Making Unified Communications Secure for Hospitals and Healthcare Organizations
Today’s healthcare industry is in transition. Due to government requirements, doctors and hospitals are moving to electronic health records, and managing a load of regulations and concerns regarding those records, and interactions with their patients. Going electronic is ultimately a good thing – faster and better patient care, unified approaches from multiple providers, and the financial benefits of shorter patient stays and lower costs. But all that electronic data and traffic must be secure, and nothing can be lost or garbled. Unified Communications (UC) is just what the doctor ordered.
A Unified Communications solution helps the healthcare industry in many ways:
- Reduces errors and delays
- Speeds communication - internally and between providers and patients
- Integrates many communication tools
- Increases operational efficiency
- Can deliver information by voice, e-mail, text, and video, as appropriate
But a key concern for all involved – patients, doctors, and the government – is security. This is private information, sensitive details, and a breach can jeopardize someone’s identity or their very life. Even ignoring the impact to patients, providers who fail to comply with regulations can pay up to $4.8 million – and that’s just for HIPAA. Let’s look at a few other specific concerns that can arise when using UC in the healthcare environment:
- UC is real-time, which requires real-time security
- UC is applications-level, which requires application-layer inspection
- UC enables and supports a wide variety of communication devices
- UC enables work while at home or on the go, potentially using untrusted networks
- UC has to follow all compliance rules for all technologies it employs
- If UC connects across national boundaries, additional regulations must be observed
So how do we set about this herculean task of securing unified communications so the benefits can be reaped? While each implementation must of course be unique, the high-level answer is just four key capabilities.
1. Encryption
UC solutions include encryption, but many organizations don’t use it. That’s just not an option in the healthcare industry. For these purposes, you must use Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP), covering signaling and media respectively. Both protocols are included or available on mobile devices, which addresses the BYOD and endpoint security issues.
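To show what "TLS for signaling, SRTP for media" looks like on the wire, the following added example (not code from the original article or from any UC vendor) audits a SIP INVITE and its SDP body. The host names, the `build_invite` helper and the sample messages are constructed for illustration, and the check assumes SRTP is keyed either by SDES (`a=crypto`) or by DTLS-SRTP (`a=fingerprint`).

```python
# Added example: audits constructed SIP INVITEs, not captured traffic.
# Maps each encrypted SDP media profile to the keying attribute it requires.
KEYING = {"RTP/SAVP": "crypto", "RTP/SAVPF": "crypto",                      # SDES
          "UDP/TLS/RTP/SAVP": "fingerprint", "UDP/TLS/RTP/SAVPF": "fingerprint"}  # DTLS-SRTP

def audit_invite(message: str) -> list[str]:
    """Return findings; an empty list means signaling and media are both encrypted."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signaling: each Via header must name the TLS transport.
    vias = [l for l in head.split("\n") if l.lower().startswith(("via:", "v:"))]
    if not vias:
        findings.append("signaling: no Via header found")
    for via in vias:
        sent_protocol = via.split(":", 1)[1].split()[0].upper()
        if sent_protocol != "SIP/2.0/TLS":
            findings.append(f"signaling: Via uses {sent_protocol}, not TLS")
    # Media: collect each m= section with the attribute names that follow it.
    session_attrs, media = set(), []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append((kind, proto.upper(), set()))
        elif line.startswith("a="):
            name = line[2:].split(":", 1)[0]
            (media[-1][2] if media else session_attrs).add(name)
    for kind, proto, attrs in media:
        needed = KEYING.get(proto)
        if needed is None:
            findings.append(f"media: {kind} offered as {proto}, not SRTP")
        elif needed not in attrs | session_attrs:
            findings.append(f"media: {kind} uses {proto} but has no a={needed} line")
    return findings

def build_invite(transport: str, media_lines: list[str]) -> str:
    """Build a constructed INVITE (hypothetical hosts) for the demonstration."""
    head = ["INVITE sip:nurse-station@hospital.example.test SIP/2.0",
            f"Via: SIP/2.0/{transport} pbx.example.test:5061;branch=z9hG4bKdemo",
            "Content-Type: application/sdp"]
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp + media_lines) + "\r\n"

if __name__ == "__main__":
    cleartext = build_invite("UDP", ["m=audio 49170 RTP/AVP 0"])
    for finding in audit_invite(cleartext):
        print(finding)
```

A call that negotiates TLS signaling but plain `RTP/AVP` media still fails the audit, which is the common misconfiguration when only one of the two protocols is enabled.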
2. Access Control
By definition, the healthcare industry deals with people. And in this day and age, all but the newborns are likely to have a mobile device of some sort. It is critical that unauthorized users be kept out of the UC infrastructure. Thus application-layer access control is mandatory, working with standard firewalls and authentication plans. Additionally, border control (via an enterprise session border controller, or SBC) is a critical component of this part of your security, shielding your infrastructure and endpoints, and providing control over untrusted carrier trunks. (This will also enable the safe use of remote access by authorized users.) Moreover, the implementation of SIP trunks acts as a good tool for access control security.
3. Threat Detection
Threat detection goes hand-in-hand with the access control exposure – more people through the front door means more exposure to risks. Hospitals especially are vulnerable to toll fraud and eavesdropping. Part of the solution for eavesdropping is, of course, process-based (employees being careful about who is around), but UC has a security solution as well. Signature-based intrusion prevention at the application layer is an appropriate defense for these sorts of risks. Continuous scanning of the signaling and media traffic can also potentially detect patterns which might indicate an attack. An SBC is the right tool for this job as well.
4. Policy Enforcement
Security defense here focuses on two areas. First, of course, is making sure that the UC architecture always remains compliant with the regulations governing the healthcare industry. As mentioned previously, that includes differing regulations if national borders are crossed. And when a regulation is changed, the UC solution needs to change in real-time with it. By their nature, though, UC solutions tend to have a centralized, easy-to-manage architecture – whether hosted or not – allowing you to enforce the policies across all the networks and applications involved. The second area of risk is simple in concept: keeping the data and voice traffic separate. If the voice network is penetrated, make sure it provides no access to the sensitive data being used and stored.
Unified communications solutions can be a huge benefit to the healthcare industry. And to a certain extent, the industry is being forced to move in this direction by the regulations now in place. Making sure the transition is safe and secure will allow you to then take advantage of the myriad benefits UC brings to all industries (efficiency, flexibility, reduced cost, even call center optimization), without fear of disruption, noncompliance, or data exposure.