Cisco Meraki Documentation

Privacy Concerns and Regulatory Compliance with PCI and HIPAA

When purchasing a networking solution, customers in healthcare, finance, and other industries need to be keenly aware of how that solution fits into their risk and compliance requirements. Meraki products are designed to meet requirements around authentication, integrity, encryption, reporting, and more.

 

This article will cover:

 

 

  • Concerns about the cloud
  • Dashboard privacy
  • HIPAA
  • PCI

  

Concerns about the cloud

One of the greatest benefits of using Cisco Meraki is simple and centralized network management through the Dashboard. Customers can manage all of their devices and network information from a single location. For some customers with risk and regulatory concerns, this can pose some questions regarding what information is going through or being stored in the cloud.

 

Out of band management

Cisco Meraki’s out of band control plane separates network management data from user data. Management data (configuration, statistics, monitoring, etc.) flows from Cisco Meraki devices (wireless access points, switches and security appliances) to the Cisco Meraki cloud over a secure, encrypted connection. User data (web browsing, internal applications, etc.) does not flow through the cloud; it flows directly to its destination on the LAN or across the WAN.

 

For more information: Out of band management 

 

Information in the cloud

As part of the Cisco Meraki cloud management platform, some information needs to be located in the cloud. This information is securely stored in a redundant fashion, and in data centers that are highly available. All communication to and from the Meraki cloud is encrypted with SSL. Information stored within the Cisco Meraki cloud includes:

 

 

  • Cisco Meraki device configurations
  • Traffic statistics
  • Organization and Network administrator credentials
  • User credentials (only when using Meraki authentication)

 

All other information, including voice/data traffic, flows normally within the customer network and does not pass through or get stored in the Cisco Meraki cloud.

  

Dashboard privacy

Any information stored in Dashboard is only accessible to users that have been granted access on the Organization > Administrators page. To provide quality support, Cisco Meraki technical support is also able to view your networks when needed to answer questions or assist in resolving issues. For customers requiring an additional level of privacy, all information found in Dashboard and the Cisco Meraki cloud can be blocked from access by Cisco Meraki technical support.

 

Prevent Cisco Meraki Support from viewing a Dashboard organization

 

HIPAA

Each Cisco Meraki product provides a variety of security functions to aid with HIPAA compliance, including but not limited to:

 

 

  • WPA2 encryption for wireless traffic
  • 802.1X network access control for user-based authentication when connecting to APs or switches
  • MAC blacklisting/whitelisting
  • Virtual network isolation with multiple SSIDs or VLANs
  • Wireless Intrusion Prevention with automatic containment of rogue SSIDs
  • IPsec VPN between sites or for remote clients
  • User authentication against customer on-premises RADIUS or Active Directory server
  • Layer 3 & 7 firewall
  • User association and bandwidth usage information
  • Logging of configuration changes to Cisco Meraki devices/networks
  • Administrator password complexity, expiration, and timeout requirements
  • Two-factor authentication for administrator access

 

No Individually Identifiable Health Information (IIHI) on the network is ever sent to the Cisco Meraki cloud.

 

Please read our HIPAA compliance whitepaper for more details on how Cisco Meraki products can be used to meet HIPAA compliance requirements.

 

PCI

Please read our PCI compliance whitepaper for more details on how Cisco Meraki products can be used to meet PCI compliance requirements.