to achieve through review of the business agreement from the provider. Zoom offers plenty of content related to its security and offers a specific feature that can be enabled for every session with a little icon that is viewable by the student or client during the meeting. As counselors or educators, we understand ahead of time what kind of information may be shared, and the responsibility falls to us to ensure that the participant can prepare the environment in a way that will also protect their PII. Doors and windows need to be closed, chat may need to be used if the “walls have ears,” and nonverbal communication can go a long way in protecting this PII.
Integrity is something that we all have concern about because we want to make sure that everyone can be seen and heard and that the engagement does not suffer from a weak signal, bad equipment, poor lighting, or interrupted audio. We have a good amount of control over some of these things (signal, lighting, and audio), yet technology fails, so a sound back-up plan is very important. This involves having a plan ahead of time for an interrupted session/meeting and the expectation that a drop in signal may occur from time to time. Including a plan for phone contact can be very important. It is also helpful to have an activity for the student or client to engage in while the effort to reconnect is occurring: 1. breathe; 2. repeat “I can do this”; and 3. write down thoughts and feelings that are happening.
Availability is about making the online environment as easy and accessible as possible. Asking the client or student to log in using his or her first name (or a pseudonym) with a pre-made Zoom link can be very easy to do—especially with a smartphone or tablet. Refrain from passwords for access to the room because this can be unnecessarily frustrating if the client or student is feeling compromised. Setting the room to always have the participant’s video on is advisable because we want to avoid spending a lot of time in troubleshooting. Practice in “running the room” is imperative to make sure we know how to walk someone through these pieces if they do need to happen.
Additional considerations include:
- Using the waiting room feature is very important because it empowers the counselor or educator to permit access for the student or client accordingly. This helps to prevent a hacker or unauthorized person who may have the Zoom link from entering the room.
- Sharing of the Zoom link must be carefully done to ensure that only the student or the client will have access to that room; the waiting room feature provides an additional layer to the confidentiality that you are responsible for providing. For counseling, it is best to have one room for individual sessions with the understanding that the chat function will only clear after you leave the room and come back. Be mindful about the use of chat if the same room is used for different clients.
- Students or clients need to be instructed on the importance of using robust passwords to protect their communication that may be deeply personal (e.g., protected health information). Take time to demonstrate how a robust password can be made: at least 10 characters, one number, one capital letter, and one symbol. One way to do so:
  - Think of a favorite line from a book or movie that you HAVE NOT noted on social media: “Did you say ‘earn more sessions by sleeving?’” (Roxanne, 1987)
  - Note the first letter of each word: DYSEMSBS?
  - Change at least one letter to a number and one to a symbol: DY$3M$B$?
  - Select one or more letters to be upper versus lower case: Dy$3M$b$?
  - Add a preceding symbol to expand the password to at least 10 characters: ?Dy$3M$b$?
  - That is a robust password that would be difficult to crack using a dictionary or brute force attack. Replacing some letters with numbers for a word or phrase is not enough! Birthdays and anniversaries are some of the easiest to crack.
- Removing participants from a Zoom meeting needs to be understood and practiced to ensure that unauthorized entities can be taken out of that space in a timely fashion.
- Setting participant expectations is critical: Can they eat during the meeting? Have other people in the room? Smoke/vape? Is there a dress code? What are they NOT permitted to do while in Zoom (e.g., no driving, no restroom behavior, no pajamas)?
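The password guidance above can be checked mechanically. The following is an added example, not part of the original article: it tests a candidate against the stated rule (at least 10 characters, one number, one capital letter, one symbol) and then flags the two weaknesses the article warns about, a dictionary word hidden behind letter-to-number swaps and a date-like number. The function names, substitution map, and word list are assumptions constructed for illustration.

```python
import re

# Constructed map that undoes common character swaps (not exhaustive).
UNSWAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a", "!": "i"})

# Tiny constructed word list standing in for a real guessing dictionary.
WORDLIST = {"password", "sunshine", "baseball", "welcome", "anniversary"}

# A four-digit year, or 4+ digits that could form a day/month/year.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/-]?\d{1,2}[/-]?\d{2,4}")


def policy_failures(pw):
    """Return the parts of the article's rule that the password misses."""
    failures = []
    if len(pw) < 10:
        failures.append("fewer than 10 characters")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(not c.isalnum() for c in pw):
        failures.append("no symbol")
    return failures


def guessable_reasons(pw):
    """Flag passwords that meet the rule but are still easy to guess."""
    reasons = []
    # Undo the swaps, then keep letters only, as a guessing tool would.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(UNSWAP))
    for word in sorted(WORDLIST):
        if word in letters:
            reasons.append(f"normalizes to dictionary word '{word}'")
    if DATE_RE.search(pw):
        reasons.append("contains a date-like number")
    return reasons


def review(pw):
    """All findings for one candidate password; empty list means none."""
    return policy_failures(pw) + guessable_reasons(pw)


if __name__ == "__main__":
    # Constructed samples; the first is the article's worked example.
    for candidate in ["?Dy$3M$b$?", "B@seb4ll#7", "Mydog0412!", "abc"]:
        print(candidate, "->", review(candidate) or "no findings")
```

A candidate such as `B@seb4ll#7` satisfies every part of the length and character rule yet is still flagged, which is the article's point that swapping letters for numbers in a word is not enough.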
There are many websites available for additional information on setting your Zoom meeting rooms up to provide optimal confidentiality, integrity, and availability. Some of these are listed here:
Zoom Blog
Advanced Zoom Security Settings
Zoom HIPAA Compliance Guide