Where HIPAA, PCI, and SOX Meet Cloud Communications Security
It turns out that if your cloud communications provider is not HIPAA, PCI, and SOX compliant, then if these regulations apply to you, chances are that you are not compliant either.
With the ever-increasing regulation and concern around healthcare, finance, and credit card information security, I recently had the good fortune of speaking with a few individuals who pointed out how communications systems are right on the forefront of some of these security issues. The context of our discussion was cloud communications security and whether security is a forethought or an afterthought for CIOs considering cloud communications.
One of the key issues revolves around persistent data: data at rest and data in motion that "persists", that is, stays around after the call, message or fax has been delivered.
For a communications solution, data at rest would include stored voice messages or e-Faxes. Under these regulations such data must be protected, which in practice means encrypted, or you are not in compliance. (HIPAA classifies encryption as an "addressable" safeguard, so a covered entity that chooses not to encrypt must document an equivalent alternative; PCI DSS requires stored card numbers to be rendered unreadable.) Furthermore, if these voice messages or faxes are forwarded somewhere by email, then as "data in motion" they must also be encrypted. Several million people now handle medical records daily, and HIPAA carries criminal penalties, including imprisonment, for knowingly obtaining or disclosing protected health information in violation of its rules.
Where Sarbanes-Oxley meets communications data security is primarily in the sets of controls surrounding who has access to data. A cloud communications solution provider would hold names and phone numbers for executives or traders in a customer organization offering financial services. If the cloud provider offered email service as well, it would also have sensitive emails on its cloud-based storage systems. SOX controls, among other things, ensure that only those who are authorized have access to these types of data.
A primary concern for a cloud communications provider is having controls in place that immediately revoke access to this kind of information when an employee leaves the company; a provider usually demonstrates such controls to its customers' auditors with an independent SOC 1 report. Again, if your cloud solution provider is not SOX compliant, chances are that your organization is not either.
I understand the HIPAA compliance and the SOX compliance requirements for a cloud provider, but I thought PCI compliance for a cloud-based communications provider was a bit of a stretch. PCI compliance focuses on credit card security and avoiding data breaches like those we've heard about recently from companies like Target. But does a cloud communications provider need to be PCI compliant? Apparently they need to consider it if any credit card data passes through their systems.
For example, if a customer of a cloud communications provider accepts credit cards, then that customer's own customers might leave voicemails, emails or faxes containing card numbers. Such data are again data at rest and data in motion; they must be encrypted and handled properly for the provider's customer to be PCI compliant. PCI DSS additionally forbids retaining sensitive authentication data, such as the three- or four-digit card verification code, after authorization, so a stored voicemail in which a caller reads out that code has to be purged or redacted rather than merely encrypted. Thus, if the cloud provider is not PCI compliant themselves, the provider's customers may not be PCI compliant either and would be exposed to fines and the costs associated with a card data breach.
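One practical way to keep card numbers out of stored voicemail transcripts and fax OCR text is to find and mask them before the message is written to storage. The following is an added example, not code from the original post or from any provider mentioned in it: it scans runs of digits for 13- to 19-digit numbers that pass the Luhn checksum every primary account number (PAN) satisfies, preferring the longest valid window so that a card number directly followed by another number is still recognized, and masks all but the last four digits. The sample transcript is constructed for the example and uses the publicly documented Visa and Mastercard test numbers; the function and constant names are the example's own.

```python
import re

# PCI DSS treats a primary account number (PAN) as cardholder data wherever it
# is stored. This example finds PANs in the transcript of a voicemail or the
# OCR text of a fax and masks them before the message is written to storage.
# (Added example; names and sample data are the example's own, not a vendor's.)

MIN_PAN_DIGITS, MAX_PAN_DIGITS = 13, 19   # PAN lengths in common use

# A maximal run of digits in which neighbouring digits may be separated by a
# single space or dash, as in "4111 1111 1111 1111" or "4111-1111-1111-1111".
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that every PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and fold a two-digit result back to one
        total += d
    return total % 10 == 0


def _pan_windows(run: str):
    """Yield (digit positions, digits) for each Luhn-valid window of 13-19 digits
    in a digit run. Scanning is left to right and longest-first, so a 16-digit
    PAN followed by a phone number is found as the PAN, not as a longer invalid
    run or a shorter Luhn-valid substring."""
    pos = [i for i, ch in enumerate(run) if ch.isdigit()]
    i = 0
    while i < len(pos):
        for n in range(MAX_PAN_DIGITS, MIN_PAN_DIGITS - 1, -1):
            if i + n > len(pos):
                continue
            window = pos[i:i + n]
            digits = "".join(run[p] for p in window)
            if luhn_ok(digits):
                yield window, digits
                i += n
                break
        else:
            i += 1                            # no valid window starts here


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text as a plain digit string."""
    return [digits
            for m in _DIGIT_RUN.finditer(text)
            for _, digits in _pan_windows(m.group(0))]


def redact_pans(text: str) -> str:
    """Mask every PAN in text, keeping only its last four digits and any separators."""
    def _mask_run(m: re.Match) -> str:
        run = list(m.group(0))
        for window, _ in _pan_windows(m.group(0)):
            for p in window[:-4]:
                run[p] = "*"
        return "".join(run)
    return _DIGIT_RUN.sub(_mask_run, text)


# Constructed sample transcript (not real data). The order number and phone
# number are there to show that ordinary digit strings are left alone.
SAMPLE_VOICEMAIL = (
    "Hi, this is Pat calling about order 1234567890123. "
    "Go ahead and charge my card, it's 4111 1111 1111 1111, "
    "or the backup card 5555-5555-5555-4444. Call me back at 555-123-4567."
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_VOICEMAIL))
    print(redact_pans(SAMPLE_VOICEMAIL))
```

Redaction of this kind reduces what a PCI assessor has to treat as stored cardholder data, but it is not a substitute for encrypting the message store, and it cannot reliably spot a spoken card verification code, which is why voicemails that may contain one still need a retention and purge rule.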
The discussion on cloud-provider security took place while I was preparing for a very interesting webinar on Wednesday, July 30, in which I will be discussing security with cloud communications provider 8x8, hosted by No Jitter and Enterprise Connect. To learn more, sign up for this webinar.