Is Cisco Webex HIPAA Compliant?
by Aware
HIPAA fines can cost up to $50,000 each and incidents of data leaks are on the rise. That means it’s never been more important for covered entities to review how they handle protected health information in the digital workplace. This is especially true in collaboration tools like Webex by Cisco.
While these tools provide companies with efficient ways to meet and work remotely, the ease with which they transmit information also introduces the risk of data leaks and regulatory noncompliance. This post explores what healthcare organizations need to know to meet their HIPAA obligations while using Webex by Cisco.
Contents:
- What is Webex by Cisco?
- What is HIPAA?
- Is Webex HIPAA Compliant?
- Does Cisco sign a BAA for Webex users?
- Is Cisco Webex Suitable for Telehealth?
- 5 Ways Webex Protects Sensitive Information
- What Webex Settings Should Administrators Use for HIPAA Security?
- 5 Security Concerns When Sharing PHI in Webex
- How Aware Helps Businesses Protect PHI in Webex by Cisco
What is Webex by Cisco?
Cisco Webex is a cloud-based platform that offers video conferencing, online meetings, screen sharing, and messaging features. It is designed to enhance productivity and enable seamless collaboration among remote and hybrid teams. Some alternatives to Webex include Slack, Microsoft Teams, and Zoom.
Webex is used by 95% of the Fortune 500 and in industries ranging from government and education to healthcare and finance. As such, Webex contains several features designed to increase information security and protect the data of highly regulated organizations.
What is HIPAA?
HIPAA legislation sets provisions for safeguarding protected health information (PHI). It applies to a wide range of covered entities, including healthcare facilities, health insurance providers, and some government agencies. HIPAA recognizes that PHI is uniquely sensitive information and should be stored, transmitted, and accessed according to higher standards than other types of data.
Sharing of PHI is covered under the HIPAA Privacy Rule, which outlines the restrictions required before covered entities can disclose an individual’s PHI. The Privacy Rule affirms the patient’s right to access their own health records and restrict how those records are shared.
Is Webex HIPAA Compliant?
Cisco Webex has implemented a comprehensive set of security features and controls to protect sensitive information and has conducted a HIPAA audit to confirm its offerings comply with the standards of the HIPAA Security Rule. However, out of the box, Webex does not come with HIPAA compliance enabled. Organizations in the healthcare industry must take additional steps to configure and use Webex in a manner that aligns with HIPAA requirements.
These steps include implementing the safeguards provided by Webex to secure sensitive data, and providing the right training to ensure employees follow HIPAA guidelines when accessing or disclosing PHI. Finally, covered entities must sign a Business Associate Agreement (BAA) with Cisco.

Does Cisco sign a BAA for Webex users?
A Business Associate Agreement (BAA) is a contract between a covered entity (e.g., a healthcare provider) and a business associate (e.g., a technology vendor) that governs the use and protection of PHI. Cisco offers BAAs for qualified Webex users, demonstrating its commitment to safeguarding PHI and complying with HIPAA regulations.
Is Cisco Webex Suitable for Telehealth?
The same security features that make Webex suitable for use by HIPAA-covered entities also enable users to conduct telehealth appointments through Webex. Webex for Healthcare provides a range of secure collaboration features designed with telehealth in mind.
5 Ways Webex Protects Sensitive Information:
- Encryption: Webex employs industry-leading end-to-end encryption for messaging and user-generated content, and Zero Trust end-to-end encryption for Webex meetings. This ensures that communications and stored information remain secure and confidential.
- Access Controls: Webex offers granular access controls, allowing administrators to define user roles, permissions, and authentication methods to prevent unauthorized access to sensitive information.
- Secure Data Centers: Cisco operates highly secure data centers where Webex data is stored. These centers adhere to industry-leading security standards and undergo regular audits and assessments.
- Secure Meeting Features: Webex provides options such as password-protected meetings, waiting room functionality, and security controls to prevent unauthorized participants from joining and ensure meeting privacy.
- Compliance with Industry Standards: Cisco Webex complies with various industry standards and regulations, such as ISO 27001, SOC 2 Type II, SOC 3, and HITRUST.
What Webex Settings Should Administrators Use for HIPAA Security?
Workplace administrators play a vital role in ensuring their Webex environments remain HIPAA compliant. It is critically important for admins to understand their information security obligations under HIPAA and enable controls that meet regulatory requirements. Examples include enabling end-to-end encryption and enforcing 2-factor authentication (2FA), multi-factor authentication (MFA), or single sign-on (SSO) to limit the visibility of PHI to authorized personnel.
In addition to establishing necessary safeguards, administrators should also be proactive about training employees on their obligations under HIPAA and how best to protect PHI. This involves security measures such as creating strong passwords, changing them regularly, and following other infosec best practices.
5 Security Concerns When Sharing PHI in Webex:
- Data Breaches: The number of breach victims reached 422 million in 2022, a threefold increase on the previous year. Cloud-based applications like Webex are particularly vulnerable to insider threats unless those threats are proactively addressed.
- Compliance Challenges: Webex enables users to sync files and data instantly across multiple devices. Maintaining compliance within this environment is a constant challenge for administrators, who must implement the right controls.
- User Error: Human error, such as accidental sharing of PHI or misconfiguration of security settings, can inadvertently expose sensitive information and lead to HIPAA violations.
- Third-Party Integrations: When using Webex in conjunction with other third-party applications or services, organizations must ensure that these integrations also comply with HIPAA regulations and do not compromise the security of PHI.
- Data Retention and Disposal: Properly managing the retention and disposal of PHI stored in Webex is crucial to comply with HIPAA regulations. Organizations must have policies and procedures in place to securely delete or archive data when it is no longer needed.
How Aware Helps Businesses Protect PHI in Webex by Cisco
Aware supports HIPAA compliance within Webex Messaging using targeted AI/ML workflows based on industry-leading natural language processing (NLP). Aware’s proprietary NLP identifies PHI within Webex Messaging content in real time and triggers smart automations to notify stakeholders and mitigate the risk.
Modern business happens outside the 9-5, so Aware’s around-the-clock compliance automations ensure HIPAA-covered entities remain compliant 24/7 across the entire Webex Messaging collaboration platform, including in public and private spaces and group and direct messages.
Conclusion:
While Cisco Webex provides a range of security features and can be configured to meet HIPAA requirements, it is essential for organizations in HIPAA-regulated industries to assess and implement the necessary settings and controls to ensure compliance. By following cybersecurity best practices, training users, and deploying advanced AI-powered compliance automations from Aware, organizations can leverage the benefits of Webex while protecting sensitive health information.
Learn more about how Aware can secure all your workplace collaboration tools from a single AI-powered platform for unified compliance and security, plus next-generation business insights.