Even with patient portals, telehealth, and secure messaging, telephone call centers are still the lifeblood of modern medical practices. In their time of need, patients want to talk to a real human being without delay. So, it’s no surprise that practices scrambled to keep their call centers up and running seamlessly during 2020, when COVID-19 concerns made the conventional single-site call center an impossibility.
Now, with nearly a year of operational experience under the industry’s collective belt, the major kinks have been worked out of the distributed call center model. Since this model is likely to persist, at least to some degree, for the foreseeable future, this is great news! However, security concerns are rampant in this new architecture. Moving telephony equipment outside of the practice’s secure network environment has introduced new vulnerabilities. What can be done to mitigate these risks before exploits become common?
VoIP Technology
The key technology behind distributed call centers is Voice-over-Internet Protocol, or VoIP. This technology allows voice calls to traverse modern data networks and the Internet, which enables phone handsets that are located anywhere, even in employees’ homes. This flexibility comes with a tradeoff, however. By extending the footprint of a practice’s phone system, the security perimeter is also expanded.
With legacy architectures, phone equipment could be protected by a restricted-access network behind permanent corporate firewalls, potentially with no access from the Internet whatsoever. This configuration allowed for a manageable security perimeter. In a distributed call center model, access to the practice’s phone system is extended to devices in arbitrary locations, including untrusted home networks, public WiFi, and even other countries. It’s easy to enable this scenario, but much more difficult to implement it securely.
Eavesdropping
The first security concern in this scenario is likely obvious: eavesdropping. Phone calls occurring on devices in unsecured networks, such as an employee’s house, are linked back to the practice’s phone system over the Internet. In order for the content of these conversations, which could contain Protected Health Information (PHI) or other sensitive information, to be confidential, the calls must use end-to-end encryption.
This encryption could be provided by a VPN device or through an encryption engine built into the VoIP endpoints themselves (the phones on desks). However, most off-the-shelf hosted Private Branch Exchange (PBX) products do not have encryption enabled by default, and leave calls vulnerable to interception. Addressing this limitation is a must for secure VoIP implementations.
Central Provisioning Server
Next, we have to take a look a bit deeper into the VoIP system architecture. In order for remote endpoints to be managed effectively, these devices must periodically check in with a central provisioning server, which provides up-to-date configuration data for each individual handset. The provisioning files held on this server contain secure credentials used by the phones.
In the wrong hands, these files could provide the keys necessary to commit toll fraud, social engineering, and other attacks against the practice, or even against its patients directly. So, system engineers must carefully secure central provisioning servers, a practice that was not required when these servers were protected by deployment solely in limited-access corporate networks.
Call Processing Servers
Provisioning servers aren’t the only components that require additional security, however. The call processing servers themselves, in a distributed environment, are newly exposed to the Internet. These servers may have been originally configured with a secure network environment in mind, and could lack the necessary additional security layers demanded when exposed to the public Internet.
The Internet is full of malicious activity, including constant attempts to “brute-force attack” the credentials for VoIP endpoints. Any phone system with Internet access will undoubtedly see hundreds or thousands of attempts to compromise credentials on a daily basis. There are multiple risks here: if a credential compromise is successful, toll fraud and malicious activity will immediately follow. But even if it’s not, the mere process of these bad actors scanning the system can lead to exhaustion of resources.
The result is degraded service quality, or even a complete outage. This situation, called Telephone Denial of Service (TDoS for short), is even being utilized to actively target 911 call centers, causing a service interruption, according to DHS. A situation where private practices are targeted in a similar way, with an associated ransom demand, is not hard to imagine.
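The credential-guessing traffic described above is visible in the PBX security log long before a compromise succeeds. The following is an added example (not PEAKE’s code, and not from any particular PBX product) that reads constructed log lines in an assumed key=value format, counts authentication failures per source address within a sliding time window, and flags sources that exceed a threshold, the kind of check that can feed a firewall block list or an alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on a generic PBX security log (not real data).
# Addresses are documentation ranges; accounts are made up.
SAMPLE_LOG = """\
2021-02-03 09:00:01 SECURITY InvalidPassword RemoteAddress=203.0.113.7 AccountID=1001
2021-02-03 09:00:02 SECURITY InvalidPassword RemoteAddress=203.0.113.7 AccountID=1002
2021-02-03 09:00:02 SECURITY InvalidPassword RemoteAddress=203.0.113.7 AccountID=1003
2021-02-03 09:00:03 SECURITY InvalidPassword RemoteAddress=203.0.113.7 AccountID=1004
2021-02-03 09:00:04 SECURITY InvalidPassword RemoteAddress=203.0.113.7 AccountID=1005
2021-02-03 09:00:30 SECURITY InvalidPassword RemoteAddress=198.51.100.20 AccountID=1001
2021-02-03 09:05:00 SECURITY InvalidPassword RemoteAddress=198.51.100.20 AccountID=1001
2021-02-03 09:00:40 SECURITY SuccessfulAuth RemoteAddress=10.20.0.5 AccountID=1001
"""

# Assumed line layout: "<date> <time> SECURITY <event> RemoteAddress=<ip> AccountID=<acct>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SECURITY (?P<event>\w+) "
    r"RemoteAddress=(?P<ip>[\d.]+) AccountID=(?P<acct>\w+)$"
)

def parse_log(text):
    """Yield (timestamp, event, source_ip, account) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["event"], m["ip"], m["acct"]

def find_bruteforce_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: set_of_accounts_tried} for every source that produced
    at least `threshold` InvalidPassword events inside one sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> account IDs the source has tried
    flagged = {}
    # Sort by timestamp so out-of-order log lines do not break the window logic.
    for ts, event, ip, acct in sorted(parse_log(text)):
        if event != "InvalidPassword":
            continue
        q = recent[ip]
        q.append(ts)
        accounts[ip].add(acct)
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = accounts[ip]
    return flagged
```

With the defaults, the single source that tried five accounts in a few seconds is flagged, while two widely spaced failures from another address are not; tuning `threshold` and `window` trades sensitivity against false alarms from legitimate users mistyping a password.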
VoIP Endpoints
Now, a word on the endpoints themselves. Today’s VoIP phones are sophisticated little devices, each with a built-in operating system and many software components. Many of these devices even have built-in browsers and Bluetooth connectivity. As such, they are a target for use in attacks not only against the telephony features they enable, but against other computing devices attached to the same local network as the phones.
A compromised phone is the perfect jumping-off point for an attacker to use when gaining access to protected resources. To guard against these risks, endpoints must be kept up to date with firmware that addresses newly discovered security vulnerabilities. This process requires a diligent VoIP provider or VoIP system administrator who rolls out updates on a regular basis. The old “set it and forget it” deployment just doesn’t work anymore.
Securing All Connected Components
Finally, today’s call center systems involve much more than just telephone handsets and voice calls. Management portals, soft phones, messaging, call center analytics, customer relationship management (CRM) integrations, and more are all essential to the smooth operation of a modern call center. Each of these components must be evaluated and secured when access is provided outside of a corporate network environment, and should include layered security measures such as multi-factor authentication.
What would happen if an attacker gained access to, for example, all of the call recordings of your patient scheduling queue? Even seemingly benign and convenient features, such as voicemail-to-email, must be evaluated in order to protect PHI. Voice messages from patients containing a Social Security number could easily make their way to an unsecured mobile device or personal email account.
Work with Experienced Healthcare VoIP Providers
Numerous details must be addressed in order to implement a secure distributed call center. As a practice manager, what is the path to compliance? Engaging an experienced healthcare VoIP provider, such as PEAKE, is the most direct path to success.
PEAKE has operated secure Internet-facing VoIP implementations since 2008, when the industry was in its early stages. Through years of experience, we have not only implemented industry best practices, but tested them against real scenarios over long periods of time. As with most security issues, “an ounce of prevention is worth a pound of cure.” At PEAKE, we’re ready to develop a plan to ensure the long-term secure operation of your practice’s distributed call center.