Often, your clients will discuss sensitive information using video conferencing. A security breach is bad news for them and bad news for you!
When a Canadian political party had their videoconferencing hacked in 2016, it was a wake-up call. The hacker eavesdropped on a video conference, then contacted a news organisation with proof and a story.
No actual harm was done in this instance, but it does highlight the need for security protocols.
Helping your users understand vulnerabilities related to video conferencing will be an increasingly important job function, and that makes a strong video conferencing security policy a high priority.
Here are some key concepts to keep in mind as you help clients in this area:
A Starting Point for Video Conferencing Security
Two services provide a level of safety and peace of mind for your clients and foster that sense of well-being:
· System audit services – video conferencing systems don't age well. There is a certain amount of maintenance you can recommend, certainly. But old systems eventually need to be replaced. If you are offering AVaaS, these audits and upgrades can be a standard part of service provided.
· Provide a domain-based approach – Domain-based security enables the system administrator to control access to video conferences through various levels of permission. Without the permissions, access to the conference will be denied.
This is one of many systems that can be put in place to thwart potential security breaches.
Further Best Practices
Beyond the audit and the domain-based approach, there are a number of other best practices for helping clients develop an excellent video conferencing security policy:
· Establish a BYOD (bring your own device) policy – Chris Kelly writes, "Allowing employees to use their own devices for work can have a significant improvement on employee productivity and happiness as well as posing a significant competitive advantage, but there are security considerations that organizations must take into account".
"If there is no strict policy in place with regards to employees using their own personal devices then your company’s security could be at risk from unsecure networks, lost devices, forgotten or even complete lack of secure passwords."
Help clients navigate a comprehensive policy to guard against attacks via employee-owned devices.
· Staff training – the key to any video conferencing security policy is proper training. A system of security protocols and device update protocols should be established and enforced.
Since this is your core business and not necessarily top of mind for most employees, consider a system of reminders and training sessions as part of your service package.
HIPAA Compliant Video Conferencing
In the healthcare industry, staying compliant with HIPAA regulations is something you need to understand.
Compliant services provide patients with the same level of privacy and confidentiality required for in-person visits. These standards also pertain to storage and dissemination of video materials.
A HIPAA compliant video conferencing security policy is a must if you are serving the health care community.
Best practices for HIPAA compliant video conferencing include:
1. Use encryption and other security precautions such as authentication, access auditing and reporting, well-defined per-user access controls, etc.
2. Secure prior approval for video transmissions. A video service provider cannot store video transmissions without explicit approval of the client.
3. Sign a business associate agreement (BAA). When a technology provider offers a service to a healthcare organization, it becomes a business associate as defined by HIPAA.
HIPAA requires contracts between healthcare providers and business associates so that all PHI and ePHI are safeguarded appropriately.
Whatever sector you are serving, a comprehensive video conferencing security policy is not something to compromise on.
Often users are not aware of the need. With input and direction from you, your systems will be more secure and staff will be better educated, and security breaches can be prepared for and avoided.