Data Security and Governance in Clinical Video Infrastructure

1. ENCRYPTION AT SOURCE

Recording applications do not store raw, unencrypted video.

Immediate encryption during capture

The recording applications for iOS, Android, Windows, macOS, and fixed camera integrations capture the camera and microphone feed and encrypt the stream at the source device.

Encryption occurs before upload to any server environment.

This design reduces exposure in the event of:

  • Device theft or loss
  • Interception during transmission
  • Unauthorized local access

Encrypted upload and deletion from device

The encrypted stream is transferred to the designated server environment. After successful upload, the local encrypted file is permanently deleted from the recording device.
 
No persistent video archive remains on smartphones, tablets, or PCs used for recording.

Personal encryption keys in practical terms

Each video is associated with a cryptographic key structure tied to user identity and role permissions within the institutional deployment. In practice:

  • The creator of the video is assigned ownership at creation.
  • Access to the video requires explicit authorization by the owner, in accordance with institutional policy.
  • Decryption for viewing occurs only for authenticated and authorized users.
  • Keys are managed within the institutional deployment, not shared across tenants.

This model supports explicit, consent-based access and aligns with the principle of data minimization and controlled disclosure.

2. DATA OWNERSHIP MODEL

Dedicated institutional deployments

Each institution operates on a dedicated system, separated from other deployments.

There is no shared multi-institutional data pool.

Institution-controlled server provider
 
The institution determines the hosting environment. Deployment can occur:
 
  • On EU-based cloud infrastructure
  • On the institution’s preferred cloud provider
  • On hospital or university on-premise servers

Wherever the server is hosted, data ownership remains with the institution.

No vendor data rights
 
The vendor does not claim ownership of recorded data and does not have rights to use, reuse, analyze, or disclose institutional video data.
 
Access by the vendor for support purposes is controlled, auditable, and governed by contractual agreements and role-based authorization.
 
Creator-level ownership and consent-based access

In many deployments, the creator of a recording retains primary ownership rights within the system.
 
Access to a video requires explicit consent or role-based authorization configured by the institution. This enables:
 
  • Controlled sharing for supervision or peer feedback
  • Restricted access in summative assessment contexts
  • Clear revocation pathways

3. SERVER LOCATION AND DEPLOYMENT FLEXIBILITY

EU hosting options

Institutions may select EU-based hosting environments to support GDPR compliance and data residency requirements.

On-premise deployment
 
The system can run on hospital or university servers. This allows integration within existing network segmentation, firewall policies, and identity management systems.

Institutional cloud provider support
 
Deployments can integrate with institutional cloud providers, enabling:
 
  • Centralized identity management (e.g., SSO)
  • Network access control policies
  • Logging and monitoring alignment with existing SIEM tools

Separation from other institutions

Each deployment is logically and operationally separated. Cross-institution data access is not possible by default.

4. RETENTION AND LIFECYCLE CONTROL

Institution-defined retention policy
The institution defines retention periods based on:
 
  • Academic year cycles
  • Assessment regulations
  • Research protocols
  • National legal requirements

Retention rules can differentiate between:

  • Formative training videos
  • Summative assessment recordings
  • Research data

Alignment with academic cycles
 
Retention can align with semester boundaries, OSCE cycles, or program milestones. This allows structured deletion after defined review or appeal periods.
 
Role-based access and revocation

Access rights follow institutional role definitions, such as:

  • Learner
  • Supervisor
  • Examiner
  • Administrator
  • Research lead

When a role changes or a user leaves the institution, access can be revoked centrally.

This supports lifecycle management and least-privilege access.

5. LEGAL DEFENSIBILITY USE CASES

Informed consent documentation

Recording informed consent discussions can strengthen documentation of:
 
  • Information disclosure
  • Patient questions
  • Voluntary agreement

This supports institutional risk management when consent processes are later challenged.

OSCE appeals and review processes
 
In structured examinations such as OSCEs, recordings provide a reviewable record. In case of appeal:

  • Examiners can conduct a second review.
  • Decisions rely on observable evidence rather than recollection.

This reduces ambiguity in high-stakes assessment contexts.
 
Research protocol compliance

For research deployments, recordings can be managed in accordance with approved research protocols, including:

  • Defined access lists
  • Ethics committee–approved retention
  • Cross-institution collaboration within controlled access boundaries

6. THREAT MODEL AWARENESS

The architecture explicitly addresses common threat scenarios.

Risk: Recording device lost or stolen.
Mitigation: Immediate encryption at source and deletion after upload. No unencrypted video is written to the device, and the encrypted file does not persist once the upload has completed.

Risk: Unauthorized user attempts to access video data.
Mitigation: Role-based access control, authentication integration, and encryption-based access restrictions.

Risk: Accidental sharing or misconfiguration.
Mitigation: The explicit consent-based sharing model and structured role definitions limit broad exposure.

Risk: Data visible across tenants.
Mitigation: Dedicated deployments and separation between institutions.

Risk: Uncontrolled vendor visibility of institutional data.
Mitigation: No vendor ownership rights; access governed contractually and technically, with auditable controls.
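As an added, self-contained example (not the vendor's code; the page does not publish its implementation), the following Go program models the mechanisms Sections 1 and 6 describe: encryption on the capture device under a per-recording AES-256-GCM data key, that key wrapped only for the creator, an upload that is verified by digest before the local encrypted copy is wiped, and owner-granted, centrally revocable access for other principals. The names EncryptAtSource, UploadThenWipe, Grant, Revoke and View, the per-principal symmetric keys, and the transport callback standing in for the network are all assumptions of this example; a real deployment would hold principal keys in the institution's identity provider or KMS. It needs only the Go standard library (Go 1.21 or later for the clear builtin).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Recording is the server-side form: ciphertext, upload digest, per-principal wrapped data keys.
type Recording struct {
	Owner       string
	Ciphertext  []byte            // nonce-prefixed AES-256-GCM output; plaintext is never stored
	Digest      [sha256.Size]byte // SHA-256 of Ciphertext, computed on the device before upload
	WrappedKeys map[string][]byte // principal -> data key sealed under that principal's key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce||AES-GCM(plaintext); unseal reverses it and rejects any tampering.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptAtSource runs on the capture device: a fresh data key encrypts the stream, that key is
// wrapped for the owner only, and the plaintext buffer and data key are zeroed before returning.
// ownerKey is a hypothetical stand-in for a key the institutional IdP or KMS would hold.
func EncryptAtSource(owner string, ownerKey, stream []byte) *Recording {
	dataKey := randomBytes(32)
	rec := &Recording{Owner: owner, Ciphertext: seal(dataKey, stream), WrappedKeys: map[string][]byte{owner: seal(ownerKey, dataKey)}}
	rec.Digest = sha256.Sum256(rec.Ciphertext)
	clear(stream)
	clear(dataKey)
	return rec
}

// UploadThenWipe sends a copy of the ciphertext through transport (the network), has the server
// recompute the digest, and only on a match zeroes and drops the local copy. On any mismatch the
// encrypted local file is kept for retry, so a bad upload cannot silently lose the recording.
func UploadThenWipe(server map[string]*Recording, id string, local *Recording, transport func([]byte) []byte) error {
	received := transport(append([]byte(nil), local.Ciphertext...))
	if sha256.Sum256(received) != local.Digest {
		return fmt.Errorf("upload of %s failed its integrity check; encrypted local copy retained", id)
	}
	server[id] = &Recording{Owner: local.Owner, Ciphertext: received, Digest: local.Digest, WrappedKeys: local.WrappedKeys}
	clear(local.Ciphertext)
	local.Ciphertext, local.WrappedKeys = nil, nil
	return nil
}

// Grant re-wraps the data key for grantee; only the owner may authorise access.
func (r *Recording) Grant(actor string, actorKey []byte, grantee string, granteeKey []byte) error {
	if actor != r.Owner {
		return fmt.Errorf("%s is not the owner and cannot grant access", actor)
	}
	dataKey, err := unseal(actorKey, r.WrappedKeys[actor])
	if err != nil {
		return err
	}
	r.WrappedKeys[grantee] = seal(granteeKey, dataKey)
	return nil
}

// Revoke (a central administrative action) deletes a principal's wrapped key; the ciphertext is then useless to them.
func (r *Recording) Revoke(principal string) { delete(r.WrappedKeys, principal) }

func (r *Recording) View(principal string, key []byte) ([]byte, error) {
	wrapped, ok := r.WrappedKeys[principal] // refuse before any decryption is attempted
	if !ok {
		return nil, fmt.Errorf("%s is not authorised for this recording", principal)
	}
	dataKey, err := unseal(key, wrapped)
	if err != nil {
		return nil, err
	}
	return unseal(dataKey, r.Ciphertext)
}
```

The digest check before deletion is the step to insist on when evaluating any "delete after upload" claim: without it, a truncated or tampered upload followed by local deletion loses the recording outright. Revocation here removes the grantee's wrapped key and does not re-encrypt the ciphertext, so a grantee who already decrypted and kept a copy is outside what key revocation can address; that is why the consent and role controls on this page matter alongside the cryptography.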

Security Questions for Your IT Team
 
Before adopting any clinical video infrastructure, your IT team should be able to answer:
 
  1. Is video encrypted at the source before transmission?
  2. Are encrypted files automatically deleted from recording devices after upload?
  3. Does the institution retain full ownership and control over stored data?
  4. Can the deployment run on our chosen cloud or on-premise infrastructure?
  5. Can we define and enforce retention periods aligned with academic or legal cycles?
  6. Are deployments separated from other institutions at both logical and operational levels?
  7. Is vendor support access restricted, logged, and auditable?
  8. Can access be revoked centrally when a user's role changes or they leave the institution?
 
Technical Security Review
 
If your IT, DPO, or compliance team would like to review the architecture, encryption model, or deployment options in detail, we invite you to schedule a technical security review call. We will provide documentation, deployment diagrams, and answer specific governance and integration questions relevant to your institution.