VoIP in Healthcare - How Secure is It?

  • Writer: Kathleen Gaffney
  • Sep 26, 2015

Updated: Apr 25, 2022

September 25, 2015



VoIP (Voice-over-IP) phone systems are increasingly popular in today’s healthcare organizations. With wireless VoIP, medical personnel no longer need to be tied to a specific workstation to make or receive calls. They can be reached immediately, wherever they are, eliminating the need for callbacks.

VoIP offers integration between the computer and phone, an application called Unified Communications. It leverages the internet as an infrastructure for voice communications. Because VoIP is internet-based, it comes with increased security risks and threats. Data packets carry voice in the same manner as general internet traffic. Many times, VoIP implementations converge with the existing data network, placing greater performance and security demands on the network.

In the highly regulated healthcare industry, the loss of patient data is a real concern. The Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act (GLBA), the Fair and Accurate Credit Transactions Act (FACTA), and the Payment Card Industry Data Security Standards (PCI DSS) all require the protection of sensitive information.

VoIP traffic on a network is open to attacks using techniques that have been used on data networks for years. Because VoIP systems are connected to the data network, and share many of the same hardware and software components, there are many “new” ways for intruders to get access to confidential information. More and more, VoIP systems are integrated with billing systems. This can open the door to hackers obtaining information including birth dates, phone numbers and billing information. In addition, activities such as conversation eavesdropping and call re-routing are serious VoIP security issues faced by healthcare organizations.

Conversation Eavesdropping - This is when a hacker captures and saves audio streams on the network - think of a conversation where the patient provides a credit card number to pay a bill. Hackers use a packet capture tool (free on the internet), which is more or less the same tool network administrators use to monitor and maintain their networks.

Call Re-routing - This is when a hacker intercepts and re-routes calls. Your customer ends up talking to a criminal organization masquerading as your organization. The criminals end up obtaining your customer’s personal information, Social Security number and credit card information.

One simple cause of security issues with a VoIP implementation is existing network security vulnerabilities. Therefore, a security assessment that includes a review of gateway security, firewall configuration, patching procedures, syslog review, and wireless security is recommended as part of a VoIP deployment. Further, the assessment can serve as an additional piece of “evidence of due diligence” in the event of a regulatory audit.

IP Telephony experience, combined with network experience and a security focus, goes a long way toward combating these issues. True risk reduction can only occur when Telephony and Network engineers work together to mitigate VoIP risks.

 
 
 

©2017 by Kathleen Gaffney.