Educause Security Discussion mailing list archives

Re: Secure HIPAA Solution for Sharing Psychology Clinical Videos


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Tue, 30 Aug 2016 17:42:58 +0000

Hello Chris,

As pointed out by others, there is simply no way for a vendor (or a university) to enforce security at the user end.  
The best you can do is to secure your end, identify risks that user workflows pose, and address them as best as you can.

Since this may be useful in other contexts, I will expand on Kevin’s theme.  HIPAA is not meant to be 
control-centric.  It is all about risk management using reasonable and appropriate safeguards (i.e., controls are 
secondary to risk).  The regulators are not looking for herculean and/or unachievable measures.  They do not expect 
breach elimination either, just a structure that minimizes the risk of having one and is nimble enough to respond 
quickly when it occurs (which it will, sooner or later).  This is the premise we have used successfully at Indiana 
University to handle HIPAA for our central IT organization for nearly a decade.  We use a NIST Risk Management 
Framework for compliance, which helps us allow PHI on many central systems.  We also tell our users that HIPAA 
compliance is not possible merely by using these systems.  We tell them that *they* have to implement whatever 
safeguards may be necessary at their end to complement ours before the *institution* can satisfy HIPAA.  We then 
provide them assistance to determine what these safeguards should be.

As regards storage, since proliferation of PHI on laptops, etc. is the biggest risk to PHI, we give our users a 
risk-optimized, central storage option for PHI, namely IU’s Box Enterprise instance (we have a BAA with Box).  They use 
“Box Health Data Accounts”, institutionally owned accounts with enhanced, local controls.  We determined that the 
primary risk to PHI was not at the vendor end (we did an extensive review of Box using the HIPAA Security Rule Toolkit 
and found that their controls were plenty good).  It was local.  So that is where we focused our attention.

The approach I’d recommend is as follows:

1. Find any storage and/or streaming vendor that is willing to sign a BAA.

2. Do a vendor risk assessment and/or transfer the infrastructure risk to the vendor.

3. Identify potential user workflows.

4. Do a risk assessment to identify areas of risk that the workflows represent.

5. Design a risk-optimized solution.

   a. Provide resources (education, tools) to the users to mitigate those risks.

   b. Institute policies and procedures (and point to sanctions) to guide user behavior.

6. Document it all.

This I believe will satisfy HIPAA any day.

Regards,

Anurag

---
Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kevin Reedy <KReedy () EXCELSIOR EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, August 30, 2016 at 9:02 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Secure HIPAA Solution for Sharing Psychology Clinical Videos

I agree the 'secure end station' is a very tall order.

I just had this conversation regarding test question security, and we decided there is no way to truly share something 
remotely that is 100% secure, unless you have physical security controls in place at the far side as well.

What is to prevent someone from breaking out a phone and recording the video regardless of how secure the 
application/workstation is?

To be fair HIPAA doesn't actually require total secrecy the same way that protecting IP might.  Encryption in transit, 
authentication at the receiving side, and leaving no data behind seems to meet most interpretations I've come across.  
Is there a concern the MD on the other end will intentionally, and improperly, share?

-Kevin

From:        "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
To:        SECURITY () LISTSERV EDUCAUSE EDU,
Date:        08/30/2016 08:34 AM
Subject:        Re: [SECURITY] Secure HIPAA Solution for Sharing Psychology Clinical Videos
Sent by:        The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

Hello,

With respect to: “The solution would need to meet HIPAA requirements and help ensure that the client device of the 
supervisor (that is not controlled by the University) is in a secure state when viewing patient videos?” You’re going 
to have a tough time with a cloud vendor.  A cloud sharing service will probably sign a BAA with you to ensure they 
store ePHI securely, but they can’t make any guarantees about the state of a client machine connecting to the service 
to access videos.  You could perhaps attempt to host the videos on a streaming server and at least guarantee they’re 
stored and transmitted encrypted using HTTPS, but again, you can’t guarantee a client configuration.  If you’re looking 
for client security most healthcare organizations will resort to a thin client desktop (something like Citrix or a 
remote desktop session) so that the sensitive material never actually leaves the environment and is insulated from poor 
security configurations of a client device.

Cheers,

Justin C. Klein Keane
Security Architect
Enterprise Architecture and Security
Main Line Health Information Technology
https://www.mainlinehealth.org/
klein_keanej () mlhs org
484-596-2203

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, Joel
Sent: Tuesday, August 30, 2016 8:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Secure HIPAA Solution for Sharing Psychology Clinical Videos

Hi,

Many companies providing cloud storage such as Microsoft, Google, Box, Dropbox, etc. are willing to sign a HIPAA 
business associate agreement (BAA).  Ensuring that you have a reputable company and asking for a third-party risk 
assessment is very important.

Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972

http://infosec.wfu.edu/

On Mon, Aug 29, 2016 at 5:56 PM, Erik Hanson <leprkhn () gmail com> wrote:
Spideroak offers HIPAA compliant cloud storage.
https://spideroak.com/about/hipaa

On Mon, Aug 29, 2016 at 12:53 PM Bohlk, Christopher J. <cbohlk () pace edu> wrote:
Hi All,

I was wondering if anyone is using a cloud or internal solution that they could describe and recommend for allowing 
Psychology students to securely share patient videos with off-campus supervisors during their Clinical training?  The 
solution would need to meet HIPAA requirements and help ensure that the client device of the supervisor (that is not 
controlled by the University) is in a secure state when viewing patient videos?

Please feel free to contact me directly if you do not wish to respond to the entire group.

Thanks,
Chris

Chris Bohlk, CISSP, C|EH, GMON, GCCC, GSEC
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914) 923-2649  Office
