WebEx and HIPAA Compliance
WebEx is web and video conferencing and collaboration software that allows businesses to link up with remote workers and partners as if they were in the same room.
With software like WebEx, healthcare groups can communicate quickly and easily with the workforce, no matter where employees are based. Regional operational meetings can be conducted, medical education can happen online, and healthcare workers can be trained on new processes and procedures. These platforms could also be used for communicating with patients.
However, before any collaboration tools can be implemented in connection with protected health information (PHI), healthcare groups must be certain that the tools support HIPAA compliance. So how does WebEx fare on this? Is WebEx HIPAA compliant or should the platform be avoided by HIPAA-covered groups?
Cisco has put in place a range of security controls to ensure all communications take place securely and data cannot be intercepted. Any data sent from a WebEx application to the WebEx cloud travels through an encrypted channel that supports the TLS 1.0, 1.1 and 1.2 protocols and uses high-strength ciphers including AES-256. Media packets are encrypted using AES-128. There is also the option of end-to-end encryption, which, if implemented, means Cisco will not decrypt any media streams.
All media streams can be saved for future reference and meet HIPAA audit requirements. Data is also encrypted at rest, and audio, video, and data streams are held separately.
Administrators can set up the platform to provide the desired level of security, including rate limiting on login attempts, automatic deactivation of accounts following a defined period of inactivity, enforced password policies, 2-factor authentication, and strict access controls that govern who can log on to the platform.
Cisco also supplies full documentation on functionality, technology, and security to help healthcare groups with their risk assessments.
Cisco will also complete a business associate agreement with HIPAA-covered groups and their business associates.
WebEx includes administrative and technical security measures that adhere to HIPAA requirements; however, it is up to covered groups to ensure the platform is configured properly and that it is used in a manner compliant with HIPAA Rules.
Once this is the case, and a business associate agreement has been completed with Cisco covering the use of WebEx for Healthcare, WebEx is HIPAA compliant and can be used by healthcare groups.