Those of you who have made sales in doctor's offices or other health-related offices which fall under HIPAA compliance: I have some possible upcoming opportunities for those types of settings. The typical office right now has 3 or 4 POTS lines and a fax line with a small key system and approximately 7-10 extensions. I understand that bringing in SIP trunking would be out of compliance, but what about a VPN tunnel from a doctor's home to their office for a remote extension? Also, what about the voicemail to e-mail functionality? If any of you have experience and have researched/followed HIPAA compliance, I would like to hear about the experiences, advice, and information you have, as well as a basic setup that you implemented.
HIPAA sales advice
This is a tricky issue...and I'll admit that my (extensive) experience in healthcare telecom has shown that most companies don't consider it as much as they should.
Paramount to secure communications is the ability to encrypt the RTP stream. People are often surprised when I can sit down and in five minutes be listening to VoIP phone calls anywhere in their network. I am not aware of any way to do this within Asterisk...but then again, I haven't looked into it either. (Asterisk is a pet project for me...I push it, but not to extremes)
A VPN tunnel should be OK...though a private network would give full compliance. I've established multiple networks for HIPAA-aware companies that use VPN connections. In many cases, it's impractical to bring in a private connection.
With VM to email, if the customer uses encryption on their email (e.g. through Domino), it will be much safer...but again, that data traversal can be sniffed right out of the network. This is more of a network security issue than anything. You'll want to make sure you encrypt your mail authentication at the very least...but most companies opt to not go with VM to email due to the security implications involved. Also, you'll want to make sure your default VM access codes are forced to authenticate, as opposed to the open VM access that Asterisk provides out of the box.
Aside from that, if a company is very serious about HIPAA compliance, I would not advise going in with an Asterisk server. A Cisco CallManager would be much more suitable as it has inherent mechanisms for encryption at both the RTP level and the voicemail to email level.
Revco, I get a huge kick out of posts like this. Well written but completely wrong.
experience in healthcare telecom
Please quote the exact HIPAA requirement for encrypted voice. If this was accurate then every pharmacy/clinic and hospital with POTS lines is by your definition not HIPAA compliant.
This is not a technical issue, this is a compliance issue. HIPAA does not specifically require any type of encryption. By your definition every health care provider with unencrypted peering is out of compliance.
open VM access that Asterisk provides out of the box.
How is Asterisk VM "open" out of the box?
Not to sound like a broken record, but where is the HIPAA requirement to secure the internal network? How does Domino contribute to network security?
A Cisco CallManager would be much more suitable as it has inherent mechanisms for encryption at both the RTP level and the voicemail to email level.
I do not know of a single major health care provider network in the Great Lakes running encrypted RTP.
When you bounce back to the small doc offices, they are security disasters.
I would be very interested in any requirements that have been written for VoIP security from a major health care provider.
Scott
Scott,
I don't really have to defend whether HIPAA states encrypted RTP is a requirement...it's not...but at the forefront of healthcare telecom, these discussions ARE taking place. As I said in my first paragraph, it's not common for companies to look at it much...but the big ones (700+ extns) are taking a hard look at encrypted traffic these days. It helps when you bring in a security guy and show them just how vulnerable things are.
Whether or not YOU'VE seen it in your area is irrelevant. A high end VoIP company is going to look for unique angles they can provide to their customer base and sell it to them. Administrators & decision makers, who are looking at the security & reliability of their communications on a whole, are typically open to such discussions and some even go for it.
All I mean by open VM access is that the default VM entry code permits single stage authentication. It's preferred to use two stage in most cases and require the user to enter both their mailbox and password.
I will 100% agree that at the doc office and so on, compliance is a joke. Even in some large organizations it's a joke. But when a major provider is taking credit card transactions for medical services through an IVR with a major call center backend, believe me, encryption at every level is a major discussion.
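As an added example that is not part of any post in this thread: the single-stage versus two-stage mailbox access described above, expressed as Asterisk dialplan, together with a per-mailbox setting that keeps the recorded audio out of the notification e-mail that the VM-to-email discussion earlier in the thread worries about. Extension numbers, context names, mailbox numbers and addresses are assumed.

```ini
; extensions.conf (assumed context name and feature codes)
[from-internal]
; Single-stage access: the phone's caller ID selects the mailbox, so the
; caller is only asked for the password. Anyone who can present that caller
; ID (a reused desk phone, a spoofed CID on a trunk) is halfway in.
exten => *97,1,VoiceMailMain(${CALLERID(num)}@default)
exten => *97,n,Hangup()

; Weakest form: the 's' option skips the password prompt entirely, so the
; caller ID alone opens the box. Avoid this outside a lab.
exten => *96,1,VoiceMailMain(${CALLERID(num)}@default,s)
exten => *96,n,Hangup()

; Two-stage access: no mailbox argument, so VoiceMailMain() prompts for the
; mailbox number and then the password before granting access.
exten => *98,1,VoiceMailMain()
exten => *98,n,Hangup()

; voicemail.conf (assumed mailbox numbers, passwords and addresses)
[general]
; Default for all mailboxes: attach the audio file to the notification mail.
attach=yes

[default]
; mailbox => password,name,email,pager,options
; Box 1001 inherits attach=yes: the recording itself leaves the PBX by SMTP.
1001 => 2468,Front Desk,frontdesk@clinic.example
; Box 1002 overrides it: the doctor gets a "new message" notice by mail but
; must dial in (two-stage) to hear the content.
1002 => 8642,Dr Example,dr@clinic.example,,attach=no
```

The `*97` and `*98` codes give the same user both paths; a practice that wants two-stage authentication simply does not publish the `*97` code and removes the `*96` extension altogether.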
I don't really have to defend whether HIPAA states encrypted RTP is a requirement.....it's not.
We are on the same page. HIPAA does not dictate technical requirements. The health care provider should dictate the technical requirements. These requirements would form the core of their HIPAA compliance on telecom and IS. Security business process is out of the scope of this discussion.
As I said in my first paragraph, it's not common for companies to look at it much...but the big ones (700+ extns) are taking a hard look at encrypted traffic
This is a very accurate statement, glad you cleared that up. I am in the Great Lakes region - Cleveland Clinic, University Health Care Systems, Metro Health and Summa are all in my back yard. Certainly VoIP security is in the center of their radar scopes; however, as I pointed out, I have not seen any encrypted deployments. Voice is typically an overlay of the existing network and PRI gateways are used. This "island" mentality was the initial strategy for deployment. That strategy is now being revisited. I expect to see money start flowing toward these projects in the next 18 months.
Whether or not YOU'VE seen it in your area is irrelevant.
You're exactly right.
A high end VoIP company is going to look for unique angles they can provide to their customer base and sell it to them.
We like to think we are high end however developing that culture within our organization is a daily struggle.
Now that that is all cleared up!
Regards.....Scott
There are a number of legitimate points made in this discussion. Namely that HIPAA doesn't have specific technology guidelines. One step further, there is absolutely no such thing as a "HIPAA compliant" solution. A bunch of ignorant companies have marketed processes, products, and services as "HIPAA compliant." That's usually a clear signal to stay away.
That said, I disagree with revco's notion that Asterisk would be unsuitable for "covered provider" applications due to the lack of SRTP support. First of all, communications systems are explicitly excluded from the HIPAA Security rule (see CMS interpretation at http://tinyurl.com/6dkj7f). The Privacy rule effectively mandates "reasonable and appropriate administrative, technical and physical safeguards". I would argue that a reasonable VLAN, NAC, and network architecture structure wouldn't in any way violate the reasonable standards approach. I've never seen a legal opinion or a hospital compliance officer position that would preclude doing straight RTP.
As an idea of baseline comparison, many of the most widely used electronic medical records systems, such as Meditech, use antiquated and unencrypted protocols, such as straight telnet, to move actual PHI between clients and storage locations. From the perspective of relative risk, it seems more clearly problematic to be able to simply sniff direct PHI than voice communications that may or may not actually involve PHI.
That said, I agree that covered entities don't probably pay as much attention or understand the risks of VoIP as well as they should. I'd certainly advocate ensuring hospitals, physician practices, etc understand the risks of using unencrypted voice streams. That said, I don't think Asterisk should be excluded solely on the basis of not supporting SRTP.
Hopefully all of this will go away when the SIP over TCP and SRTP patches, both actively being developed, are finally mainlined.
Josh
Now that it is February 2010, is the system HIPAA compliant if I don't use the voicemail to email feature, or if I write a program to encrypt it?
Is the use of a SIP trunk compliant?
Please advise
Joel,
Did you read this thread? What specific requirements are you trying to meet?