THE OFFICE OF AUDIT, COMPLIANCE & PRIVACY SERVICES
 
 
www.uvm.edu/compliance
 
Privacy Matters Newsletter
 
Video Conferencing Platforms
 
Risks and Solutions: Why It's Important To Use UVM-Supported Software

Our office has received several calls and questions related to privacy and videoconferencing. Here is some information that we hope will help you understand the risks and why it's important to use UVM supported software.


First, we recognize the need to be flexible and not place unnecessary restrictions that impede our abilities to do our jobs. However, we still have an obligation to uphold University data privacy and security standards. Safeguarding the sensitive information that we have been entrusted with is one way that we can keep each other safe.


The activity of "bad actors" attempting to exploit vulnerabilities in online video conferencing platforms continues and will likely increase with the exponential growth in this form of communication during this period of social distancing. While recent news called out Zoom, the bad actors are actively attacking all platforms including Skype, GoToMeeting, WebEx, Google Hangouts, and Teams. Keep in mind that UVM not approving certain video conferencing platforms for use institution-wide is not intended to impede your ability to do your job. It is to ensure we are protecting sensitive University information so that we can continue to keep students, faculty, and staff safe.


Regardless of the videoconferencing platform used, there are things we can all do to reduce the risk of privacy and security incidents.




UVM Supported vs. Not UVM Supported
 

UVM supports Microsoft Teams institution wide and considers this to be the primary preferred video conferencing platform. In limited instances, where a unit has executed an approved contract and implemented appropriate IT safeguards, Zoom may also be used. However, Teams is not Teams is not Teams. Zoom is not Zoom is not Zoom. Using the UVM supported version of a video conferencing platform is NOT THE SAME as using your own version or subscription to a platform with the same name. Often, it is not the platform that provides an appropriate level of protection; rather, it is how it is configured and how it is used that reduces our risk. You will know that you are using the preferred platform if you are logging in to Teams using your @uvm.edu or @med.uvm.edu login, or if you are logging into Zoom using your @med.uvm.edu login.


If you are using an instance of Teams or Zoom that is not centrally supported, you increase the risk that sensitive University or personal information will be inappropriately accessed, used, or disclosed.


If you are invited to a meeting from an outside party that utilizes a different platform, it is OK to accept those invitations. In those cases, the third party inviting you to use the platform has accepted the risk. However, if there is a concern that UVM sensitive, personal, or regulated information will be discussed or transmitted, there is no reason why you couldn't offer to schedule it through UVM's platforms for data privacy and security reasons.


Solutions: What Can I Do?
  • Make UVM's version of Microsoft Teams your preferred platform. You can get it here: https://www.uvm.edu/it/kb/article/teams/. For LCOM users, reach out to that Help Desk if you need assistance with LCOM Teams environment, https://comis.med.uvm.edu/footprints. If you are using a version of Teams that was obtained elsewhere, you may be putting data at risk unnecessarily.
  • Use Zoom only with a valid university contract in place. If you are not sure whether your version of Zoom is UVM approved, contact your local IT department support.
  • Use other video conferencing platforms only if and when they have been approved by UVM. While using university-supported video conferencing tools does not eliminate the risk entirely, it greatly reduces it.

Here are some video conferencing best practices:

  • Do not make meetings or classrooms public. Require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. Set screensharing to "Host Only."
  • Ensure users are using the updated version of remote access/meeting applications.
  • Monitor attendees and if there is someone on that you do not recognize, end the session and schedule a new one.
 
You are responsible to know UVM policy and contractual limitations, and to take additional precautions when and if required. If you have any questions about this PRIVACYMATTERS, contact the Chief Privacy Officer at privacy@uvm.edu.