VoIP Logic HIPAA/SSAE SOC II Compliance Overview for Service Providers

Transcription

1 VoIP Logic HIPAA/SSAE SOC II Compliance Overview for Service Providers

2 VoIP Logic and HIPAA/SOC-II The Health Insurance Portability and Accountability Act (HIPAA) regulations, Medicare Improvements for Patients and Providers Act (MIPPA, an extension of the HIPPA Act) and the SSAE Rev 16-SOC Type II (SOC-II) were established to protect individual and business confidential medical and financial information by those that are providing services in these two major service sectors. Figure 1: HIPPA homepage For HIPAA, Individuals, organizations, and agencies that meet the definition of a Covered Entity must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. Figure 2: SSAE Rev. 16 SOC-II homepage VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 1

3 With SSAE 16 SOCII, Individuals, organizations, and agencies that comply with Service Organization Control regulations must be especially vigilant when it comes to audit, security and encryption measures related to an individual or company s financial details. There are also privacy concerns that are important to pay attention to, but the integrity of the financial information and the individuals who interact with that detail are of paramount concern. HIPPA/SOC-II Scope What most Hosted Voice Service Providers do not realize is that the HIPAA/SOC-II rules will likely apply to Covered Entities (such as a business, hospital or a doctor) as well as their business associates (the subcontractor of a business, hospital or a doctor). This means that if a Covered Entity engages a business associate to help it carry out its health care or financial activities and functions, there must be a contract in place that holds the business associate accountable for compliance with certain provisions of the HIPAA/SOC-II rules. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to a Covered Entity that involve the use or disclosure of individually identifiable health or financial information. HIPAA related business associate functions or activities, could include claims processing, data analysis, utilization review, and billing. For SOC-II, business associate services to a Covered Entity are typically auditing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. This means that many Service Provider s customers may require HIPAA compliance as business associates for entities like SOC-II applicable financial sector businesses, hospitals or doctors, even if that is not their primary business or organization function (e.g. data analysis or billing companies). HIPPA/SOC-II in Hosted Voice VoIP Logic understands that its Service Provider Partners (SPPs) must comply with and/or be mindful of HIPAA and SOC-II requirements when supporting their business subscribers in the healthcare, financial and legal verticals. This need is particularly important where personal and business confidential information is involved. VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 2

4 While utilizing the VoIP Logic Hosted PBX / Unified Communications (UC) platform, SPPs should review their overall network and component infrastructure to ensure they are able to support the Healthcare, Financial and Legal Sectors in ways that meet HIPAA/SOC-II requirements. In particular, as it applies to VoIP Logic s core system components, the following features should operate in a HIPAA/SOC-II compliant environment. Figure 3: Portal Messaging set-up screen Why HIPPA and SOC-II Compliance is important to SPPs HIPPA/SOC-II compliances are important sets of regulations for SPPs to review and consider when conducting infrastructure planning, market direction and sales focus. While there are some additional requirements to remain compliant, not creating a compliant platform can restrict an SPP from offering Hosted VoIP services in the Medical, Legal and Financial sectors. It should also be noted that because of the rules that apply to business associates for these industry sectors, some organizations may not seem to be included (such as Software Development companies) as part of the medical, financial and legal fields, but could be affected (positively if they are in compliance and negatively if not) as they attempt to win contracts in the noted market segments. Establishing an environment for HIPAA/SOC-II Compliance also provides real tangible infrastructure enhancements, such as secure collocation and servers, enhanced tools and business procedures which, even outside of regulatory compliances, assist in thwarting entry to the SPPs Platform at VoIP Logic, while providing additional assurances to SPPs customers that the confidential HIPAA/SOC-II information has multiple levels of protection. Important factors related to HIPAA Compliance: Voice Mail capture/storage and Call Recording capture/storage and Softphone utilization. There are two sub-sections of the VoIP Logic Hosted PBX / UC architecture on which SPPs should focus when they review how to comply with HIPAA. First, the Voice Mail Storage and Retrieval Platform and second, the Call Recording infrastructure (which is always aligned with a 3 rd Party Call Recording Storage provider, such as CTI). VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 3

5 VoIP Logic s SPPs will also need to determine how to configure software clients (softphones) used to extend the communications functionality to a computer desktop or mobile phone. VoIP Logic offers the UC-One Soft Client, though many SPPs use CounterPath, Chrome plug-ins and many other forms of software SIP tools. It is imperative that these extensions support HIPPA complaint Voice Mail and Call Recording Storage and Retrieval capabilities. There is also an increasing concern with archiving of Instant Messaging and Recorded Web Collaboration events that may have applicability to HIPAA compliance. HIPAA compliance for the Voice Mail Storage and Retrieval Platform 1.) Location of the Voice Mail Storage system: For HIPAA requirements compliance, it is recommended that Service Providers utilize an internal voice mail storage system, which is accessible from within their Hosted PBX partition, for voice mail storage and retrieval, but not directly accessible from the Internet. VoIP Logic s Hosted PBX / UC Platform uses an internal voice mail server to store voice mail messages generated by the application server, because this server is internal to the Platform and is therefore not accessible from the Internet, this infrastructure forms the basis for HIPAA compliant protection of personal information that may be included in a subscriber s voice mail. If an SPP decides to implement a voice mail storage system outside of the VoIP Logic Hosted PBX voice mail network infrastructure, care has to be taken to ensure the transmission of the mail messages with the voice mail attachments occurs over a secure/encrypted connection, such as an encrypted VPN, between the core platform and the externally Hosted PBX voice mail storage system. The messages must also be encrypted on the external voice mail storage system to maintain HIPAA integrity. 2.) Subscriber access to voice mail via a phone-in Voice Portal: VoIP Logic Platform subscribers can access their voice messages for playback via the Hosted PBX Voice Portal. The access is granted (authenticated) based on the subscriber s extension or telephone number and passcode. Once the voice message is accessed it must be stored unencrypted on the VoIP Logic Hosted PBX platform voice mail storage system in order to access the voice message through the Voice Portal. There is no mechanism available to encrypt that voice mail while still enabling access via the Voice Portal. Message history of received messages is stored on the subscriber s device and in the case of the desktop, the file is not encrypted. VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 4

6 In addition, when using externally hosted voice mail storage, Service Providers cannot invoke encryption of the messages, if they are to be accessible to the customer subscriber via the Hosted PBX Voice Portal. External storage of Voice Messaging that originates on the VoIP Logic Hosted PBX s Platform is not recommended in HIPAA compliant environments. Because of these vulnerabilities, it is highly suggested that SPPs restrict the use of the Voice Portal to accessing voice mails for retrieval only. Voice message archiving must also remain within the VoIP Logic Hosted PBX network architecture to maintain HIPAA compliance privacy and security integrity, if HIPAA compliance is to be maintained. Figure 4: Voice Mail Portal Messaging set-up screen 3.) VoIP Logic Unified Messaging functionality related to HIPAA Compliance: The Unified Messaging platform (which is the most common method of utilizing the VoIP Logic Hosted PBX Voice Mail system) allows SPPs and their subscribers (If allowed) the ability to configure the Voice Mail system to send a copy of voice mail messages as an attachment to an address that the subscriber can configure. The feature forwards voice mail as a.wav attachment to the address provided. The attachment is sent as an attachment to a clear text message. Also, encryption of the.wav file is not natively supported on the VoIP Logic Hosted PBX Platform. As such, it is highly recommended that SPPs restrict forwarding of voice mails for those subscribers that need HIPAA compliance. VoIP Logic suggests that Voice Messaging only be accessed and managed directly from the Subscriber s Desktop or Mobile Device in a listen only mode in order to keep the Voice Mail access and storage in HIPAA compliance. VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 5

7 HIPAA compliance for the Call Recording and Retrieval Platform The VoIP Logic Hosted PBX Platform supports use of a third party Call Recording specialty companies using the SIP REC conveyance protocol. The VoIP Logic s Hosted PBX Media Server makes encrypted media streams available to third-party Call Recording platforms to support a Customer Subscriber s Call Recording needs. The actual storage of Call Recordings occurs outside of the VoIP Logic platform. As such, Service Providers should discuss the HIPAA compliance of the underlying Call Recording system with the Call Recording Storage and Retrieval platform provider that they wish to use. The CTI Group is the current interfaced on-board VoIP Logic Call Recording Storage and Retrieval platform provider partner for the VoIP Logic Call Recording Platform. They support SIPREC interoperable HIPAA compliant Call Recording solutions. It should be remembered that the Receptionist, Call Center Agent and Call Center Supervisor Hosted Seat Application are all related specialized client applications and should be configured in similar manner in relation to HIPPA compliance for Voice Messaging and Contact Center conversation recording and archiving. Figure 5: VoIP Logic Hosted PBX Platform Call Recording Interface set-up screen HIPAA compliance of the UC-One Soft Client 1.) The Collaboration components of the UC-One Soft Client enables Unified Communications functionality for Voice, Video, Instant Messaging, Presence and Desktop Sharing features in this software communications tool. The Collaborate Servers (which house the UC-One Collaboration components) are part of the VoIP Logic Platform core infrastructure. XMPP messages for Instant Messaging & Presence are exchanged between the desktop and mobile software applications and the Collaborate Servers within the core VoIP Logic Hosted VoIP infrastructure. VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 6

8 2.) The VoIP Logic UC application can also provide control for Call Recording, which is enabled only for those Contact Center/ ACD subscribers who have been provisioned for his feature during the Implementation cycle. All communications between the software applications and Collaborate servers can be encrypted using XMPP/TLS & SRTP, if so configured and thereby kept HIPAA compliant. Messages for offline subscribers are stored locally on the server in-memory and in cleartext. Once a subscriber signs in, these messages are delivered and deleted from the Collaborate server s database. Messages transacted within any UC-One My Room sessions are written to the database. These messages are available indefinitely so subscribers have access to their message history. Care should be taken to ensure that any messaging that is accessed should be done so from the Collaborate Server Platform to comply with HIPAA/SOC-II requirements. Figure 6: UC-One IM Screen If there is a requirement to archive Instant Messages, this can be configured for the subscriber on the VoIP Logic Hosted PBX/ UC Communications platform so that messages are written to file and stored on the Profile Server (PS) on an hourly basis. Service Providers may assign by configuration which fields get stored, including date, time, from and to of the message. There is also an option to archive the message content itself. As with the other key Hosted PBX components, the PS is part of the core infrastructure and remains within the security perimeter of VoIP Logic Platform thereby keeping it HIPPA compliant. Figure 7: UC-One Contacts Screen VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 7

9 The messages archived on the PS are encrypted. This store of messages on the PS is available for up to a week, after which the IM is deleted. SPPs can modify this configuration, if longer term archiving is required. This configuration allows UC-One Instant Messaging to maintain HIPAA compliance, as long as no IM s are forwarded off the VoIP Logic Hosted PBX Platform. The UC-One applications use HTTPS for passing subscriber login credentials. The password is not encrypted for transmission. As such, they should not be managed outside the VoIP Logic Hosted PBX platform. 3.) Desktop Sharing allows subscribers to share information on their screens with fellow subscribers within the enterprise as well as external collaborators from the Internet via a Guest Client. This allows the potential for external malicious attempts to access subscriber databases and content. It is highly suggested that UC-One Desktop Sharing capability be disabled for subscribers that require HIPAA Compliance, as storage is not secure. Summary of the key elements of HIPAA/SOC-II compliance for SPPs. It is important for SPPs to understand that VoIP Logic provides the fundamental core Hosted PBX/UC infrastructure to assist an SPP in creating a HIPAA/SOC-II compliant environment. However, configuration of the core components and potential extensions beyond the physical core to third party and/or unencrypted systems not under VoIP Logic s control most notably at the customer s place of service consumption, can compromise compliance. - In order to deliver HIPAA compliant services based on the VoIP Logic platform, the Service Provider should locate the Voice Mail storage within the VoIP Logic Voice Messaging Platform. - The SPP should use a HIPAA compliant Call Recording Platform Solution Provider that interoperates with the VoIP Logic Hosted PBX platform - SPPs should configure XMPP/TLS & SRTP for VoIP Logic UC-One APPs to impose subscriber requirements to password protect access to subscriber s Mobile or Desktop device VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 8

10 - SPPs should configure the Desktop Sharing feature to be disabled to maintain HIPAA compliance, unless consistent, maintained encryption and screen capture control is enabled and demonstrated. - The VoIP Logic Guest Client, which is a browser based application for external participants in a UC-One Desktop Sharing session, does not allow for user initiated Call Recording. As such, Desktop Sharing should not be enabled in a HIPAA complaint environment. - SPPs should have subscriber policies established in their contractual documentation to cover application behavior by the subscriber to safeguard unauthorized disclosure of HIPAA/SOCII information. - SPPs are expected to configure their platform partitions and educate their subscribers on how to maintain control of the integrity of the data paths for the information related to call data records and especially recorded voice calls, whether as voice messaging or recorded voice conversations. VoIP Logic cannot insure integrity of the entire call record, recorded message or conversation content, as it does not have control over the entire data pathway. -SPPs should remind entities that must maintain SSAE-16 SOCII controls, must maintain integrity and encryption for their audit and related financial records across their infrastructure, not just the part provided by the VoIP Logic platform. - Finally, the SPP needs to work with the subscriber, to insure that they understand and are responsible for password protecting access to devices for an additional layer of access security, such that messages shared via Instant Messaging or Desktop Sharing features (if allowed) are accessible to the authorized subscriber only. Helpful Links: Here are the links to the U.S Government s Health and Human Services and SSAE websites for Service Providers to read in depth on HIPAA and SOC-II regulations: -HIPAA -SOCII Additional details related to how SPPs can work effectively with HIPAA/SOC-II regulations on the VoIP Logic Hosted PBX Platform can be found on the VoIP Logic SPP Portal on the VoIP Logic HIPAA/SOC-II Documentation page. VoIP Logic HIPAA/SOC II Compliance Overview - 4Q 15 9