How to ensure that VoIP technologies aren't the weakest security link


Data security is a top concern for all organizations, but do you know how safe your professional communications are?

For many organizations, including those in the healthcare space, this extends far beyond email encryption, which really represents only the first rung on the security ladder. As organizations use more Internet-based communication technologies—such as voice messaging, video conferencing and Voice over Internet Protocol (VoIP)-based file transfers—security practices must extend to these as well.

As more organizations make the shift to VoIP as their primary communication tool, there are some unanswered questions about data security.

To understand where the gaps in VoIP communications exist, it helps to understand why so many organizations are making the switch. In essence, businesses are leaving behind plain old telephone systems (POTS) for VoIP because it’s a single multimodal tool that enables video and voice calls as well as file transfers, with an unbeatable uptime rating. Moving to VoIP is also part of an overall migration to the cloud, a process that brings with it convenience—and security concerns.

Organizations need a strong security-oriented migration strategy for communications, and that means choosing the right VoIP provider and understanding the mechanisms behind this mode of communication. IT professionals should also get training to mitigate major VoIP risks, such as phreaking, eavesdropping and DoS attacks.

In choosing the optimal VoIP provider for an organization, several key factors are involved. These include scalability and quality of calling, to be sure, but many VoIP companies can provide those features. Security is a tougher requirement.

One way to improve VoIP security, then, is by choosing an on-premise system rather than a hosted one, because this ensures that a VoIP system is behind business-approved firewalls and increases the available degree of security customization. On the other hand, with an onsite VoIP, if there’s a security breach, everything is right there, vulnerable to hackers.

An alternative to onsite VoIP for security is to choose a business VoIP with long-tail organization. Long-tail VoIP offers multi-level security, making it more difficult for system threats to break through. In comparison, short-tail systems only cover the sure risks—the threats that will absolutely impact an organization if systems are left unprotected. Long-tail covers a provider organization for “needle-in-a-haystack” situations, and that’s crucial in protecting critical patient information in the healthcare space.

Finally, even if an organization contracts with a great VoIP provider with high-level security, the only way to fully protect sensitive data is by understanding who or what is seeking to surreptitiously access that information. With VoIP systems, one of the leading risks is eavesdropping.

Eavesdropping via VoIP is exactly what it sounds like—hackers listen in on voice or video calls or tap into messaging systems to collect information. It’s a common problem because most VoIP systems aren’t encrypted, and that’s something every organization should look into correcting. Discuss encryption with potential providers; if a healthcare organization can’t add it, or if the provider doesn’t offer it as an option, then a serious security risk will remain open.
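One way to check whether calls are actually negotiated with encrypted media, shown as an added example that is not part of the original article. It assumes the system uses SIP with SDP session descriptions, which the article does not specify; the sample offer is constructed and the function names are hypothetical.

```python
# Added example: audit the media lines of an SDP body for encryption.
# Assumes SIP/SDP signaling; SAMPLE_OFFER is constructed, keys are placeholders.
SAMPLE_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed-sample
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
m=video 49172 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER
m=audio 49174 UDP/TLS/RTP/SAVPF 111
a=fingerprint:sha-256 PLACEHOLDER
m=audio 49176 RTP/SAVP 0
"""

def classify(proto, has_crypto, has_fp):
    """Map a media line's transport profile and key attributes to a verdict."""
    proto = proto.upper()
    if "SAVP" in proto:                       # secure RTP profiles
        if proto.startswith("UDP/TLS/"):
            return "dtls-srtp" if has_fp else "misconfigured"
        if has_crypto:
            return "sdes-srtp"                # key travels in SDP: signaling needs TLS
        return "dtls-srtp" if has_fp else "misconfigured"  # no key material offered
    if proto in ("RTP/AVP", "RTP/AVPF"):      # plain RTP profiles
        return "opportunistic-srtp" if (has_crypto or has_fp) else "cleartext"
    return "unknown"

def audit_sdp(sdp):
    """Return (media, port, verdict) for every m= line in the SDP body."""
    session, streams = {"crypto": False, "fp": False}, []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port.split("/")[0]),
                            "proto": proto, "crypto": False, "fp": False})
            continue
        scope = streams[-1] if streams else session   # media- or session-level
        if line.startswith("a=crypto:"):
            scope["crypto"] = True
        elif line.startswith("a=fingerprint:"):
            scope["fp"] = True
    return [(s["media"], s["port"],
             classify(s["proto"], s["crypto"], s["fp"] or session["fp"]))
            for s in streams]

if __name__ == "__main__":
    for media, port, verdict in audit_sdp(SAMPLE_OFFER):
        print(f"{media:5} {port:5} {verdict}")
```

Any stream reported as `cleartext` carries audio or video that can be read by anyone on the network path, which is the question to raise with the provider.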

Another security issue facing VoIP is internal system exploits. Most VoIP systems run off cell phones or tablets for enhanced mobility, and device apps are vulnerable to open ports, which are essentially unsecured data flow points that can be exploited as a security weakness. They can also be used to spoof caller ID and fraudulently collect sensitive information under the cover of a known entity.

Ultimately, the very flexibility that makes VoIP systems so appealing also makes these types of communication systems vulnerable; organizations that adopt VoIP as a communications standard need to consider implementing additional security practices to keep business data secure. Think of it as similar to a BYOD policy—what an organization gains in convenience it may lose in security, but professional guidance can help bridge that gap.
