Many people are aware that sharing any information or transmitting any message across the web carries at least some security risk. The obvious question that follows might be this: Is VoIP calling secure? Are other IP telecommunication methods secure? Thanks mainly to sophisticated encryption from end-to-end, IP-based communication can be secure enough. In regulated industries, specifically finance and healthcare, business owners may wonder about regulatory compliance and how an IP telephone system would affect their ability to comply with rules on protecting sensitive consumer data.
Security and Compliance Concerns
Anything that puts more of the business’ information online makes that business a little more vulnerable to data loss or hacking attempts. However, VoIP phones and systems do not necessarily raise a company’s risk. Voice communication tends to be encrypted from end-to-end once over the internet. However, this does not prevent hackers from using other means to access a company’s network.
Chat, instant messaging, and file sharing are also vulnerable to cyberattacks. Outlook and other email clients integrate with IP (Internet Protocol) telephone systems, streamlining communication but introducing some well-known risks that are normally associated with computer networks:
- A cybercriminal could attempt to access the company’s networked computing resources and use that access to send out spam or junk voicemail messages.
- Some hackers have been able to access payment accounts, banking information, or confidential business information through VoIP phones.
- The hardware a larger business uses to manage IP telecom services could also be compromised to send out spam emails or to overwhelm a third party’s servers through something called a distributed denial of service attack.
Protecting your business from cybersecurity threats is a never-ending battle against hackers. Aside from saving money and enhancing productivity, any change in technology needs to also keep a business in compliance with applicable rules and standards. Violating one of those regulations by using non-compliant chat software or cloud-based computing is never worth the financial and reputational risk. The same logic applies to selecting a new IP telephone network or even just VoIP phones managed by a third party.
Regulations tend to cover any form of data transmission, even voice calls and instant messages. If you work in a regulated industry, specifically healthcare or finance, you also must think about data security regulations. Losing data to a malicious actor is bad enough; even worse is being fined by the government and suffering major reputational damage from losing patients’ medical data or credit card records.
Most any business that handles financial data, health information, or intellectual property must be concerned with cybersecurity standards and regulations. Anyone in healthcare, law or financial services probably knows the general rules they need to comply with.
The most important of these may be HIPAA (Health Insurance Portability and Accountability Act). The rules cover most any entity that handles individually identifiable health information such as biometrics, medical records, and medical images, as well as the usual personal information like name, address, and Social Security number. Voicemail, conference calls, chat logs from IM (Instant Messaging) conversations, and databases all need to be protected from unauthorized access.
The HITECH (Health Information Technology for Economic and Clinical Health) Act, which became law in February of 2009, extends HIPAA to cover more businesses, namely business associates of firms regulated by HIPAA.
Payment processing firms, payday lenders, credit unions, and banks must comply with data protection rules described in the Gramm-Leach-Bliley Act (GLBA) and others. A covered business can satisfy many of the requirements with specific business processes and policies. Some requirements can only be satisfied through software and hardware that has the right cybersecurity abilities.
Because of widespread data protection requirements like those, many VoIP vendors promote HIPAA compliance in particular. This is worth knowing about because your phone system must not compromise your ability to comply with relevant data security requirements, such as end-to-end encryption of messages.
How IP Telephone Technology Maintains Security
The secret to IP telephone security is encryption. Servers that store records, such as chat messages, need to be encrypted. Databases your VoIP system accesses should also be secured, at a minimum by restricting the rights to edit or delete them. The best technology-based defense against hacking is a familiar one – encryption. Calls should be encrypted from the caller’s phone to the server that manages phone traffic and then from that server to the listener. In fact, this is a requirement for HIPAA compliance. Phones must also be able to record all call data. The same holds true for chat conversations, instant messages, and video calls or conferences. Those communication methods can be hacked and have been.
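The call-encryption requirement above can be verified at the signaling layer on each leg (phone to server, server to listener). The following is an added example, not code from this article or from DirecTech or Zultys: it parses a SIP/SDP offer and reports whether every media stream was negotiated as SRTP; the sample offers are constructed.

```python
# Added example (not code from the article or from any VoIP vendor): audit a
# SIP/SDP offer and report whether each media stream negotiated SRTP.
# A profile of RTP/SAVP(F) or UDP/TLS/RTP/SAVP(F) plus keying material
# (a=crypto for SDES, a=fingerprint for DTLS-SRTP) counts as encrypted.

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF",
                   "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def parse_media_sections(sdp):
    """Split an SDP body into (m-line, [a= lines]) per media stream."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            sections.append((line, []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line)
    return sections

def audit_sdp(sdp):
    """Return [(media_type, profile, encrypted)] for every m= line."""
    results = []
    for mline, attrs in parse_media_sections(sdp):
        fields = mline[2:].split()          # e.g. "audio 49170 RTP/SAVP 0 8"
        if len(fields) < 3:                 # malformed m= line: treat as not secured
            results.append((mline, "?", False))
            continue
        media_type, profile = fields[0], fields[2]
        has_keys = any(a.startswith(("a=crypto:", "a=fingerprint:")) for a in attrs)
        results.append((media_type, profile, profile in SECURE_PROFILES and has_keys))
    return results

def all_media_encrypted(sdp):
    """True only if the offer has at least one stream and every stream is SRTP."""
    results = audit_sdp(sdp)
    return bool(results) and all(enc for _, _, enc in results)

# Constructed sample offers (not captured from any real deployment).
PLAINTEXT_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

SRTP_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_MATERIAL
a=rtpmap:0 PCMU/8000
"""
```

A stream marked RTP/SAVP but carrying no a=crypto or a=fingerprint line is reported as unencrypted, since no keys were actually negotiated.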
Security and Regulatory Compliance are Easy with the Right Tools
In short, IP-based telephone calling and other IP-related telecom services can be quite secure. The technology can also be made compliant with HIPAA and other relevant data protection rules. In fact, some vendors like Zultys will make it a point of advertising this. If you would like to talk about implementing a VoIP telephone system in your business, DirecTech can help. Contact us to schedule a free consultation.