2 Ways to Create HIPAA-Compliant Video Streaming

Telemedicine has seen gigantic growth over the past year. Spurred by the need to prevent the spread of COVID-19, many medical consultations moved online to prevent in-person contact. Doctors and patients turned to virtual visits as a safe and convenient alternative to continuing medical care while limiting the spread of the virus.

Though the pandemic forced the widespread adoption of telehealth, it is likely to persist into the future and continues to be an important health-care service. The expansion of telehealth has shown how useful e-visits can be for routine check-ups and could have the potential to increase access to health care. In fact, a recent study conducted by the American Medical Association concluded that 24% of health-care office visits and outpatient volume could be delivered virtually and an additional 9% delivered “near virtually.”

Patients, and the overwhelmed parents of young patients, have appreciated the convenience of not having to travel to a doctor’s office. Additionally, telemedicine expands access for rural areas far from physical medical services and improves care for residents of long-term care facilities. Benefits of these kinds help doctors and patients as well as medical organizations in general.

It’s not just patients and doctors who are embracing telehealth. Medical providers are increasingly seeing the advantages as well. In fact, 57% of providers view telehealth more favorably than before COVID-19. According to WebMD, the Wall Street Journal recently reported that the global market is projected to grow from $25.4 billion this year to $55.6 billion by 2025. That kind of growth is certainly a substantial market indicator.

One of the most important components of telemedicine is ensuring that all sensitive medical information remains secure. HIPAA sets national standards for the protection of “individually identifiable health information,” which includes information about a patient’s mental or physical health, medical treatments, or payment history. The HIPAA Privacy Rule governs how that information may be used and disclosed, and the HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI). A video call between a doctor and a patient, and any recording of it, is ePHI, so both rules apply to a telehealth application.

Health providers continue to shift their recordkeeping and patient messaging to an online model, so HIPAA compliance has expanded to the digital realm as well. As such, your telehealth application and the network it runs on need to meet that standard. Additionally, you may need to comply with state privacy laws that are even more stringent. Two technical aspects do most of the work of keeping confidential data safe: where the data is hosted and how it is transported.

Note: The features highlighted below concern only technical safeguards that can be configured with Red5 Pro. They are not a substitute for due diligence when it comes to making sure that your telehealth application and network are conducting HIPAA-compliant video streaming.

Improve Data Security Through Encryption

Encryption is the keystone of a secure system. As we have covered in a previous post, WebRTC is the best streaming protocol to use for browser-based applications. WebRTC provides real-time latency of under 500 milliseconds, which is essential for real-time interactivity. Moreover, WebRTC makes encryption mandatory rather than optional: media is always carried over SRTP with keys negotiated by DTLS, and there is no unencrypted mode a browser will negotiate.

Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting plaintext to ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random. WebRTC uses both kinds of cryptographic key. During the DTLS handshake each peer presents a certificate with a public key and proves possession of the matching private key; the handshake then produces symmetric session keys that both sides share. Those symmetric keys, not the public/private pair, are what actually encrypt and decrypt the audio and video packets, because symmetric ciphers are fast enough for real-time media. Good ciphertext must look random to anyone without the key, yet decrypt deterministically for the recipient who holds it.

WebRTC performs the encryption in the browser; no additional configuration is required. Further enhancing security, WebRTC does not require any plug-ins, which eliminates the concern of third-party software and potential side effects such as data tracking or malware. In general, plug-in connections pose a security risk because they run native code outside the browser’s sandbox and could be exploited.

The cipher WebRTC uses for media is AES (Advanced Encryption Standard), the same algorithm used by banks and governments. WebRTC carries audio and video over SRTP (Secure Real-time Transport Protocol), which by default protects each packet with AES-128 in counter mode and an HMAC-SHA1 authentication tag, and can also negotiate AES-GCM suites. The data channel does not use SRTP; it runs SCTP directly inside the DTLS session, so it is encrypted by the same handshake. One caveat a practitioner should keep in mind: AES and SRTP protect the bytes on the wire, but they do not authenticate devices or authorize users. Deciding who may join a session and who may publish or subscribe to a stream is still the application’s job, and HIPAA’s access-control requirements are met at that layer, not by the cipher.

In order to decrypt the data so that it can be correctly interpreted, both sides must first agree on keys. WebRTC negotiates them with DTLS (Datagram Transport Layer Security), the IETF’s version of TLS adapted to run over UDP (User Datagram Protocol), which is the transport WebRTC normally uses for media after ICE connectivity checks. Where UDP is blocked, WebRTC can fall back to TCP (ICE-TCP or a TURN relay over TCP/TLS); DTLS then runs over that path instead. The keys derived from the DTLS handshake are exported into SRTP (this combination is called DTLS-SRTP), and the whole exchange happens automatically when a WebRTC stream is set up. The one piece the application is responsible for is the signaling channel: each peer’s SDP carries a fingerprint of its DTLS certificate, and the browser checks the certificate it sees in the handshake against that fingerprint. If an attacker can tamper with the SDP in transit, they can substitute their own fingerprint, so signaling must itself travel over an authenticated, encrypted channel such as HTTPS or WSS.
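The two checks described above, as an added example that is not Red5 Pro or browser code: before handing a remote SDP to setRemoteDescription(), confirm that every media section negotiates an encrypted profile and that the DTLS fingerprint matches the value the application received over its trusted signaling channel; after the session is up, read the transport entry of getStats() to confirm DTLS is connected and which SRTP cipher suite was negotiated. The SDP, fingerprint, and stats entries below are constructed sample data, and the function names are this example’s own.

```javascript
// Added example: validate a remote WebRTC SDP and summarise DTLS/SRTP state.
// All sample data below is constructed; nothing here is captured from a live call.

// Transport profiles WebRTC is permitted to negotiate (media: SRTP over DTLS
// keys; data channel: SCTP inside DTLS). Anything else is unencrypted.
const ENCRYPTED_MEDIA_PROFILES = new Set([
  'UDP/TLS/RTP/SAVPF', 'TCP/DTLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP', 'TCP/DTLS/RTP/SAVP',
]);
const ENCRYPTED_DATA_PROFILES = new Set(['UDP/DTLS/SCTP', 'TCP/DTLS/SCTP', 'DTLS/SCTP']);

// Return every a=fingerprint attribute (session level and per media section).
function parseFingerprints(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)\s*$/.exec(line);
    if (m) out.push({ hashFunction: m[1].toLowerCase(), value: m[2].toUpperCase() });
  }
  return out;
}

// Return each m= line as {kind, protocol}, e.g. {kind:'audio', protocol:'UDP/TLS/RTP/SAVPF'}.
function parseMediaLines(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^m=(\S+)\s+\d+\s+(\S+)/.exec(line);
    if (m) out.push({ kind: m[1], protocol: m[2] });
  }
  return out;
}

// Validate a remote description. expectedFingerprint is the sha-256 fingerprint
// obtained over a channel the application trusts (an authenticated HTTPS/WSS
// signaling response). Returns {ok, problems}; call before setRemoteDescription().
function validateRemoteSdp(sdp, expectedFingerprint) {
  const problems = [];
  for (const { kind, protocol } of parseMediaLines(sdp)) {
    const allowed = kind === 'application' ? ENCRYPTED_DATA_PROFILES : ENCRYPTED_MEDIA_PROFILES;
    if (!allowed.has(protocol)) problems.push(`${kind} section uses unencrypted profile ${protocol}`);
  }
  const fps = parseFingerprints(sdp);
  if (fps.length === 0) {
    problems.push('no DTLS fingerprint in SDP');
  } else {
    const want = expectedFingerprint.toUpperCase();
    for (const fp of fps) {
      if (fp.hashFunction !== 'sha-256') problems.push(`weak fingerprint hash ${fp.hashFunction}`);
      else if (fp.value !== want) problems.push('DTLS fingerprint does not match trusted value');
    }
  }
  return { ok: problems.length === 0, problems };
}

// Summarise the transport entry of a getStats() report. Accepts any iterable of
// stats objects; in a browser pass (await pc.getStats()).values().
function transportSecurity(statsEntries) {
  for (const s of statsEntries) {
    if (s.type !== 'transport') continue;
    return {
      dtlsConnected: s.dtlsState === 'connected',
      dtlsCipher: s.dtlsCipher || null,
      srtpCipher: s.srtpCipher || null,
    };
  }
  return { dtlsConnected: false, dtlsCipher: null, srtpCipher: null };
}

// ---- constructed sample data ----
const SAMPLE_FINGERPRINT =
  'D4:1F:A8:3C:7E:90:25:B6:0C:F3:62:8A:E1:5B:47:9D:13:C8:6F:A0:2E:B5:71:4C:D9:08:E6:3A:97:5F:1B:C2';

const SAMPLE_SDP = [
  'v=0', 'o=- 1234567890 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'a=group:BUNDLE 0 1 2',
  `a=fingerprint:sha-256 ${SAMPLE_FINGERPRINT}`,
  'a=setup:actpass',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=mid:0',
  'm=video 9 UDP/TLS/RTP/SAVPF 96', 'a=mid:1',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel', 'a=mid:2',
].join('\r\n');

// What a tampering signaling server might send: audio downgraded to plain RTP
// and the attacker's own certificate fingerprint substituted.
const TAMPERED_SDP = SAMPLE_SDP
  .replace('m=audio 9 UDP/TLS/RTP/SAVPF', 'm=audio 9 RTP/AVP')
  .replace(SAMPLE_FINGERPRINT, SAMPLE_FINGERPRINT.replace('D4', 'FF'));

const SAMPLE_STATS = [
  { type: 'candidate-pair', id: 'CP1', state: 'succeeded' },
  { type: 'transport', id: 'T1', dtlsState: 'connected',
    dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    srtpCipher: 'AES_CM_128_HMAC_SHA1_80', selectedCandidatePairId: 'CP1' },
];

console.log('genuine SDP:', JSON.stringify(validateRemoteSdp(SAMPLE_SDP, SAMPLE_FINGERPRINT)));
console.log('tampered SDP:', JSON.stringify(validateRemoteSdp(TAMPERED_SDP, SAMPLE_FINGERPRINT)));
console.log('transport:', JSON.stringify(transportSecurity(SAMPLE_STATS)));
```

The fingerprint comparison only adds value if the expected value really did arrive by a path the attacker cannot control; in practice that means the signaling server itself is the trust anchor, which is exactly why it must be reachable only over TLS and must authenticate the parties before relaying their SDP.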

Furthermore, because DTLS-SRTP is part of the WebRTC standard rather than a vendor add-on, the same security architecture applies regardless of your hosting provider. The ability to support cross-cloud solutions increases flexibility, and it lets you offer identical security properties in different regions. More details on the security features of WebRTC can be found on the Red5 blog.

Self-Hosting Your Telehealth Application

The most direct way to control data security is to host your telemedicine app on your own servers. Having root control over the back-end infrastructure allows you to fully customize the security of your telemedicine application. This includes the implementation of features like custom authentication, AI processing, and watermarking of video images.

Most importantly, it keeps the stream out of anyone else’s hands, which is a top priority for security. Self-hosted streaming ensures that sensitive data stays entirely within your network. Using a platform-as-a-service (PaaS) hosting provider is certainly easy, but it means that at some point patient data will be on their servers. The reason is that WebRTC encryption is hop-by-hop: a scalable WebRTC application routes media through a server, and that server terminates the DTLS-SRTP session from the publisher, handles the media in the clear, and re-encrypts it for each subscriber. Whoever operates that server therefore has access to every video you stream through it. Under HIPAA, a vendor in that position is a business associate and must sign a Business Associate Agreement (BAA) before it may touch ePHI; a provider that will not sign one cannot be used for patient video.

Another reason you might want to manage the service yourself is that you may need recordings of the sessions for the patient to review later, or for medical staff to review for compliance reasons. Such a recording is essentially part of the medical record, so it needs the same protection at rest that the live stream gets in transit: encrypted storage, access limited to the clinicians and staff who need it, an audit trail of who viewed it, and a defined retention period. You won’t want to trust third-party vendors with open access to this data.

While self-hosting is arguably the strongest choice for controlling data security, it should be noted that cloud providers such as Google Cloud and AWS will sign a BAA and designate specific services as HIPAA-eligible. Compliance on those platforms is a shared responsibility: the provider secures the underlying infrastructure, but configuring encryption, access control, logging, and the application itself correctly remains your job. These platforms are a little more convenient to use, but they also limit customization to some degree. In fact, they may not support the full range of API packages, and the accompanying features, that you are looking to integrate into your application. In that case, hosting-agnostic solutions provide the flexibility and the basic feature set you need to configure the proper security features.

Meeting the standard for HIPAA-compliant video streaming depends on encryption in transit and secure hosting. Whether self-hosting or using a specific cloud platform, safeguarding sensitive data is crucial. Patients need to know that their personal information is secure, and the legal consequences of failing to protect it are serious.

The pandemic forced the widespread adoption of telemedicine in order to maintain a degree of basic care. However, now that it has been established, the benefits to doctors, patients, and medical organizations will still be valuable in a post-pandemic world. Thus it is important to continue to expand the availability of telemedicine. A critical part of securing the future of telemedicine is making sure that sensitive data remains safe, which means setting up a secure infrastructure.

Interested in building your own telemedicine application? Reach out to us at info@red5.net or schedule a call. We’d love to show you what’s possible with Red5.