Last Update: Revision 1.3 February 2023
General
This document describes how to configure the MX system for use in a HIPAA-compliant environment. This setup will ensure privacy and security. The configuration defines the proper way to set up, configure and manage a Zultys MX to secure ePHI data both in transit and at rest.
Unless otherwise stated, these configuration requirements are applicable to any MX system type (MX-E, MX-SE, MXvirtual) and installation of any type: Hosted by Zultys, Hosted by Partner or Premise.
NOTE: Starting with MX Release 16.0.2, the MX includes a number of features that address specific Technical Safeguards relating to HIPAA compliance. As such, premise MX systems can be deployed in HIPAA compliant environments PROVIDED the Partner is HIPAA compliant and the Partner/End User have addressed all Administrative, Physical and Technical HIPAA compliance requirements for the specific site.
Requirements
- MX firmware version Release 16.0.2 (or later versions). The MX system should always run the latest software version and all recommended patches associated with the version.
- ZIP 4xi phones (latest firmware and TLS/SRTP configured)
- Z 2 phones (latest firmware and TLS/SRTP configured)
- Polycom phones (latest firmware and TLS/SRTP configured)
- Public signed Security Certificate
Zultys is not responsible for the use, disclosure, or storage of any PHI stored locally on the Customer’s systems. The Customer is responsible for ensuring that all local/onsite software is up to date and that encryption at rest or physical security is employed. The Customer is responsible for ensuring the local site conforms to all necessary physical, technical and administrative safeguards as required by HIPAA.
Protected Data
HIPAA defines sensitive data that must be protected as data that could contain individually identifiable information. In the MX system, protected data is defined as follows:
- Protected Data in Motion
  - Voice stream
  - Fax stream
  - Voice/fax files in transmission
  - Text messages
  - CDR reports
- Protected Data at Rest
  - Voice mail
  - Call recording
  - Fax
  - Instant message history
  - CDR
Configuration Settings
General
To configure the MX system for HIPAA compliance, the following MX Administrator areas should be configured:
- Security mode
- Password settings and passwords
- Network Security
- Certificates
- Phone provisioning
- SIP and RTP
- User profiles
Security mode
Security settings are configured in Provision | System Settings | Security.
- Default password should be disabled
- Minimum password length should be set to at least 9 symbols.
- Password expiration time set to no more than 90 days
- Minimum length for Voice Mail PIN should be set to 6 digits or more
- Retention Policy should be set for 30 days or less
- Backward compatibility mode should be turned off
- If the system was upgraded from an early version of MX firmware or was in production with insufficient password restrictions, the Administrator should click the “Force users to change passwords” option.
Certificates
A public-signed certificate must be used for HIPAA environments. A self-signed certificate is not acceptable for use in HIPAA-compliant environments. Zultys best practice is to use the automatic certificate management feature.
Maintenance | Security Certificate Management
Phone setup and provisioning
The following phone models are the only ones that should be deployed in HIPAA-compliant environments. For ALL listed phone models, dedicated HTTPS provisioning as well as SIP TLS and SRTP should be configured:
- Z 2 phones
- ZIP 4xi phones
- Polycom phones
In addition, all phone models should be deployed with the latest firmware versions that are available.
Provisioning
Phone provisioning should be set to HTTPS. Non-encrypted protocols such as TFTP or HTTP should not be used in a HIPAA-compliant environment. The Dedicated HTTPS port should also be configured.
Maintenance | Security Certificate Management | Phone Provisioning Certificates
Configure | Devices | Profiles |IP & Provisioning
HTTPS protocol and Dedicated port should be configured
TLS and SRTP
In Phone Provisioning both TLS and SRTP should be selected.
Configure | Devices | Profiles | “SIP” tab
Configure SIP Transport to TLS
On the “Audio and RTP” tab, the Voice Encryption (SRTP) check box should be selected.
SIP TLS and SRTP
TLS port should be configured and enabled
Provision | SIP and RTP | SIP Settings
SIP Security
SIP Security should be configured for the maximum level.
Provision | SIP and RTP | SIP Security
Codec Profiles
In codec profiles, configure the MX so that only secured codecs are configured for the customer’s location. Unsecured codecs can be used for communications with ITSPs.
Provision | Codecs | Codec Profiles
Verify Secure Codec content and configure Secure codec for use within and between locations.
Device Password
Auto-fill option for SIP Proxy Password is recommended. Any manually entered password should meet HIPAA security criteria.
The administrative password for the device should be changed from the default to a unique one.
User profiles and user settings
In all User Profiles the following settings should be configured:
- Voicemail transcription should be turned off
- Can Return Call from Voice Mail – off
- Can register unmanaged devices – off
- Store Instant Message History should be set to 30 days.
Voice Mail and Fax notifications with attachments are not allowed. This setting is configured per user and controlled by the Administrator under Configure | User | <Right Click> Notification Rules.
Network Security
The following services must be disabled for all networks:
- TFTP
- CDR
- HTTP Update Server
- MXarchive
Provision | Network Security | Service Protection
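As an added example, not part of this document or any Zultys tool, the following Python audit encodes the Security mode, Provisioning, SIP TLS/SRTP and Service Protection requirements above and runs them over two constructed configuration snapshots. The dictionary layout and the dedicated port number are assumptions, since this guide documents no settings export format; the checks themselves are the values stated in the sections above.

```python
# Added audit example (not Zultys code). The dict layout mirrors the MX
# Administrator areas named in this guide; it is an assumed format.
REQUIRED_DISABLED_SERVICES = {"TFTP", "CDR", "HTTP Update Server", "MXarchive"}

def audit_mx_settings(cfg: dict) -> list[str]:
    """Return findings for each unmet requirement; missing values count as unmet."""
    findings = []
    sec = cfg.get("security", {})
    if sec.get("default_password_enabled", True):
        findings.append("security: default password must be disabled")
    if sec.get("min_password_length", 0) < 9:
        findings.append("security: minimum password length must be at least 9")
    if sec.get("password_expiration_days", 91) > 90:
        findings.append("security: password expiration must be 90 days or less")
    if sec.get("min_vm_pin_length", 0) < 6:
        findings.append("security: Voice Mail PIN must be at least 6 digits")
    if sec.get("retention_days", 31) > 30:
        findings.append("security: retention policy must be 30 days or less")
    if sec.get("backward_compatibility", True):
        findings.append("security: backward compatibility mode must be off")
    prov = cfg.get("provisioning", {})
    if prov.get("protocol", "").upper() != "HTTPS" or not prov.get("dedicated_port"):
        findings.append("provisioning: HTTPS with a dedicated port is required")
    sip = cfg.get("sip", {})
    if sip.get("transport", "").upper() != "TLS":
        findings.append("sip: SIP transport must be TLS")
    if not sip.get("srtp"):
        findings.append("sip: voice encryption (SRTP) must be enabled")
    # Provision | Network Security | Service Protection: these must be blocked.
    for svc in sorted(REQUIRED_DISABLED_SERVICES & set(cfg.get("enabled_services", []))):
        findings.append(f"network: {svc} must be disabled on all networks")
    return findings

# Constructed snapshots: a system upgraded with legacy settings, and its fix.
WEAK_CONFIG = {
    "security": {"default_password_enabled": True, "min_password_length": 6,
                 "password_expiration_days": 180, "min_vm_pin_length": 4,
                 "retention_days": 365, "backward_compatibility": True},
    "provisioning": {"protocol": "TFTP", "dedicated_port": None},
    "sip": {"transport": "UDP", "srtp": False},
    "enabled_services": ["TFTP", "CDR", "HTTP Update Server", "MXarchive", "SIP"],
}
HARDENED_CONFIG = {
    "security": {"default_password_enabled": False, "min_password_length": 12,
                 "password_expiration_days": 90, "min_vm_pin_length": 6,
                 "retention_days": 30, "backward_compatibility": False},
    "provisioning": {"protocol": "HTTPS", "dedicated_port": 8443},  # placeholder port
    "sip": {"transport": "TLS", "srtp": True},
    "enabled_services": ["SIP"],
}
```

Running `audit_mx_settings(WEAK_CONFIG)` lists every deviation, while the hardened snapshot returns no findings; an empty configuration fails every non-service check, which is the intended behaviour for an incomplete export.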
Limitations
The following services, features and equipment should not be used, or should be used only with the restrictions noted, on all MX HIPAA-compliant systems:
- Third-party phones cannot be used
- Zultys MG Gateways cannot be used
- MXreport access must be configured so that Secure User Access method is utilized. Direct CDR access and port 3306 should be disabled.
- MXreport scheduled reports sent via e-mail
NOTE: MXreport version 4.2+ is HIPAA compliant with regards to Scheduling reports and sending via e-mail.
- E-mail notifications for Voice Mail and Faxes should not include attachment
- Voice Mail transcription cannot be used
- SMS messaging can be used but cannot contain ePHI data
- MXarchive Server cannot be used
- MXmeeting cannot be used
- Data retention on the system must be limited to 30 days
- Laptops/desktops running ZAC must be HIPAA-compliant
- For MX-E and MX-SE physical access to the device must be strongly restricted
- For MX-V running on VMware or Hyper-V outside of Zultys Data Center, physical and logical access to Data Storage must be strongly restricted
- ZIP3 telephones cannot be used
Best Practices
Below is the list of best practices to keep the system well secured and ensure that service is not interrupted:
- HTTP Update Server should only be enabled if the MX system is part of an MXnetwork.
- Do not use the Administrator account for day-to-day operations. Provide users with named accounts with restricted administrative rights, granting only the least amount of access required for each user.
- Configure the MX system so that it is behind a firewall
- Use the MX built-in Network Security feature to limit access to MX components only to known IP sources
- Backup all data on a daily basis using scheduled backup. Maintain the backup in a secure location.
- Check the Audit Log daily for any unauthorized access
- Configure Zultys/Polycom phones so that they reside behind a firewall
- Enable Automatic Patch Installation
- Always keep the MX on latest software version with the latest patches installed
- Configure change password on login on the first provisioning of the system
Zultys also recommends that you download and review WP-2344 MX Security from the Zultys KBS website for additional security information relating to the MX system.
Please review the complete HIPAA Compliance documentation, including associated screenshots, available on kbs.zultys.com under document ID PM-4062.