Is Webex HIPAA Compliant?

Is Webex HIPAA compliant? Is the online meeting and web conferencing platform suitable for use by healthcare organizations, or should the service be avoided? In this post, we assess the security controls and features of the platform and determine whether use of Webex could be considered a HIPAA violation.

What is Webex?

Webex by Cisco is a web and video conferencing and collaboration platform that helps businesses connect with remote workers and partners as if they are in the same room.

With tools such as Webex, healthcare organizations can communicate quickly and easily with the workforce, no matter where employees are located. Regional operational meetings can be conducted, medical education can take place online, and healthcare employees can be trained on new processes and procedures. These platforms can also potentially be used for communicating with patients.

However, before any collaboration tools can be used in connection with protected health information (PHI), healthcare organizations must be certain that the tools support HIPAA compliance. So how does Webex fare in this regard? Is Webex HIPAA compliant or should the platform be avoided by HIPAA-covered entities?

Webex Security

Cisco has implemented a host of security controls to ensure all communications take place securely and information cannot be intercepted. Any information sent from a Webex application to the Webex cloud travels through an encrypted channel that supports the TLS 1.0, 1.1 and 1.2 protocols and uses high-strength ciphers such as AES-256. Media packets are encrypted using AES-128. There is also the option of end-to-end encryption which, if applied, means Cisco will not decrypt any media streams.

All media streams can be recorded for future reference and to meet HIPAA audit requirements. Data is also protected at rest with encryption, and audio, video, and data streams are stored separately.

Administrators can configure the platform to provide the desired level of security, including rate limiting on login attempts, automatic deactivation of accounts after a defined period of inactivity, enforced password policies, 2-factor authentication, and strict access controls that determine who has access to the platform.

Cisco also provides full documentation on functionality, technology, and security to help healthcare organizations with their risk assessments.

Cisco will also sign a business associate agreement with HIPAA-covered entities and their business associates.

Is Webex HIPAA Compliant?

Webex incorporates administrative and technical safeguards that meet HIPAA requirements; however, it is up to covered entities to ensure the platform is configured correctly and that it is used in a manner compliant with HIPAA Rules.

Provided that is the case, and a business associate agreement has been entered into with Cisco covering the use of Webex for Healthcare, Webex can be considered a HIPAA-compliant solution and can be used by healthcare organizations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.