Educause Security Discussion mailing list archives

Re: Secure HIPAA Solution for Sharing Psychology Clinical Videos


From: "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
Date: Tue, 30 Aug 2016 08:22:13 -0400

Hello,

  With respect to: “The solution would need to meet HIPAA requirements and help ensure that the client device of the 
supervisor (that is not controlled by the University) is in a secure state when viewing patient videos?” You’re going 
to have a tough time with a cloud vendor.  A cloud sharing service will probably sign a BAA with you to ensure they 
store ePHI securely, but they can’t make any guarantees about the state of a client machine connecting to the service 
to access videos.  You could perhaps attempt to host the videos on a streaming server and at least guarantee they’re 
stored and transmitted encrypted using HTTPS, but again, you can’t guarantee a client configuration.  If you’re looking 
for client security, most healthcare organizations will resort to a thin client desktop (something like Citrix or a 
remote desktop session) so that the sensitive material never actually leaves the environment and is insulated from poor 
security configurations of a client device.

Cheers,

Justin C. Klein Keane
Security Architect
Enterprise Architecture and Security
Main Line Health Information Technology
https://www.mainlinehealth.org/
klein_keanej () mlhs org
484-596-2203

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, Joel
Sent: Tuesday, August 30, 2016 8:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Secure HIPAA Solution for Sharing Psychology Clinical Videos

Hi,

Many companies providing cloud storage such as Microsoft, Google, Box, Dropbox, etc. are willing to sign a HIPAA 
business associate agreement (BAA).  Ensuring that you have a reputable company and asking for a 3rd party risk assessment 
is very important.


Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972

http://infosec.wfu.edu/

On Mon, Aug 29, 2016 at 5:56 PM, Erik Hanson <leprkhn () gmail com> wrote:
Spideroak offers HIPAA compliant cloud storage.
https://spideroak.com/about/hipaa

On Mon, Aug 29, 2016 at 12:53 PM Bohlk, Christopher J. <cbohlk () pace edu> wrote:
Hi All,

I was wondering if anyone is using a cloud or internal solution that they could describe and recommend for allowing 
Psychology students to securely share patient videos with off-campus supervisors during their Clinical training?  The 
solution would need to meet HIPAA requirements and help ensure that the client device of the supervisor (that is not 
controlled by the University) is in a secure state when viewing patient videos?

Please feel free to contact me directly if you do not wish to respond to the entire group.



Thanks,
Chris

Chris Bohlk, CISSP, C|EH, GMON, GCCC, GSEC
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914)923-2649  Office


