A herd of elephants is living in many boardrooms. They go by names like “Regulatory Compliance,” “Security,” and “Reliability,” and you can’t afford to ignore them. Lots of unified communications and business VoIP providers want you to join them in turning a blind eye to the pesky pachyderms. Here’s how to handle the herd.
How Secure, Compliant and Reliable Is Your Business VoIP Provider?
It’s often difficult to know exactly how to separate the real deal from the pretenders when it comes to the security, reliability and compliance of your unified communications or business VoIP provider. What should you ask to distinguish a helpful provider from those that would rather avoid the issue?
10 Questions for Your Business VoIP Provider
While every company has different needs, here are some good “conversation starters” to ask providers of business VoIP and other unified communications services. Vendors who give quick, simple, verifiable answers to these questions are more likely to be trustworthy when it comes to HIPAA and other compliance requirements than those who try to change the subject, give overly complex answers or simply say they’ll “get back to you” and don’t immediately follow up.
1. Can you recommend particular configurations of our unified communications to help us comply with HIPAA and other requirements? Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they’re more likely to have a compliance officer who can explain how their services are set up to facilitate compliance.
2. Are you a HIPAA-compliant business associate? If so, can you put it in writing? Many providers of business VoIP and unified communications aren’t compliant, and doing business with them could jeopardize your compliance if you use their services. And for HIPAA, it’s important to ask for a Business Associate Agreement (BAA), and avoid vendors who won’t put it in writing. Otherwise, you won’t be able to show that all of your service providers comply, which puts your own compliance at risk. (While some business VoIP providers provide so-called “conduit service” without signing a BAA, most experts say that customers of such a service are probably still risking their compliance.)
3. What has your business VoIP provider done to ensure compliance? For most unified communications providers, HIPAA compliance is an extensive, ongoing process. First, they must make sure their own company complies. And in many cases, they need to verify that their own chain of third parties is also compliant with the latest HIPAA business associate and other regulatory requirements. Finally, they need to have signed Business Associate and other agreements to show they are a compliant business VoIP provider or unified communications service.
4. Do you have a dedicated security and compliance officer? It is still fairly rare for business VoIP companies to have such a position, and rarer still that the person in the position has been given enough authority to make significant changes to achieve new levels of compliance.
5. Which security and compliance metrics do you support? Business VoIP providers should meet all applicable HIPAA, FIPS, and FISMA compliance specifications. While it is rare to support all three, at least one unified communications vendor does: 8x8 provides optional FISMA (moderate) and FIPS-2 (level 2) data-in-motion and data-at-rest encryption, is fully HIPAA compliant, and offers BAAs.
6. Has your compliance been assessed by objective experts? If so, who did the assessment? Look for actual third-party verification by respected experts, so that you don’t jeopardize your own company’s compliance. Business VoIP salespeople are often confused about the new rules themselves, and could mislead you, so you should ask for independent confirmation.
7. What reliability level can you support? To be safe, ask for at least “four nines.” This means that the unified communications or business VoIP service meets a standard of 99.99% uptime. After all, the last thing you need is for your business VoIP service to go down during a crisis. Many insurance offices, for example, use business VoIP because its flexibility and reliability can be an asset if they need to set up temporary claims offices or need to evacuate their own offices before disaster strikes. Just make sure you pick the right VoIP provider, since uptime and flexibility vary by provider.
8. What kind of failover capabilities does your business VoIP vendor provide? It’s a good practice to have failover between multiple data centers. In the event of an issue with the data center, phones could automatically and seamlessly fail over to the next closest data center. It’s also a good idea to ask where, roughly, the data centers are located. In this regard, diversity is good. The more widely dispersed the data centers, the lower the odds that any natural disaster or outage would affect them all.
9. What methods does your business VoIP or unified communications provider offer for business continuity? When natural disasters or outages strike, you want to be able to keep going, so look for service with multiple ways to stay connected. Ideally, calls can be forwarded to cell phones or other sites, and can be moved by transporting your IP phone to any other site with an Internet connection. Also, is there a mobile app so that employees can use their business phone service on their smartphones? Some business VoIP users, for example, have actually worked through disasters while waiting for flights at airports and other emergency locations.
10. What kind of customer references can your business VoIP provider supply? And what do those references say about the provider’s ability and willingness to work with any special needs that your organization has? If a provider’s references won’t talk about the provider’s ability to provide security, reliability and compliance, that’s almost as big a red flag as unwillingness to address the issue. Check to see if the provider’s clientele includes companies that need their business VoIP service to stay up and running even in the event of local or regional emergencies.
What Else Is Your Business VoIP Provider Not Telling You?
How you run your company is your business, but you really shouldn’t settle for any business VoIP provider who won’t give you full answers. Business VoIP can achieve a high degree of reliability, security and compliance, if you pick the right provider. But if a unified communications vendor or business VoIP provider can’t be honest about anything as important as security, reliability and compliance, that has to make you wonder what else they’re trying to avoid.