Subscriber Discussion

HIPAA Compliant Cloud Video Storage?

Undisclosed Integrator #1
Aug 12, 2017

I am bidding on a marijuana retail store and we are required to record 30 days of video to a HIPAA compliant cloud server. Can anyone provide any direction for me on this?

Undisclosed Integrator #1
Aug 12, 2017

Also, can anyone define "cloud" for me in this scenario? If there is a separate building nearby that I can send a signal to via a Ubiquiti radio and record to, would that qualify as cloud?

Luis Carmona
Aug 19, 2017
Geutebruck USA • IPVMU Certified

"If there is a separate building nearby that I can send a signal to via a Ubiquiti radio and record to, would that qualify as cloud?"

Not by common Information Technology industry vernacular, so I would not try to stretch that definition.

Many people have the misconception that HIPAA has this list of technical specifications that if you just read and follow, you're compliant. It doesn't. Most of what it relies on is what someone of reasonable knowledge and experience would consider to be a reasonable effort to keep information secure. It doesn't specify protocols, it doesn't specify encryption levels or handshaking methodology.

For example: HIPAA does not specify what bit level encryption you have to use, like 56-bit, 128-bit, or 256-bit. But industry standards generally consider anything less than 128-bit encryption not acceptable. So on that basis 56-bit could be considered not HIPAA compliant.

Last time I read it, it even made allowances for considering the size of the company. For example, a hospital raking in a few hundred million a year would be expected to buy much more expensive cyber-security equipment than a small, private practice doctor's office pulling in only a couple hundred thousand a year. As long as in both cases they use reasonable care in protecting patient data.

I would recommend at the very least reading the HIPAA law and that will give you a good basis to go on. At the very least when someone tries to sell you a $2000 Cisco Catalyst switch under the premise it is HIPAA compliant, you can ask them to tell you what part of the HIPAA law says what is required in the Cisco switch versus a $200 Netgear switch.

 

Undisclosed Integrator #2
Aug 12, 2017

I found this helpful in general and have no affiliation. The Eagle Eye team may have a solution.

As for a Cloud Backup for grow and recreational marijuana, I have seen people use a nearby building and transmit to it, no HIPAA required though.

Cloud can be defined as "someone else's computer" but for this application the encryption and BAA seems a little different.

https://www.sookasa.com/resources/hipaa-compliant-cloud-storage/

 

Undisclosed #3
Aug 12, 2017

If it is a recreational marijuana retail location, how is HIPAA involved?

Sounds to me like you are being subjected to guidelines copied from medicinal marijuana dispensary requirements - that should have no bearing on recreational retail establishments.

Undisclosed Integrator #1
Aug 13, 2017

I guess retail is not the right word, this is medicinal.

Undisclosed Integrator #1
Aug 14, 2017

Monday morning bump. 

Hans Kahler
Aug 14, 2017
Eagle Eye Networks

Full disclosure, I work for Eagle Eye.

Eagle Eye would be glad to see if we can help in this situation. We have a variety of user permissions and the ability to restrict access to video. We don't have a 'HIPAA' compliance option, but many of our customers have used our system in areas where HIPAA is a concern.

I'm not an expert, but typically the main HIPAA concerns are around who can view the video, but I don't know about this specific scenario.

You can get in touch with us via the contact form on our website: https://www.eagleeyenetworks.com/company/contact/

Undisclosed Integrator #4
Aug 19, 2017

Found this link, may be helpful.

HHS.gov
