Educause Security Discussion mailing list archives

Re: Secure HIPAA Solution for Sharing Psychology Clinical Videos


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Tue, 30 Aug 2016 09:02:52 -0400

I agree the 'secure end station' is a very tall order.

I just had this conversation regarding test question security, and we 
decided there is no way to truly share something remotely that is 100% 
secure, unless you have physical security controls in place at the far 
side as well.

What is to prevent someone from breaking out a phone and recording the 
video regardless of how secure the application/workstation is?

To be fair, HIPAA doesn't actually require total secrecy the same way that 
protecting IP might.  Encryption in transit, authentication at the 
receiving side, and leaving no data behind seems to meet most 
interpretations I've come across.  Is there a concern the MD on the other 
end will intentionally, and improperly, share? 

-Kevin





From:   "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
To:     SECURITY () LISTSERV EDUCAUSE EDU, 
Date:   08/30/2016 08:34 AM
Subject:        Re: [SECURITY] Secure HIPAA Solution for Sharing 
Psychology Clinical Videos
Sent by:        The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>



Hello,
 
  With respect to: "The solution would need to meet HIPAA requirements and
help ensure that the client device of the supervisor (that is not
controlled by the University) is in a secure state when viewing patient
videos?" You're going to have a tough time with a cloud vendor.  A cloud
sharing service will probably sign a BAA with you to ensure they store
ePHI securely, but they can't make any guarantees about the state of a
client machine connecting to the service to access videos.  You could
perhaps attempt to host the videos on a streaming server and at least
guarantee they're stored and transmitted encrypted using HTTPS, but again,
you can't guarantee a client configuration.  If you're looking for client
security most healthcare organizations will resort to a thin client
desktop (something like Citrix or a remote desktop session) so that the
sensitive material never actually leaves the environment and is insulated
from poor security configurations of a client device.
 
Cheers,
 
Justin C. Klein Keane
Security Architect
Enterprise Architecture and Security
Main Line Health Information Technology
https://www.mainlinehealth.org/
klein_keanej () mlhs org
484-596-2203
 
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, Joel
Sent: Tuesday, August 30, 2016 8:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Secure HIPAA Solution for Sharing 
Psychology Clinical Videos
 
Hi,
 
Many companies providing cloud storage such as Microsoft, Google, Box,
Dropbox, etc. are willing to sign a HIPAA business associate agreement
(BAA).  Ensuring that you have a reputable company and asking for a 3rd party
risk assessment is very important.


Thank you,
 
Joel Garmon
Director Information Security
Wake Forest University
336-758-2972
 
http://infosec.wfu.edu/
 
On Mon, Aug 29, 2016 at 5:56 PM, Erik Hanson <leprkhn () gmail com> wrote:
Spideroak offers HIPAA compliant cloud storage.
https://spideroak.com/about/hipaa
 
On Mon, Aug 29, 2016 at 12:53 PM Bohlk, Christopher J. <cbohlk () pace edu> 
wrote:
Hi All,
 
I was wondering if anyone is using a cloud or internal solution that they
could describe and recommend for allowing Psychology students to securely
share patient videos with off-campus supervisors during their Clinical
training?  The solution would need to meet HIPAA requirements and help
ensure that the client device of the supervisor (that is not controlled by
the University) is in a secure state when viewing patient videos?
 
Please feel free to contact me directly if you do not wish to respond to 
the entire group.
 
 
 
Thanks,
Chris 
 
Chris Bohlk, CISSP, C|EH, GMON, GCCC, GSEC
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914)923-2649  Office
 
 
