Privacy Concerns and Regulatory Compliance with PCI and HIPAA
When purchasing a networking solution, customers in healthcare, finance, and other industries need to be keenly aware of how that solution fits into their risk and compliance requirements. Meraki products are designed to meet requirements around authentication, integrity, encryption, reporting, and more.
This article will cover:
- Concerns about the cloud
- Dashboard privacy
Concerns about the cloud
One of the greatest benefits of using Cisco Meraki is simple, centralized network management through the Dashboard. Customers can manage all of their devices and network information from a single location. For some customers with risk and regulatory concerns, this raises questions about what information passes through, or is stored in, the cloud.
Out of band management
Cisco Meraki’s out of band control plane separates network management data from user data. Management data (e.g. configuration, statistics, monitoring) flows from Cisco Meraki devices (wireless access points, switches and security appliances) to the Cisco Meraki cloud over a secure, encrypted connection. User data (web browsing, internal applications, etc.) does not flow through the cloud; it flows directly to its destination on the LAN or across the WAN.
For more information: Out of band management
Information in the cloud
As part of the Cisco Meraki cloud management platform, some information needs to be located in the cloud. This information is stored securely and redundantly, in data centers that are highly available. All communication to and from the Meraki cloud is encrypted with SSL. Information stored within the Cisco Meraki cloud includes:
- Cisco Meraki device configurations
- Traffic statistics
- Organization and Network administrator credentials
- User credentials (only when using Meraki authentication)
All other information, including voice/data traffic, flows normally within the customer network and does not pass through or get stored in the Cisco Meraki cloud.
Any information stored in Dashboard is accessible only to users who have been granted access on the Organization > Administrators page. To provide quality support, Cisco Meraki technical support is also able to view your networks when needed to answer questions or assist in resolving issues. For customers requiring an additional level of privacy, all information found in Dashboard and the Cisco Meraki cloud can be blocked from access by Cisco Meraki technical support.
Prevent Cisco Meraki Support from viewing a Dashboard organization
Each Cisco Meraki product provides a variety of security functions to aid with HIPAA compliance, including but not limited to:
- WPA2 encryption for wireless traffic
- 802.1X network access control for user-based authentication when connecting to APs or switches
- MAC blacklisting/whitelisting
- Virtual network isolation with multiple SSIDs or VLANs
- Wireless Intrusion Prevention with automatic containment of rogue SSIDs
- IPsec VPN between sites or for remote clients
- User authentication against customer on-premises RADIUS or Active Directory server
- Layer 3 & 7 firewall
- User association and bandwidth usage information
- Logging of configuration changes to Cisco Meraki devices/networks
- Administrator password complexity, expiration, and timeout requirements
- Two-factor authentication for administrator access
No Individually Identifiable Health Information (IIHI) on the network is ever sent to the Cisco Meraki cloud.
Please read our HIPAA compliance whitepaper for more details on how Cisco Meraki products can be used to meet HIPAA compliance requirements.
Please read our PCI compliance whitepaper for more details on how Cisco Meraki products can be used to meet PCI compliance requirements.