Private Cloud Web Conferencing
A private cloud web conferencing option is another component of HIPAA compliant video conferencing. While the HIPAA Security Rule does not require HIPAA compliant video conferencing to be cloud-based, a private-cloud option nevertheless offers a heightened level of security. This is because in a private cloud, information is stored behind the provider organization’s firewall. A private cloud option also contains features allowing a provider to control the location of stored documents and recordings. A private cloud also allows a provider to select “no content storage.” This means that, at the conclusion of a telehealth session, any shared content or files are deleted from the system. A private cloud option is particularly useful for encounters consisting of patient care, meetings, or consultations – in other words, encounters where ePHI is commonly exchanged and disclosed.
HIPAA compliant video conferencing should contain password controls. These controls provide for the password to be changed after a set number of days, and ensure that passwords be of a minimum length and contain certain alpha-numeric content (e.g., upper-case or lower-case letters, numbers, and/or symbols). Additional password controls include time-limited password entry for users, meaning that if a user cannot input the correct password within a set period of time, the user will be locked out. Another type of password control is one that locks a user out after a predetermined number of unsuccessful logins. Password controls can provide even greater security; an organization can require password input to (among other things) download shared documents and meeting recordings.
Provider/Host Security Controls
Provider/host security controls allow a healthcare organization to lock out a videoconference or telehealth session until the host arrives. These controls also provide the option to require separate passwords for the various attendees to a videoconference: the host, the presenters (if any), and the participants. Requiring separate passwords is especially useful for meetings with a higher degree of formality, such as webinars, where the number of participants and/or presenters may be high.
Securing the Operating System
Many people who have watched a PowerPoint presentation or attended a live video conference have probably observed the presentation or video conference failing to start on time. Often, the delay can be attributed to an operating system issue. Essentially all videoconferencing systems run on an operating system, whether general-purpose, such as Windows, or mobile, such as iOS or Android. For videoconferencing, the OS must be properly configured and administrators must identify and remedy software vulnerabilities. To minimize the vulnerability of video systems to security issues, administrators should use properly configured firewalls and strong administrator credentials. Operating systems should be run with the latest versions of relevant service packs and security updates. For mobile devices, firmware should be updated to the most recent version.