Healthcare Technology Featured Article

September 29, 2014

Is Your Communications Provider Ignoring the Elephants in the Room? 10 Questions to Ask

A herd of elephants is living in the boardrooms of many businesses. They go by the names “Regulatory Compliance,” “Security,” and “Reliability,” and you ignore them at your own peril. Lots of business VoIP providers, unified communications vendors, and even hosted call center software providers want you to join them in ignoring the pesky pachyderms.

While every company has different needs, here are some good “conversation starters” to ask providers of business phone systems, unified communications and call center software.

1. Can you recommend particular configurations of our system to help us comply?

Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they’re more likely to have a compliance officer who can explain how their services are set up to facilitate compliance.

2. Are you a HIPAA-compliant business associate? If so, can you put it in writing?

Many business VoIP service providers aren’t, and doing business with them could jeopardize your compliance if you use their services. Very few providers of unified communications and call center software offer such agreements.

3. What has your communications company done to ensure compliance?

For telecommunications providers, compliance is an extensive, ongoing process. First, they must they make sure their company complies. And in many cases, they need to verify that their own chain of third parties is also compliant with the latest HIPAA business associate and other regulatory requirements, and they need to have signed Business Associate and other agreements to show they are a compliant business VoIP service.

4. Do you have a dedicated security and compliance officer?

It is still fairly rare for business VoIP service providers or call center software vendors to have such a position, and rarer still that the person in the position has been given authority to make significant changes to achieve new levels of compliance.

5. Which security and compliance metrics do you support?

Providers should meet all applicable HIPAA, FIPS, and FISMA compliance specifications. While it is rare to support all three, at least one well known VoIP provider provides optional FISMA (moderate) and FIPS-2 (level 2) data-in-motion and data-at-rest encryption.

6. Has your compliance been assessed by objective experts?

If so, who did the assessment? Look for actual third-party verification by respected experts, so that you don’t jeopardize your own company’s compliance. Salespeople are often confused about the new rules themselves, and could mislead you, so you should ask for independent confirmation.

7. What reliability level can you support?

To be safe, ask for at least “four nines.” This means that the company meets a standard of 99.99% uptime. This is an especially important question to ask call center software providers, since contact centers often need to be available even in emergencies. And of course, the last thing you need is for your business phone service to go down.

8. What kind of failover capabilities does your service provide?

It is a good practice to have failover between multiple datacenters. In the event of an issue with the data center, phones could automatically and seamlessly fail over to the next closest data center. It’s also a good idea to ask where, roughly, the data centers are located. In this regard, diversity is good. The more widely dispersed the data centers, the lower the odds that any natural disaster or outage would affect them all.

9. What methods does your service provider offer for business continuity?

When natural disasters or outages strike, you want to be able to keep going, so look for service with multiple ways to stay connected. Ideally, calls can be forwarded to cell phones or other sites, and can be moved by transporting your IP phone to any other site with an Internet connection. Also, is there a mobile app so that employees can use their business phone service on their smartphones?

10. What kind of customer references can you provide? And what do they say about your ability and willingness to work with any special needs your organization has?

If a provider’s references won’t talk about the provider’s ability to provide security, reliability and compliance, that’s almost as big a red flag as unwillingness to address the issue. Check to see if the provider’s clientele includes air ambulance services, airports, insurance companies, call center software customers and legal firms, since these companies typically pick only services that meet their extremely high standards.  They’re also the kinds of firms that need their business VoIP service to stay up and running even in the event of local or regional emergencies.

And above all, don’t talk to providers who can’t see the elephant herd in the room.

Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US business VoIPproviders. Prior to this, Mike was a business leader with Visa, Global Information Security and Compliance. In addition, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. A frequent Information security speaker and a three-term IT Services Management Foundation President, he also sits on the Board of Directors of the Silicon Valley ISSA, and is active in ISACA, FBI/DHS InfraGard, US Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.


Edited by Maurice Nagle
By TMCnet Special Guest
Mike McAlpen, Executive Director of Security and Compliance at 8x8 ,

FREE eNewsletter

Click here to receive your targeted Healthcare Technology Community eNewsletter.
[Subscribe Now]

UMA is a revolutionary marketplace that connects patients and doctors -- without the hassle of insurance. UMA connects patients to doctors conveniently and efficiently. Learn More >>