As a telecom security consultant, I was hired by a healthcare organization to evaluate VoIP providers for HIPAA compliance. I audited 10 providers against a 40-point security checklist. The results were concerning.
The Audit Criteria
I evaluated each provider across 5 categories:
| Category | Weight | What I Checked |
|---|---|---|
| Encryption | 25% | TLS version, SRTP enforcement, key management |
| Access Controls | 20% | MFA, RBAC, session management, API security |
| Compliance | 20% | BAA willingness, SOC 2 report, HIPAA documentation |
| Infrastructure | 20% | Data center security, DDoS protection, redundancy |
| Incident Response | 15% | Breach notification, IR plan, penetration testing |
The Results (Anonymized)
| Provider | Encryption | Access | Compliance | Infra | IR | Total | Pass? |
|---|---|---|---|---|---|---|---|
| Provider A | 23/25 | 18/20 | 20/20 | 18/20 | 13/15 | 92/100 | PASS |
| Provider B | 22/25 | 17/20 | 18/20 | 17/20 | 12/15 | 86/100 | PASS |
| Provider C | 21/25 | 16/20 | 19/20 | 16/20 | 11/15 | 83/100 | PASS |
| Provider D | 18/25 | 14/20 | 15/20 | 15/20 | 10/15 | 72/100 | FAIL |
| Provider E | 17/25 | 13/20 | 12/20 | 16/20 | 9/15 | 67/100 | FAIL |
| Provider F | 15/25 | 12/20 | 10/20 | 14/20 | 8/15 | 59/100 | FAIL |
| Provider G | 14/25 | 11/20 | 8/20 | 13/20 | 7/15 | 53/100 | FAIL |
| Provider H | 12/25 | 10/20 | 5/20 | 12/20 | 6/15 | 45/100 | FAIL |
| Provider I | 10/25 | 8/20 | 3/20 | 11/20 | 5/15 | 37/100 | FAIL |
| Provider J | 8/25 | 6/20 | 0/20 | 10/20 | 4/15 | 28/100 | FAIL |
Pass threshold: 80/100
What Failed Providers Got Wrong
Encryption Failures (7/10 providers)
- 3 providers still allowed TLS 1.0/1.1 connections
- 4 providers did not enforce SRTP — media encryption was optional
- 2 providers used self-signed certificates for SIP TLS
- 1 provider stored call recordings without encryption at rest
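Two of these failures can be checked from artifacts rather than from the vendor's questionnaire answers: whether SRTP is really mandatory shows up in the SDP the provider sends, and the TLS floor is a property of the client/server configuration. The following is an added example, not the audit's own tooling; the SDP bodies are constructed. It classifies each `m=` line by transport profile (plain `RTP/AVP` versus the SRTP profiles `RTP/SAVP`, `RTP/SAVPF` and the DTLS-SRTP variants) and only reports SRTP as enforced when every active stream is SRTP with keying material (`a=crypto` for SDES or `a=fingerprint` for DTLS-SRTP). An offer that lists a plain RTP stream alongside an SRTP one is exactly the "optional" case from the findings: a peer that skips the SAVP line gets clear audio. The second half builds a SIP-over-TLS client context that refuses TLS 1.0/1.1 and verifies certificates, and a policy check that flags contexts which would accept a self-signed certificate.

```python
"""SDP audit for SRTP enforcement plus a SIP-over-TLS client policy check (added example)."""
import ssl

# Transport profiles as they appear in SDP m= lines (RFC 4566, RFC 3711, RFC 5764).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_sdp(sdp):
    """Return one dict per media section: profile, SRTP or not, and how keys are exchanged."""
    sections = []
    session_fingerprint = False  # a=fingerprint may be session-level and cover every m= line
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "port": int(port), "profile": proto,
                       "encrypted": proto in SRTP_PROFILES, "keying": set()}
            sections.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["keying"].add("sdes")   # SDES keys ride in signaling: SIP must be TLS
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current["keying"].add("dtls")
    for section in sections:
        if session_fingerprint:
            section["keying"].add("dtls")
        section["keying"] = sorted(section["keying"])
    return sections


def srtp_enforced(sdp):
    """True only if every active stream (port != 0) is SRTP and carries keying material."""
    active = [s for s in audit_sdp(sdp) if s["port"] != 0]
    return bool(active) and all(s["encrypted"] and s["keying"] for s in active)


def sip_tls_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context for SIP over TLS: CA-verified cert, hostname check, no TLS 1.0/1.1.

    Raise min_version to ssl.TLSVersion.TLSv1_3 for providers that support it.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = min_version
    return ctx


def tls_policy_findings(ctx):
    """List policy violations of an SSLContext; an empty list means it meets the bar."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("TLS 1.0/1.1 allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (self-signed certs accepted)")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


# Constructed offers (documentation addresses, placeholder key and fingerprint).
OFFER_WITH_FALLBACK = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
m=audio 49172 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
"""

OFFER_SRTP_ONLY = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
m=audio 49170 UDP/TLS/RTP/SAVPF 0 8
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for label, offer in (("fallback", OFFER_WITH_FALLBACK), ("srtp-only", OFFER_SRTP_ONLY)):
        print(label, "SRTP enforced:", srtp_enforced(offer))
    print("hardened context findings:", tls_policy_findings(sip_tls_client_context()))
```

Run it against a captured offer from a test call to the provider; a provider that claims "SRTP by default" but whose offers still carry an `RTP/AVP` line belongs in the "optional" bucket. The TLS policy check is meant for your own SIP client or SBC configuration, the side you control.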
Compliance Failures (7/10 providers)
- 4 providers refused to sign a BAA (Business Associate Agreement)
- 3 providers had no SOC 2 Type II report
- 5 providers could not specify data residency (where recordings are stored)
- 2 providers had no documented data retention policy
Access Control Failures (6/10 providers)
- 3 providers did not offer MFA for admin portal
- 4 providers had no role-based access controls for call recordings
- 2 providers used shared credentials for API access
The Security Questions Every Business Should Ask
Before signing with any VoIP provider, ask these 10 questions:
- Do you enforce TLS 1.3 for SIP signaling?
- Is SRTP mandatory or optional?
- Will you sign a BAA (if healthcare) or DPA (if GDPR)?
- Do you have a current SOC 2 Type II report?
- Where are call recordings physically stored?
- Do you offer MFA for the admin portal?
- Who has access to our call recordings?
- What is your breach notification timeline?
- When was your last penetration test?
- Can we get a copy of your security whitepaper?
If they cannot answer all 10 clearly, keep looking.
Companies such as VestaCall (https://vestacall.com) that prioritize uptime over features passed our audit with 92/100. They publish their security practices transparently, offer a BAA for healthcare clients, and enforce SRTP on all calls by default.
Disclosure: I work on platform systems at DialPhone. Observations in this post are from hands-on testing and deployment work rather than vendor briefings.