HIPAA/PCI Compliance on SignalWire

Overview

As a telecommunications technology company in the modern age, SignalWire knows how critical it is to protect customer privacy and follow best practices for secure data transmission. That is why the SignalWire platform is designed to be HIPAA compliant and to satisfy the PII and data privacy requirements the framework mandates! SignalWire APIs and WebRTC communications services are all encrypted by default via HTTPS, TLS, and/or SRTP/DTLS.

Access Control

When you invite a new user to your SignalWire space, the admin can specify which projects that user is allowed to view, which limits access to resource logs to only those who have been granted permission. The API also requires each request to be authenticated with a Space URL, a Project ID, and, most importantly, an API Token.

We highly recommend that each application that programmatically accesses SignalWire use its own API token, so that you can easily see when each token has been used and revoke it when necessary. Additionally, take care to make sure that only those who NEED access to a project have it.

The Principle of Least Privilege

The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs. Implementing it is a huge help in both HIPAA and PCI compliance, as well as a solid business practice!

HIPAA

HIPAA (The Health Insurance Portability and Accountability Act) applies to covered entities and business associates as defined below:

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangements with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements to protect the privacy and security of protected health information.

SignalWire is a Business Associate!

If you need a BAA signed for HIPAA compliance, reach out to [email protected] to get started.

SignalWire is HIPAA compliant by design from the ground up. No PII (Personally Identifiable Information), private resource logs, or other records are publicly accessible: you must have specific access granted by a Space Admin to see logs in the portal, and you must have API credentials to use the API. PII and PHI (Protected Health Information) that may be contained in resources can also be deleted from the logs (message bodies, fax media, message media, etc.). Recordings must be manually enabled, and they can be deleted from the space altogether or paused during the collection of sensitive data.

PCI

PCI compliance comes from the Payment Card Industry Data Security Standard (PCI DSS) and applies to all entities that store, process, and/or transmit cardholder data. Similar to HIPAA, it aims to protect end users' information from abuse and theft.

The SignalWire platform is PCI compliant because we use third parties to collect and store all PCI-sensitive information. Additionally, we implement access control, restrict access to cardholder metadata, protect stored cardholder metadata, and encrypt the transmission of cardholder metadata across open, public networks.

The extremely popular online payment processor Stripe has published an excellent guide on PCI compliance. To learn how to make sure your business follows PCI best practices as well, review it here!

Examples

To further restrict access to sensitive data, you can delete resources from SignalWire via the API or in the dashboard. Here are some examples of how to do this!
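The two access-control points above (one API token per application, and deleting message records so their bodies leave the logs) as an added Python illustration, not SignalWire's own code or documentation: it reads credentials from per-application environment variables, maps the Project ID and API token onto HTTP Basic authentication, and builds a DELETE request for a single message record. The `/api/laml/...` path, the environment variable names and the `delete_message` helper are assumptions, not details taken from this page.

```python
import base64
import os
import urllib.request

# Assumed Compatibility API path for a single message record (not from the page).
API_PATH = "/api/laml/2010-04-01/Accounts/{project_id}/Messages/{sid}.json"


def load_app_credentials(app_name, env=os.environ):
    """Read the Space URL, Project ID and API token for one application.

    Each application gets its own token (e.g. BILLING_SIGNALWIRE_TOKEN), so a
    token's usage can be audited and it can be revoked without touching the
    tokens of other integrations. Variable names are a constructed convention.
    """
    prefix = app_name.upper()
    return {
        "space_url": env[f"{prefix}_SIGNALWIRE_SPACE"],
        "project_id": env[f"{prefix}_SIGNALWIRE_PROJECT"],
        "token": env[f"{prefix}_SIGNALWIRE_TOKEN"],
    }


def basic_auth_header(project_id, token):
    """Project ID is the Basic-auth username, the API token the password."""
    raw = f"{project_id}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_delete_request(creds, message_sid):
    """Build (without sending) an authenticated DELETE for one message record,
    which removes its body from the space's logs once it is no longer needed."""
    path = API_PATH.format(project_id=creds["project_id"], sid=message_sid)
    req = urllib.request.Request("https://" + creds["space_url"] + path, method="DELETE")
    req.add_header("Authorization", basic_auth_header(creds["project_id"], creds["token"]))
    return req


def delete_message(creds, message_sid, opener=urllib.request.urlopen):
    """Send the DELETE; the opener is injectable so callers can test offline."""
    with opener(build_delete_request(creds, message_sid)) as resp:
        return resp.status == 204


if __name__ == "__main__":
    # Constructed sample environment for a hypothetical "billing" application.
    sample_env = {
        "BILLING_SIGNALWIRE_SPACE": "example.signalwire.com",
        "BILLING_SIGNALWIRE_PROJECT": "00000000-0000-0000-0000-000000000000",
        "BILLING_SIGNALWIRE_TOKEN": "PT-example-token",
    }
    req = build_delete_request(load_app_credentials("billing", sample_env), "SMexample")
    print(req.get_method(), req.full_url)
```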

You can also secure the callbacks for inbound faxes to further protect your application!

Conclusion

Following privacy regulations is a crucial part of integrating modern communications technology with your applications, especially if the data you are passing is payment card, medical, or legal data. This protects both your customers and your company from the unintended repercussions of insecurely transmitting data!