Securing Unified Communications for Healthcare

Table of Contents
- Securing UC: A Unique Process ... 2
- Fundamental Components of a Healthcare UC Security Architecture ... 3
- Making Unified Communications Secure Enough for Healthcare ... 5
- Avaya UC Solutions Help Healthcare Organizations ... 6
- Blending Opportunity with Security ... 6
- Learn More ... 7

Secure unified communications that protect patients from privacy violations and healthcare providers from the consequences of noncompliance

Unified communications (UC) is a mission-critical tool for today's healthcare organizations. Although it has advantages that apply to all industries and organizations, it is especially important for the healthcare industry because delayed or misinterpreted communications can affect patients' health and even their lives. UC facilitates more effective communications and can help lower costs, in addition to helping meet the demand for better productivity and improved care.

In response to government mandates, hospitals are transitioning to electronic health records (EHR), and increasingly, are delivering critical voice, e-mail, text, and video via mobile applications. UC helps address the challenges inherent in electronic distribution, such as the need to integrate the right communication tools into the context of the user and task. It can reduce errors and delays, and make operations more efficient by creating a single interface for communications via smartphones, laptops, tablets and traditional telephone interfaces. All this means faster, more accurate communication, which in turn can translate into prompt, safe patient care. UC helps save time and resources, allowing staff to fully and efficiently utilize resources, shorten patient stays, and lower costs. Since most UC systems are auditable, UC also helps healthcare organizations comply with government mandates such as the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Whether or not healthcare providers can exploit these advantages hinges on another critical concern: security. Healthcare organizations and the communications systems they use handle the most private and sensitive kind of information. Protecting that information from alteration, loss, and unauthorized access is a matter of law as well as compassion and common sense. Failure to comply with laws and regulations puts the organization at financial risk. Based on a February 2011 research report by the Aberdeen Group [1], poor communications security has the potential for serious consequences in the healthcare industry as well as in other industries. According to the report, the average maximum cost of a single lapse in regulatory compliance is:

- $2.1 million for Sarbanes-Oxley
- $1.5 million for Global Privacy Regulations
- $1.4 million for Securities and Exchange Commission Regulations
- $1.3 million for PCI DSS
- $1.1 million for HIPAA

[1] Aberdeen Research Brief: Unified Communications Security: A Best-in-Class Strategy to Unleash Value, February 2011.

Securing UC: A Unique Process

When adopters begin using unified communications, many focus on the benefits realized by deploying the core technology, and are slow to recognize specific security concerns and the best practices to address them. As UC becomes more and more common across industries, some security insights are universally applicable:

- UC applications operate in real time, and must be secured in real time.
- UC operates at the application layer; therefore, it requires application-layer inspection for proper security.
- UC is based on an endlessly changing combination of device types, creating more doors to guard.
- UC can use untrusted networks that are outside the IT department's control. (As in other industries, healthcare workers now continue to work while on the move or at home.)
- Compliance rules that apply to more traditional IT and communication types apply to unified communications as well.

All these insights apply to healthcare operations, but healthcare also has its own unique requirements. UC security in the healthcare realm is not, for instance, the same thing as data network security, which is a primary concern in corporate UC implementations. The healthcare industry needs real-time, application-layer security for applications and devices sharing the same infrastructure. In addition, information security mandates and compliance rules are arguably more extensive and stringent than those in any other industry: HIPAA in the United States, the Personal Health Information Protection Act (PHIPA) in Canada, the Data Protection Act (DPA) of 1998 in the United Kingdom, Data Protection Directive 95/46/EC for members of the European Union, and similar regulations enforced by national and local governments around the world.

Complying with legal mandates is not easy. Hospitals are already bring-your-own-device (BYOD) environments, and unified communications solutions allow more smartphones, tablets, videophones, and soft clients into the mix, as well as more end points. In addition, hospitals must contend with threats that are common across industries, such as identity theft, research espionage, and toll fraud, as well as many more pressing concerns. Hospitals must be on alert for denial-of-service attacks, which can affect the critical communications that direct patient care, or the privacy risk posed when doctors, nurses, and pharmacists send protected patient data over an unauthorized instant messaging application that uses a cloud-hosted application on the Internet.

Fundamental Components of a Healthcare UC Security Architecture

An effective UC security architecture for healthcare settings requires four critical capabilities: encryption, access control, threat detection, and policy enforcement.

Encryption for privacy

Although all unified communication devices offer encryption, some organizations don't use it. Particularly in healthcare institutions, internal users are seen as well-intentioned and benevolent caregivers who can be trusted with sensitive data. However, the risk of a single malevolent insider with access to life-critical, ultra-private information is unacceptable.
From a security architecture standpoint, healthcare UC requires application-layer encryption, such as Transport Layer Security (TLS) for signaling and Secure Real-Time Transport Protocol (SRTP) for media. This is the most common encryption standard implemented in UC gear. Since clients that support TLS and SRTP encryption are available for smartphones, tablets, and other devices, adherence to these standards helps resolve the security issues associated with the proliferation of end points. TLS and SRTP are used to secure voice communications, as well as instant messaging and video traffic from intelligent endpoints.

Access control and authentication for devices and users

Access control is particularly important for hospitals, where there is a continuous turnover of patients and visitors, most of whom carry one or more communication devices. A healthcare UC architecture should include application-layer access control to complement standard network-level firewalling and authentication schemes. Equally important is session border control. The feature can be used to terminate SIP trunks, as well as provide a point of demarcation and control between trusted enterprise networks and untrusted carrier trunks. The architecture should also include the ability to hide topologies and conduct network address translation (NAT), which can effectively shield the healthcare organization's UC infrastructure, end points, and users from external parties. In addition, hospitals that use mobile UC end points can direct the session border controller to grant secure remote access to devices even if those devices are outside the enterprise.

Threat detection and mitigation

Toll fraud and eavesdropping are also key security concerns for hospitals. With a transient visitor population and easy public access to premises, vulnerability to toll fraud puts hospital funds (and ultimately patient care) at risk. Because patient information is among the most sensitive types of data, it must be stringently guarded against eavesdroppers. The appropriate defense is a signature-based intrusion prevention system that operates at the application layer and continuously scans signaling and media traffic to detect the patterns that indicate an attack.
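The encryption requirement above (TLS for signaling, SRTP for media) is the kind of thing an application-layer inspection point can verify on every call. The following is an added example, not Avaya code and not part of the paper: it parses a constructed SIP INVITE, checks that the topmost Via shows TLS transport, and checks that every m= line in the SDP offer uses the RTP/SAVP profile with an a=crypto key. The hostnames, addresses and key material in the sample are placeholders.

```python
# Constructed sample: signaling over TLS, audio offered as SRTP, video as plain RTP.
SAMPLE_INVITE = (
    "INVITE sip:nurse@hospital.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.5.21:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:doctor@hospital.example>;tag=1928301774\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 0 0 IN IP4 10.0.5.21\r\ns=-\r\nc=IN IP4 10.0.5.21\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL\r\n"
    "m=video 51372 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)

def split_message(raw):
    """Return (headers: lowercased name -> list of values, SDP body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def media_sections(sdp):
    """Group SDP lines under their m= line; session-level lines are dropped."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([line])
        elif sections:
            sections[-1].append(line)
    return sections

def check_invite(raw):
    """Return findings; an empty list means TLS signaling and SRTP on every stream."""
    headers, sdp = split_message(raw)
    findings = []
    via = headers.get("via", [""])[0]              # topmost Via = sender's transport
    transport = (via.split() or [""])[0].upper()
    if transport != "SIP/2.0/TLS":
        findings.append("signaling not over TLS: " + via)
    for sec in media_sections(sdp):
        mtype, _, profile = sec[0][2:].split()[:3]  # "m=audio 49170 RTP/SAVP 0"
        if not profile.startswith("RTP/SAVP"):
            findings.append(f"{mtype} stream offered as {profile}, not SRTP")
        elif not any(l.startswith("a=crypto:") for l in sec[1:]):
            findings.append(f"{mtype} stream is RTP/SAVP but carries no a=crypto key")
    return findings
```

Running check_invite on the sample flags only the video stream, which is exactly the partial-encryption case that "some organizations don't use it" tends to hide.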
Policy enforcement

The healthcare environment is heavily regulated, and at the same time, characterized by an extremely stringent demand for performance. A healthcare UC architecture must be able to act on regulatory-mandated policies in real time without affecting speed and quality of delivery. This requires a centralized, easy-to-manage UC architecture to consistently apply policies across applications and networks. UC security should also enforce virtual LAN separation of voice and data traffic, to prevent attackers from hopping from the voice VLAN to the data VLAN, where they can gain access to any system on the network, including critical data repositories.

Making Unified Communications Secure Enough for Healthcare

Avaya has identified UC practices that can help healthcare organizations prevent intrusions and operational disruptions while maintaining compliance with privacy and security mandates:

- Secure all end points, especially those most often used for remote access, such as smartphones, tablets, and laptops
- Use specialized UC security appliances that can encrypt both media and signaling connections in real time and on the fly, without requiring virtual private networks (VPNs) and tunnels for e-mail, IM, VoIP, and video communications
- Deploy SIP trunks for network and communications security, demarcation, and control
- Deploy enterprise session border controllers (SBCs) that contain integrated capabilities for policy enforcement, access control, failover, and deep packet inspection

Figure 1 shows how SIP trunks and enterprise SBCs can provide comprehensive UC security when deployed together. SIP trunks protect enterprise VoIP communications by applying TLS or SRTP encryption. SBCs, especially if they contain the integrated components addressing the four elements of UC security described above, offer many benefits, including enforcement of enterprise-specific security policies. They also provide a layer of independence from service providers, enabling multiple SIP trunk provider access points, and support enterprise-specific call flows that service providers may not. By operating in real time, SBCs can secure VoIP and other UC applications over any network to any device. They help enforce enterprise security policies and compliance with industry privacy and security guidelines, without compromising performance.
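The real-time policy enforcement described above, and the toll-fraud exposure from a transient visitor population noted under threat detection, can be illustrated with a small per-INVITE policy evaluator. This is an added example, not Avaya code and not the SBC's actual policy language: each INVITE is classified by source zone (clinical VLAN, remote worker arriving through the SBC, guest Wi-Fi) and dialed destination class, and a per-caller sliding window denies bursts that look like toll fraud. The zone names, number-classification rules and log lines are all constructed assumptions.

```python
from collections import defaultdict, deque

POLICY = {  # constructed: source zone -> destination classes it may call
    "clinical-vlan": {"internal", "national", "international"},
    "remote-worker": {"internal", "national"},      # reaches the SBC from outside
    "guest-wifi":    {"internal"},                  # visitors: extensions only
}
RATE_LIMIT = 10   # INVITEs per caller per 60 s before a burst is treated as toll fraud

def classify_destination(dialed):
    """Bucket a dialed string (constructed rules): short digit strings are extensions."""
    if dialed.startswith("+"):
        return "national" if dialed.startswith("+1") else "international"
    return "internal" if len(dialed) <= 5 else "national"

class InvitePolicy:
    def __init__(self):
        self.window = defaultdict(deque)   # caller -> timestamps of recent INVITEs

    def decide(self, ts, zone, caller, dialed):
        """Return (verdict, reason) for one INVITE, evaluated in arrival order."""
        recent = self.window[caller]
        recent.append(ts)
        while ts - recent[0] > 60:                  # drop INVITEs older than the window
            recent.popleft()
        if len(recent) > RATE_LIMIT:
            return "DENY", "burst exceeds rate limit (possible toll fraud)"
        dest = classify_destination(dialed)
        if dest not in POLICY.get(zone, set()):     # unknown zone gets no rights
            return "DENY", f"{dest} destination not permitted from zone {zone}"
        return "ALLOW", dest

# Constructed signaling log: "<unix ts> <zone> <caller> INVITE <dialed>"
SAMPLE_LOG = [
    "1000 clinical-vlan sip:dr.lee@hospital.example INVITE +442071234567",
    "1001 remote-worker sip:rn.kim@hospital.example INVITE +14155551212",
    "1002 guest-wifi sip:visitor17@hospital.example INVITE +442071234567",
] + [f"{1010 + i} guest-wifi sip:visitor42@hospital.example INVITE 4100" for i in range(12)]

def evaluate(lines, policy=None):
    """Apply the policy to each log line; returns a list of (caller, verdict, reason)."""
    policy = policy or InvitePolicy()
    out = []
    for line in lines:
        ts, zone, caller, _, dialed = line.split()
        verdict, reason = policy.decide(int(ts), zone, caller, dialed)
        out.append((caller, verdict, reason))
    return out
```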
Avaya UC Solutions Help Healthcare Organizations

- Properly encrypt the transmissions between VoIP/UC applications and end points, including signalling and media
- Deploy SIP trunks with the industry's best security, demarcation, and control
- Support HIPAA compliance by properly logging and protecting all private patient data communications
- Actively enforce security policies to prevent unauthorized applications or patient information leakage
- Scan and act on all signalling and traffic based on updated threat and attack markers provided by the VIPER Lab

[Figure 1. Unified communications security with SIP trunking and SBC controls. The diagram shows a remote worker, a hacker, and a rogue device on the Internet, the PSTN, and the hospital network, where Avaya SBCAE units sit in front of the SIP trunk and PBX alongside recording and compliance functions; an infected softphone/PC is shown inside the hospital.]

Blending Opportunity with Security

Today's communications travel in a multivendor, multiple-device, interoperable world. They spill into the controlled environment of the hospital or clinic, and bring opportunities to enhance patient care. Unifying these communications can help healthcare organizations increase flexibility, reduce cost and complexity, and enhance user experience. But UC needs to be secure. By addressing the four dimensions of UC security, healthcare institutions can capture UC benefits, and at the same time, protect patient data from unauthorized access and patient care from disruption.
About Avaya

Avaya is a global provider of business collaboration and communications solutions, providing unified communications, contact centers, networking and related services to companies of all sizes around the world. For more information please visit www.avaya.com.

Learn More

To learn more and to obtain additional information such as white papers and case studies about Avaya Session Border Controller Advanced for Enterprise, please contact your Avaya Account Manager or Authorized Partner or visit us at www.avaya.com/usa/product/avaya-aura.

© 2012 Avaya Inc. All Rights Reserved. All trademarks identified by ®, ™, or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. 05/12 UC7078