Navigating Video Conference Regulations
Navigate video conference regulations to get your teams talking. Vonage breaks down a number of video compliance hurdles and points the way forward.
In 2020, every industry has had to dabble in remote work and remote customer support. It’s hit some harder than others, and the use of video conferencing, in particular, raises questions in those industries subject to high levels of regulatory scrutiny. What are the video conferencing regulations I need to know? Is my current video solution compliant?
Finance, healthcare, education—all of these industries are tightly regulated by governmental and other mandates due to the sensitive nature of the data they produce, collect, and store. These industries in particular need to take video conferencing security and regulations into account as they build out their communications systems.
Our own data (download the report below) support the assumption that video usage is increasing rapidly; Vonage video usage increased by 232% in March 2020 over February 2020, with a 435% increase in peak minute usage.
This becomes more pronounced when looking at individual industries, and surprisingly, the most tightly regulated businesses had some of the highest usage increases. Overall Vonage video minutes in the healthcare industry, for example, increased by 727% in March 2020 over February 2020, with peak minutes up 947%.
This tells us that healthcare has a real and immediate need for this technology, in particular during a pandemic; but we believe the benefits of remote healthcare will ensure the practice continues after the current moment has passed. Virtual, real-time interactions between patients and healthcare providers will continue to be the ideal format for many people, including those with conditions that make travel difficult and those living in remote areas without easily accessible healthcare.
While the coronavirus drove everybody to video, not all industries have the same needs from their video providers. Educators, for example, largely turned to off-the-shelf, general purpose video conferencing tools rather than dedicated e-learning and education applications. The reason? Such applications simply weren’t ready to add video conferencing to their offerings. We predict that an ongoing need for e-learning will drive educational companies to add secure video capabilities to their existing applications (through the use of APIs, for example).
Other industries like healthcare and financial services didn’t have the option to use those general purpose video apps; they’re so highly regulated and monitored that they needed something more robust, something they could feel secure using.
What Regulations Apply?
Chances are, you or somebody else in your company has piles of documentation on regulations and liability issues. Your company’s compliance manager, for example, would be the first person to ask about video conference regulations specific to your field. When you know what laws you’re accountable for following, you can begin to look into video vendors.
In the United States, financial institutions are subject to the regulations and requirements of the Federal Reserve Board, often called “the Fed,” along with the Federal Deposit Insurance Corporation (FDIC), the Commodity Futures Trading Commission (CFTC), the Financial Industry Regulatory Authority (FINRA), the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and any number of state and local agencies covering banks, insurance agencies, and securities.
Healthcare providers are subject to the regulatory requirements of the Department of Health and Human Services, encompassing such regulations as HIPAA and HITRUST. Under the DHHS umbrella are offices like the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services (CMS), Office of the National Coordinator for Health IT (ONC), the Food and Drug Administration (FDA), and hospital accreditation agencies, all of which carry their own regulations and requirements for healthcare providers.
And these are just the United States’ regulatory bodies. Across the globe, countries have their own regulations and requirements.
What Are the Risks Inherent in Video Conferencing?
The Washington Post reported in April 2020 that “Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.”
That’s enough to give anybody pause, especially those in highly regulated industries. Therapy sessions, telehealth calls, financial meetings—all these types of video conferences are risky when you look at video through this lens. You should always assume a video conference is being recorded (though it’s certainly not advisable to record somebody without their consent, a practice that in many states is illegal, some applications allow exactly that). Where are all those recordings going to end up?
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” writes Zoom chief executive Eric Yuan. Understandable; who could have seen this coming?
But COVID-19 came anyway and made video conferencing software necessary overnight; suddenly everybody was sheltering in place and couldn’t visit banks, therapists, or even doctors except in special cases. Off-the-shelf solutions were attractive on such short notice; just click and go. But how do you ensure security?
The truth is out-of-the-box solutions like these will never be the best options for highly-regulated industries.
Choosing a Vendor
If you can’t use off-the-shelf video conferencing, where do you go? What are the alternatives to make sure your organization is video compliant?
There are other options, more secure and more complex to set up. But a good vendor should make setup easy for you so you can start conferencing with confidence sooner rather than later.
You should expect a vendor to provide you with a Business Associate Agreement (BAA). The BAA outlines the assumption of liability by a vendor, so that in the event they’re responsible for a breach of personal health information (PHI) or personal identification information (PII), they’re obligated not only to inform but also to engage in defense on behalf of the customer (that’s you). Readiness to provide such a document is your first sign that the vendor you’re working with is a better fit than the “easy” solutions that potentially lack security.
This is known as a shared responsibility model, as made popular by Amazon’s AWS. It means the vendor shares responsibility in keeping your application compliant. That alone is worth a lot and will take a weight off your shoulders.
Further, the vendor should be able to provide, quickly and accurately, whatever documentation and assistance you may need to ensure your compliance. The vendor should work with you as a partner in seeking and maintaining compliance.
Finally, if your company already has its own customer-facing application, you’ve probably already ensured its security. Wouldn’t it be nice to simply add video chat as an equally secure feature, right in your existing app? Of course, if you don’t have such an application, the vendor should be able to provide a full solution.
Vonage’s Video API was built with regulations in mind. Our comprehensive documentation makes it easy for our customers to achieve and maintain compliance with whatever governing bodies they report to. Our global presence means this is true in countries around the world.
Further, because our APIs allow you to add video, voice, and messaging to your existing applications, we don’t need to store any of your users’ data for more than 72 hours. We have no user database, no historical usage data, and therefore present minimal risk to our customers in case of a data breach on our side.
Rather, we help you build or add to purpose-driven applications that incorporate our communications tools. And you never have to fear that adding a Vonage product to your toolkit will complicate your compliance requirements. We’re ready to sign Business Associate Agreements and promise you that with Vonage, you’ll build a fully compliant application that securely meets all your communications needs.
“Vonage provides the secure infrastructure, regularly tested by bug bounty hunters and penetration testers, certified to the standards required and regularly updated when new vulnerabilities have been identified (called zero day attacks),” says Andrew Rice, information security compliance manager at Vonage. “No solution can guarantee 100% security, but we can guarantee vigilance in protecting our clients’ privacy, which is why we are the trusted partner of banks, medical companies, and service organizations delivering fast and reliable conversations.”