MV in Healthcare Design Guide and FAQ
This document consolidates the most relevant technical information for using MV cameras within the healthcare industry.
If any questions are left unanswered, please contact your Cisco Meraki Sales representatives.
Privacy and Data Protection Considerations
Cisco Meraki is committed to data protection, privacy and security; the Meraki cloud-based architecture is designed from the ground up with data protection, privacy, and security in mind.
The Cisco Meraki technical architecture and its internal administrative and procedural safeguards assist customers with the design and deployment of cloud-based networking solutions. The cornerstone of Meraki’s privacy driven architecture is our out-of-band control plane. This means only network management information (not user traffic data) flows from devices to the Meraki cloud, dramatically limiting the amount of personal data that is transferred to the Meraki cloud.
For more information see Security, Reliability, & Privacy Information for Meraki Cloud Services.
Considerations for healthcare providers using MV cameras in active clinical spaces
Where is my camera footage stored?
Audio and video images recorded during remote patient observation by Meraki MV cameras are stored in an encrypted format on the local camera device’s flash memory. These recordings are accessible only to authorized users as configured in the Meraki cloud. Recordings are overwritten based on camera flash storage capacity, video quality, and retention settings. For healthcare providers only interested in active monitoring, on-camera video retention can be disabled.
When is camera footage sent through the Meraki cloud?
It is sent when an authorized Meraki Dashboard user views the footage remotely or when network segmentation blocks local communication between the camera and the administrator’s computer. When authorized users access content remotely, a small cloud icon appears in the bottom left of the Meraki Dashboard viewing pane, alerting the monitoring staff that footage is being transmitted externally through the Meraki cloud. Given that any cameras placed in an active clinical setting could reveal protected health information, a healthcare provider can choose to disable remote access to camera footage at an organizational level.
How is access to camera footage logged?
The Meraki Dashboard gives healthcare providers access to extensive video access logging. It is important on a network with cameras in every patient room or clinical users with customized permissions to have a clear auditable log of access to video through the Meraki Dashboard. This solution includes a video access log which provides information about actions related to cameras and video content directly on the Meraki Dashboard.
Can Meraki personnel access camera footage?
Due to the sensitive nature of placing cameras in patient rooms, entities benefit directly from the design functionality of the Meraki MV platform, which precludes all Meraki personnel from viewing a health provider’s camera footage, including Meraki technical support engineers and software engineers. If remote assistance or troubleshooting is required, healthcare providers must specifically authorize access to camera footage in the support case window of their Meraki Dashboard when requesting Meraki support. Access to such footage is revoked as soon as the support case is closed and logged in a customer-facing Meraki Dashboard log.
Installation, deployment, and design considerations for healthcare providers placing cameras in an active clinical setting
Which MV camera/s are best suited for remote patient observation?
Several Meraki MV cameras can observe a typical 300 - 400 square foot 28-37M2 single patient room.
Cisco recommends cameras with the highest flexibility and image quality for use in healthcare. The most flexible cameras include a tool free varifocal lens which can be adjusted at time of installation to cover the desired field of view at the highest optical resolution. These cameras include;
MV22X – Indoor varifocal camera with video resolution up to 4MP (2688x1512),
MV72X – Outdoor impact and weather resistant varifocal camera with video resolution up to 4MP (2688x1512),
MV22 – Indoor varifocal camera with video resolution up to 1080p (1920x1080), and
MV72 – Outdoor impact and weather resistant varifocal camera with video resolution up to 1080p (1920x1080)
Health providers willing to vary camera models based on room placement and role can also implement remote patient observation with smaller form factor cameras with fixed focal length lenses. These cameras include;
MV12W/MV12WE – Indoor compact dome camera suitable for single patient rooms with a wide angle fixed focal length lens with up to 1080p video resolution (with two storage options), and
MV12N – Indoor compact dome camera, suitable for remote monitoring of individual beds in shared rooms and wards with a narrow fixed focal length lens with up to 1080p video resolution.
When proposing cameras, do consider the following:
Facilities operations and bio-medical engineering teams will have the best local knowledge of patient room configurations, engage with these teams early to understand room configuration requirements for remote patient observation.
Carefully review as-built drawings to understand possible obstructions in deployment areas. For more information on conducting a site survey, please see the site survey section in our Designing Meraki MV Smart Camera Solutions documentation.
If the deployment conditions are challenging, ensure you are picking the right camera with the right mounting solution. More information on mounting options can be found in our MV Mounting Options and Guidelines documentation.
What is the best camera placement in a patient room?
To maximize the patient field of view, cameras should be placed on suspended ceilings above the footwall and adjacent patient beds. Understanding that locations might need to be selected in proximity to physical network cabling or alternately AC power, cameras can be placed on the footwall in locations which provide a field of view, but which minimize exposed cabling or room remediation.
What is the best way to mount cameras in patient rooms?
Every MV Camera includes a mount plate inside the box to be attached to a flat surface like a wall, ceiling or (for some cameras), a junction box.
Much like wall mounting, MV cameras can be mounted directly on the ceiling with the standard mount plate that comes in the box. Different MV cameras can use this mounting plate can be used in conjunction with a T-Rail mounting clip, or telescoping arms.
Health providers may need to implement customized mounting solutions based on existing room layouts and to limit in-room construction activities. Please note: the mounting plate is an important part of cooling the camera.
For complete information on physical Meraki MV Camera installation, please see the Ceiling Mounting section in our MV Mounting Options and Guidelines documentation.
How do I power cameras without ethernet cabling?
The MV cameras require a Power over Ethernet (PoE) input to turn on. If no direct ethernet cabling is available, the cameras can still be powered on using PoE converters such as the 802.3at PoE injector. After installed, follow the MV Wireless Configuration Guide to deploy cameras wirelessly.
Can MV cameras be deployed to leverage existing Wi-Fi infrastructure?
Installing new network cabling in active patient rooms is expensive and time consuming. To potentially avoid challenges related to facilities construction, infection control, and expensive room shutdowns and remediation, Meraki MV cameras provide wireless operational capabilities, but require preliminary staging to support this connectivity.
To configure wireless camera support, configure wireless settings in the Meraki Dashboard, connect the cameras to the LAN for configuration download, and then mount cameras, connected to power, within range of an access point.
In room power for wireless cameras can be provided in two different ways:
If replacing an existing analog camera, one can use the Meraki Low Voltage Power Adapter to convert low voltage (12/24V) power into Power over Ethernet for connection to Meraki MV cameras, or
The Meraki 802.3at Power over Ethernet Injector can be used in combination with existing AC power outlets.
Can MV Cameras be installed for portable use on a medical pole or cart?
Cameras can be installed on portable poles or carts provided mounting instructions are followed.
Power and connectivity can be facilitated when cameras are placed in their temporary location as follows;
Cameras can be directly connected to existing uplinked Power over Ethernet ports.
Wireless cameras can be connected directly to in-room AC outlets with the Meraki 802.3at Power over Ethernet Injector.
Wireless cameras can be connected directly to the AC outlets of a portable medical grade power supply with the Meraki 802.3af Power over Ethernet Injector.
How do health providers use continuous power with MV Cameras?
Cisco Meraki recommends that MV cameras deployed in patient rooms leverage PoE switching connected to facility based redundant or emergency power.
Wireless cameras connected to AC power which require continuous operation should leverage red designated emergency power outlets or a medical grade power supply connected to white/black house power outlets.
What are the bandwidth requirements for MV Cameras?
Cisco Meraki recommends direct streaming to support individual camera or video wall within a healthcare provider network. This limits upstream bandwidth requirements by streaming video over local network resources.
Local network bandwidth requirements can be calculated as an aggregate of configured individual camera bitrates.
Operationally, each camera requires 50kbps of upstream bandwidth to support the collection of metadata, thumbnails and configuration data.
To support export operations and cloud archiving activities each camera will require a minimum of 1Mbps of upstream bandwidth.
Healthcare customers should consider that streaming performance can be based on upstream bandwidth, the number of viewers, and the health of the hospital network.
To avoid possible issues related to camera streaming over local wired and wireless networks healthcare providers should consider other clinical networking workloads and leverage QoS to tag and queue camera traffic as either;
Broadcast Video CS5, or
Multimedia Streaming AF3
For more information on streaming video with MV cameras, please see our Video Streaming documentation.
How can a healthcare provider organize devices within their Meraki Dashboard?
The top level in a Meraki dashboard is the organization. Each organization is divided into multiple different Meraki device & camera networks.
Typically, customers divide their networks into physical network locations. In a healthcare provider setting, these networks could be deployed to identify a geographic hospital site or facility, or they could be used to identify specific nursing units.
Cameras within a network should have contextual names to simplify access for camera admins. In a healthcare setting these could be described as nursing unit name and location:
How are Meraki dashboard permissions defined?
Organization administrators have complete access to a healthcare provider’s organization, and all its networks based on permissions.
Read-only: User able to access most aspects of network and organization-wide settings, but unable to make any changes.
Full: User has full administrative access to all networks and organization-wide settings. This is the highest level of access available. This type of account is equivalent to a root or domain admin, so it is important to carefully maintain who has this level of control.
Please see our Managing Dashboard Administrators and Permissions documentation for more information on best practices regarding organization administrator accounts.
Network administrators have access to individually defined networks and their devices. These users can have complete or limited control over their network configuration, but do not have access to organization-level information (licensing, device inventory, etc). These administrators have access to specific networks based on the following permission types;
Full: User has access to view all aspects of a network and make any changes to it.
Guest ambassador: Presented with the user management portal only. These users can list Meraki authentication users, add users, update existing users, and authorize/deauthorize users on an SSID or Client VPN.
Monitor-only: User only able to view a subset of the Monitor section in Dashboard and no changes can be made.
Read-only: User able to access most aspects of a network, including the Configure section, but no changes can be made.
Camera-only: A specialized with camera-only privileges. Camera-only admins are unable to make changes to cameras as they are given read-only rights. Further specific limits to view access include;
View and export any footage,
View any footage, and
View live footage,
Access can be limited to specific cameras including;
All camera in this network,
Individual cameras, and
Cameras by tag
For further information about camera-only administrators, please see our Restricting Access to Cameras article.
What is required for a health provider to start deploying cameras?
Cisco Meraki provides a best practice design guide to support the deployment of MV cameras. While the technical installation and deployment can be performed quickly, health providers should reference this Best Practice Design Guide for Designing Meraki MV Smart Camera Solutions article to support their camera implementation.
How do we disinfect cameras?
Isopropyl alcohol can be used to disinfect cameras however harsh chemical detergents could damage optical and electronic components.
To avoid streaks or damage to the optical dome, cameras should not be cleaned with chemical wipes.
What is the recommended cleaning procedure?
While the polycarbonate camera domes have a hard UL-746C compliant coating, healthcare providers should ensure that housekeeping staff have access to several clean, soft, dust-free cloths (chamois, microfiber cloth, optical cloth).
Using one of these soft cloths, cameras should be cleaned with a light pressure using water and a mild detergent like dish soap.
Following cleaning, cameras domes should be dried with an alternate soft cloth to remove any streaks from the optical dome.
All MV cameras can be cleaned as part of a healthcare provider’s daily cleaning from a systems approach to patient rooms.
More information about cleaning MV cameras can be found in our Guidance for Cleaning/Decontaminating Cisco Meraki Hardware documentation.
What can you do to improve image quality?
Please follow the guide in our Troubleshooting MV Image Quality documentation.
What if my video walls are not loading properly?
Ensure you are following the Hardware Guidelines documentation and the bandwidth requirements.
How are motion alerts configured for use in patient rooms?
Motion alerts describe a functionality of Meraki MV cameras and have not been tested to meet the requirements of a “clinical alerting” solution.
Cisco Meraki recommends that motion alerts in clinical environments be limited to physical security use cases.
Can I configure motion alerts to be sent to through services other than email?
When required Meraki webhooks provide a powerful and lightweight way to subscribe to alerts sent from the Meraki Cloud. More information can be found in our Webhooks documentation.
How does streaming video work?
MV camera use HTTP live streaming (HLS) to deliver video from the camera to the Meraki Dashboard. When the browser is in the same local network as the camera, it will detect that automatically and initiate a direct stream. If the browser is remote, it will initiate a cloud proxy.
Please refer to the Security section for questions about secure video access.
For more information on streaming video, please see our MV Video Streaming article.
Can the MV cameras record in dark patient rooms?
Under the camera settings, you have the option of turning on night mode by enabling the IR cut filter and making the camera more sensitive in darkness. You can also turn on infrared illuminators to improve visibility.
How bright is the IR illumination?
Infrared (IR) illuminators are lights to illuminate dark scenes. The infrared range of wavelengths on the electromagnetic spectrum are invisible to the human eye but can be seen by cameras. Infrared illuminators allow cameras to see in the dark when humans cannot.
There is visible red light coming from cameras when the LEDs are turned on. If this illumination is disturbing to patients it can be disabled in the Meraki Dashboard.
Do the MV cameras record audio?
Cameras do not record audio by default. Cisco Meraki recommends that audio recording remain disabled on MV cameras deployed to active clinical spaces.
How do you disable video recording?
MV cameras are configured by default to continuously record video. Cisco Meraki recommends that a quality and retention profiles be created to disable video recording on MV cameras deployed to active clinical spaces. By default, MV cameras will record 24/7 until their storage capacity is reached. However, on an individual camera, you can set a recording schedule with no hours selected. You can also create a quality and retention profile and apply this configuration on all relevant cameras.
For more on MV video retention, please see our Video Retention documentation.
How do you prevent remote camera viewing?
By default, authorized users can access Meraki MV cameras from anywhere at any time through the secure cloud proxy. Cisco Meraki recommends healthcare providers disable cloud proxy functionality by restricting upstream access to port 30001 to deny cloud proxy streaming.
At the Meraki Dashboard Organizational level, healthcare providers can block access to from specific public IP addresses, private IP addresses cannot be used to block access.
How do health providers grant live video access without a Meraki Dashboard login?
By default, only authorized Meraki Dashboard users can view live video. Cisco Meraki recommends that access to cameras deployed in an active clinical setting be controlled by an Enterprise Single Sign On (SSO) solution or a valid Meraki Dashboard login.
The capability provided by email links enabling authorized Meraki Dashboard admins to share an external live video streams come with the following considerations:
This technical capability allows authorized users with live and historical camera viewing privileges to share a link to live video streams externally to any email address. This action is logged with the action “External stream link generated”.
These temporary links provide external access to live streaming video for anyone with the link.
These links do not limit the number of external participants viewing the live video stream.
These links provide unauthenticated access and do not confirm the identity of remote viewers.
These links contain no warnings and do not require any acceptance of terms and conditions prior to access.
These links can be easily be forwarded to others over email, messaging, and social media.
In addition to possible images of patients, the streams provided by these links include the following information:
Meraki Dashboard Organization Name,
Provisioned Meraki Network Name,
Meraki MV Camera Name, and the
Physically Installed address of the camera
Access for these live links is logged by original email and IP address as “External stream link viewed”.
To revoke access the links must be manually removed prior to automatic expiration after 24 hours.
How do health providers revoke access to cameras and live video streams?
By default, only authorized Meraki Dashboard users can view live video. Cisco Meraki recommends clinicians and staff use supported enterprise single sign on solutions to authenticate users and log access to the Meraki Dashboard. When policies require it, access should be revoked from the SSO solution as part of a healthcare providers standard operational procedures.
In cases where user logins are required to be stored as Meraki Dashboard users, access can be quickly restricted by forcing a logout and removing the dashboard account.
In the event that external live video access has been configured, it can be quickly revoked using the external live stream sharing feature. For more information on sharing video, please see our Sharing Video documentation.
How do I export video for use with third party media management systems?
Cisco Meraki recommends that a quality and retention profile be created to disable video recording on MV cameras deployed to active clinical spaces.
If video recording is configured, Cisco Meraki recommends that health providers manage exported archival video footage based on organizational content management policies. You can create an export of the video outlined under the Export Video section in our Sharing Video documentation.
When archival footage is accessed through the Meraki Dashboard, access is logged and restricted to authorized users. Once exported and downloaded by a health provider, video footage is no longer controlled by the Meraki Dashboard. While it is possible to validate that footage remains unaltered following export, this footage is no longer encrypted, and access is no longer logged.
Please note that these exports are stored for a year in the Meraki cloud ecosystem once footage is exported from the camera for download.
Is there a log of who views footage on any camera?
Yes, check the Video access log.
Can MV cameras integrate with existing video viewing software?
Video viewing software which supports external RTSP can be integrated with MV camera footage. To enable this feature, please refer to the External RSTP documentation.
Can MV cameras be viewed by third party media players such as an Apple TV to easily display on a standard dedicated display?
This capability is provided through external RTSP. Please refer to the External RSTP article for more information.
How is video secured on MV cameras?
Everything is encrypted by default. We encrypt video at rest and in transit, for both direct streaming and cloud proxy streaming. In addition to restricting access to specific cameras, you can also check who’s viewing what using the Video access log.
Each camera utilizes a unique URL to stream video via an encrypted tunnel to users. For streaming video, we utilize SHA256 hash, RSA2048, secp384r1 key parameters, diffie hellman 2048 key exchange, and AES 128 cipher. At rest, we use AES256 for encryption. To obtain this URL, users must authenticate to Dashboard and view either a video wall or individual camera page. The user would then attempt to establish an SSL/TLS session with the camera and request video utilizing the URL Dashboard provided. This unique URL is created on first time initialization of the camera and when the camera is moved between networks and organizations.
It is recommended to follow network security best practices upstream of the cameras. For an additional layer of security, you can also apply firewall rules that limit the devices that can interact with the cameras.
For general Meraki Security, please reference https://meraki.cisco.com/trust.