Keeping VoIP Compliant with Strict Legislation

Suggesting VoIP solutions to companies within healthcare, finance, government, and retail is tricky. Businesses and organizations operating within these verticals are under high levels of legal scrutiny because they frequently transmit sensitive customer and patient data. In order to comply with legislation, they need a hosted voice system that uses strong cryptography and security, such as SSL/TLS or IPsec, to protect data during transmission over public networks and while at rest.

Without having these protective measures in place, these businesses run the risk of having sensitive
information stolen through call interception and eavesdropping. As a result, they’re more vulnerable to being slapped with compliance violations that can cause them thousands to millions of dollars in fines. For instance, the least significant penalty dealt out for a HIPAA violation is $100 per record, with an annual maximum of $25,000 for repeat violations, according to the American Medical Association.VoIP solutions for Vertical Markets

Protect your customers from losing money to avoidable fines, and damaging their reputations in the eyes of the public. Educate them on the security risks and compliance issues surrounding VoIP, and match them with the right carriers that suit their needs. Follow this per-vertical breakdown of compliance configurations, and sell your customers the VoIP systems they need to be compliant.


Healthcare is one of the most heavily regulated industries, especially when it comes to the handling of patient records. Because of this, VoIP systems must comply with The Health Insurance Portability and Accountability Act (HIPAA) guidelines. In order to comply, HIPAA requires the solution must:

  • Ensure the confidentiality, integrity, and availability of electronic protected health information.
  • Protect against reasonably anticipated threats and hazards.
  • Prevent unauthorized uses or disclosures of electronic protected health information.

When selecting a compliant VoIP system for your customers, keep in mind that HIPAA is looking for all of the following:

  • Encryption – All data must be encrypted, in motion and at rest.
  • Access Controls – Must be in place so different categories of users can use the system.
  • Audit Logs – There must be logs of all call data.
  • Unique User IDs – Phones must be authenticated with certificates which gives them unique user IDs.
  • Business Associate Agreements (BAA) – A HIPAA-approved BAA must be offered by the service provider if it is a cloud-based VoIP system.


Since organizations within the finance industry are frequent targets of cyberattacks, government organizations have cracked down on the handling and transmission of electronic financial data. The Gramm-Leach-Bliley Act (GLBA) is in charge of this, requiring risks associated with solutions like VoIP to be evaluated as part of a financial institution’s periodic risk assessment.

Financial institutions must:

  • Ensure the security and confidentiality of customer data.
  • Protect against any reasonably anticipated threats or hazards to security or data integrity.
  • Protect against unauthorized access to, or use of, data that would result in substantial harm or inconvenience to any customer.

In order for a VoIP system to comply with the above, the IT Examination Handbook on Information Security recommends financial institutions should employ encryption to mitigate risks of disclosure or alteration of sensitive data. These encryption implementations should include:

  • Encryption strength that is reliable enough to protect information from disclosure.
  • Effective key management practices.
  • Sufficient protection of the encrypted communication’s endpoints.


Organizations within the government hold more sensitive data than any, hence why the Federal Information Security Management Act (FISMA) was created in 2002. Specifically, this legislation defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.

For a VoIP system to be FISMA compliant, the National Institute of Standards and Technology (NIST) recommends consideration of the following in its Security Considerations for Voice Over IP Systems document:

  • Development of appropriate network architecture.
  • Proper deployment of physical controls, like barriers, locks, access control systems, and guards.
  • Employment of VoIP-ready firewalls and other appropriate protection mechanisms.
  • Removal of “softphone” systems where security and privacy are concerned.
  • Implementation of WiFi Protected Access when implementing mobile phones.


According to The Nilson Report 2015, global card fraud losses will exceed $35 billion in 2020. Because these costs continue to increase, the Payment Card Industry Data Security Standard (PCI DSS) acts to ensure retail organizations increase controls around cardholder data to reduce credit card fraud.

PCI DSS is unique in the fact that it was written with only data networks in mind. However, due to the widespread adoption of VoIP technology and mobile IP devices like smartphones, its security regulations now apply to VoIP networks. This is because VoIP systems can transmit payment card information, completing transactions quicker than traditional POS devices and significantly reducing wait times.

If a retail business wants to take advantage of VoIP card processing, they must do the following to remain compliant with PCI DSS.

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Encrypt transmission of cardholder data across an open, public network.
  • Restrict access to cardholder data by business need to know.
  • Assign unique ID to each person with computer access.
  • Track and monitor all access to network resources and cardholder data.

Finding the Right Solution

TBI works with a some of the best VoIP carriers on the market, including 8x8, RingCentral, Mitel, Verizon, West, Arkadin, Masergy, and Fuze. Whether you’re looking for strong cryptography to help your customers protect data in motion and at rest or you need sufficient protection for encrypted endpoints, each of these industry-leading vendors offer solutions that will help you clients stay compliant.

As your customers’ trusted consultant, it’s up to you to ensure they’re working with the right vendors with the most compliant VoIP systems. Start the conversation with our channel managers to learn more about these solutions, and safeguard your customers from damaging their reputations and losing money to avoidable fines.

For more information on selling to specific verticals, check out our Network Planning Considerations for 5 Verticals blog.


About the Author
Adam Dawson is TBI’s Marketing Communications Manager. As the organization’s wordsmith, he is responsible for creating engaging content and carrying out internal and external communications programs. This includes circulating information to TBI’s agent partners, educating them on hot topics in the industry, and guiding them to the best provider products and solutions for their portfolios. You can reach Adam at or connect with him on LinkedIn.