Is Cisco Webex HIPAA Compliant?
by Aware
HIPAA fines can cost up to $50,000 each and incidents of data leaks are on the rise. That means it’s never been more important for covered entities to review how they handle protected health information in the digital workplace. This is especially true in collaboration tools like Webex by Cisco.
While these tools provide companies with efficient ways to meet and work remotely, the ease with which they transmit information also introduces the risk of data leaks and regulatory noncompliance. This post explores what healthcare organizations need to know to meet their HIPAA obligations while using Webex by Cisco.
Contents:
- What is Webex by Cisco?
- Is Webex HIPAA compliant?
- Best practices for HIPAA compliance
- Does Cisco sign a BAA for Webex users?
- Is Cisco Webex suitable for telehealth?
- What Webex settings should administrators use for HIPAA security?
- 5 ways Webex protects sensitive information
- 5 security concerns when sharing PHI in Webex
- How Aware helps businesses protect PHI in Webex by Cisco
What is Webex by Cisco?
Cisco Webex is a cloud-based platform that offers video conferencing, online meetings, screen sharing, and messaging features. It is designed to enhance productivity and enable seamless collaboration among remote and hybrid teams. Some alternatives to Webex include Slack, Microsoft Teams, and Zoom.
Webex is used by 95% of the Fortune 500 and in industries ranging from government and education to healthcare and finance. As such, Webex contains several features designed to increase information security and protect the data of highly regulated organizations.
Is Webex HIPAA compliant?
HIPAA legislation safeguards protected health information (PHI), and applies to many covered entities—healthcare facilities, health insurance providers, and some government agencies. HIPAA recognizes PHI as uniquely sensitive information that should be stored, transmitted, and accessed according to higher standards than other types of data.
The HIPAA Privacy Rule outlines restrictions before covered entities can disclose a patient’s PHI. The Privacy Rule affirms the patient’s right to access their own health records and restricts how those records are shared.
Webex has comprehensive security features and controls to protect sensitive information, and Cisco has audited these features to ensure compliance with the HIPAA Privacy Rule. However, these features are not automatically enabled.
Healthcare organizations must take additional steps to configure Webex settings to align with HIPAA requirements.
These steps include implementing the safeguards provided by Webex to secure sensitive data, and providing the right training to ensure employees follow HIPAA guidelines when accessing or disclosing PHI. Finally, covered entities must sign a Business Associate Agreement (BAA) with Cisco.
Best practices for HIPAA compliance
Does Cisco sign a BAA for Webex users?
A Business Associate Agreement (BAA) is a contract between a covered entity (e.g., a healthcare provider) and a business associate (e.g., a technology vendor) that governs the use and protection of PHI. Cisco offers a BAA to qualified Webex customers, demonstrating its commitment to safeguarding PHI and complying with HIPAA regulations.
Is Cisco Webex suitable for telehealth?
The same security features that make Webex suitable for use by HIPAA-covered entities also enable users to conduct telehealth appointments through Webex. Webex for Healthcare provides a range of secure collaboration features designed with telehealth in mind.
What Webex settings should administrators use for HIPAA security?
Workplace administrators play a vital role in ensuring their Webex environments remain HIPAA compliant. It is critically important for admins to understand their information security obligations under HIPAA and to enable controls that meet those regulatory requirements. Some examples include:
- Enabling end-to-end encryption
- Enforcing 2-factor authentication (2FA) or multi-factor authentication (MFA)
- Enabling single sign-on (SSO)
These features help administrators limit the visibility of PHI to authorized personnel.
In addition to establishing the necessary safeguards, compliance officers and those who manage compliance data should be proactive about training employees on their obligations under HIPAA and on how best to protect PHI. This covers security measures such as creating strong passwords and changing them regularly, as well as following other infosec best practices.
5 ways Webex protects sensitive information:
- Encryption: Webex employs industry-leading end-to-end encryption for messaging and user-generated content, and Zero Trust end-to-end encryption for Webex meetings. This ensures that communications and stored information, such as meeting recordings, remain secure and confidential.
- Access Controls: Webex offers granular access controls, allowing administrators to define specific user roles, permissions, and authentication methods to prevent unauthorized access to sensitive information.
- Secure Data Centers: Cisco operates highly secure data centers where Webex data is stored. These centers adhere to industry-leading security standards and undergo regular audits and assessments.
- Secure Meeting Features: Webex provides options such as password-protected meetings, waiting room functionality, and security controls to allow moderators to prevent unauthorized participants from joining and ensure meeting site and meeting content privacy.
- Compliance with Industry Standards: Cisco Webex complies with various industry standards and regulations, such as ISO 27001, SOC 2 Type II, SOC 3, and HITRUST.
5 security concerns when sharing PHI in Webex:
- Data Breaches: The number of breach victims reached 422 million in 2022, a threefold increase on the previous year. Cloud-based applications like Webex are particularly exposed to insider threats unless that risk is proactively addressed.
- Compliance Challenges: Webex enables users to sync files and data instantly across multiple devices within the Webex app. Ensuring compliance within this environment is a constant challenge for administrators who must ensure they implement the right controls.
- User Error: Human error, such as accidental sharing of PHI or misconfiguration of security settings, can inadvertently expose sensitive information and lead to HIPAA violations.
- Third-Party Integrations: When using Webex in conjunction with third-party applications or services, organizations must ensure that these integrations also comply with HIPAA regulations and do not compromise the security of PHI.
- Data Retention Policies and Data Disposal: Properly managing the retention period for PHI, and disposing of data from Webex once that period has expired, is crucial to complying with HIPAA regulations. Organizations must have policies and procedures in place to securely delete or archive data when it is no longer needed.
How Aware helps businesses protect PHI in Webex by Cisco
Aware supports HIPAA compliance within Webex Messaging using targeted AI/ML workflows based on industry-leading natural language processing (NLP). Aware’s proprietary NLP identifies PHI within Webex Messaging content in real time and triggers smart automations to notify stakeholders and mitigate the risk.
Modern business happens outside the 9-5, so Aware’s around-the-clock compliance automations ensure HIPAA-covered entities remain compliant 24/7 across the entire Webex Messaging collaboration platform, including in public and private spaces and group and direct messages.
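The detect-then-notify workflow described above, as an added illustration that is not Aware's proprietary NLP or any Webex code: a deliberately simple rule-based scanner that looks for common identifier formats (SSN, MRN, date of birth) in message text, only treats an identifier as PHI when it appears alongside health-context vocabulary, redacts the identifiers before anything is written to an alert, and maps each finding to the automations a compliance team would trigger. The message records, identifier patterns and action names are all constructed for the example.

```python
"""Illustrative rule-based PHI scanner for collaboration messages (added example).

This is a stand-in for an NLP-based detector, not Aware's or Cisco's code. The
patterns are intentionally narrow; a production detector needs far broader
coverage and tuning to avoid both misses and false alarms.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed identifier patterns. Names in brackets are what the redactor emits.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
# Vocabulary that signals a health context. An identifier plus context is the
# strongest signal; health vocabulary on its own is not treated as PHI.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|patient|prescri\w*|lab results?|treatment|surgery)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    message_id: str
    space: str
    identifiers: list
    health_context: bool
    severity: str  # "high" = identifier + health context, "medium" = identifier only


def redact(text: str) -> str:
    """Mask identifiers so an alert never re-transmits the PHI it reports on."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def scan_message(msg: dict) -> Optional[Finding]:
    """Classify one message; return None when nothing reportable is present."""
    text = msg["text"]
    ids = [name for name, pattern in PATTERNS.items() if pattern.search(text)]
    ctx = bool(HEALTH_TERMS.search(text))
    if not ids:
        return None  # health vocabulary alone (e.g. "patient portal is down") is not PHI
    severity = "high" if ctx else "medium"
    return Finding(msg["id"], msg["space"], ids, ctx, severity)


def triage(messages):
    """Scan all messages and return (findings, actions).

    actions is the ordered list of automations to fire, as (action, message_id).
    High-severity findings additionally quarantine the message from the space.
    """
    findings = [f for f in (scan_message(m) for m in messages) if f]
    actions = []
    for f in findings:
        actions.append(("notify_compliance", f.message_id))
        if f.severity == "high":
            actions.append(("quarantine_message", f.message_id))
        actions.append(("coach_sender", f.message_id))
    return findings, actions


# Constructed sample messages in the shape of a messaging export (not real data).
SAMPLE_MESSAGES = [
    {"id": "m1", "space": "Ops", "text": "Hey, can we move the 3pm sync to 4?"},
    {"id": "m2", "space": "Clinic", "text": "Patient John Doe, MRN 00456789, DOB 04/12/1980, "
                                            "diagnosed with type 2 diabetes - please review"},
    {"id": "m3", "space": "HR", "text": "Reminder: my SSN for the HR form is 123-45-6789"},
    {"id": "m4", "space": "IT", "text": "The patient portal is down again, ticket opened"},
]

if __name__ == "__main__":
    found, todo = triage(SAMPLE_MESSAGES)
    for f in found:
        print(f.severity.upper(), f.space, f.message_id, f.identifiers)
    for action, mid in todo:
        # Alerts carry the redacted text only.
        text = next(m["text"] for m in SAMPLE_MESSAGES if m["id"] == mid)
        print(action, mid, "->", redact(text))
```

The two design points worth carrying into any real deployment are the redaction step, so that the compliance alert itself does not become a second copy of the PHI, and the severity split, which keeps a bare identifier in an HR channel from being handled the same way as a full patient record posted to a clinical space.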
With Aware, covered entities can:
- Ensure compliance teams receive real-time notifications whenever sensitive file sharing occurs thanks to AI/ML-enabled monitoring.
- Easily define acceptable use policies and automatically enforce them.
- Provide rule-based enforcement to ensure compliance not only with HIPAA but also with wider frameworks and regulations such as HITRUST and GDPR, and with the requirements of bodies like PCI SSC, FINRA, and the SEC.
- Provide employees coaching in real-time about acceptable use and communications standards.
While Webex provides a range of security features and can be configured to meet HIPAA requirements, it is essential for organizations in HIPAA-regulated industries to assess and implement the necessary settings and controls to ensure compliance. By following cybersecurity best practices, training users, and deploying advanced AI-powered compliance automations from Aware, organizations can leverage the benefits of Webex while protecting sensitive health information.
Learn more about how Aware can secure all your workplace collaboration tools from a single AI-powered platform for unified compliance and security, plus next-generation business insights.