cameraWe are all being watched.  Cameras are everywhere today.  With the advent of dashcams, home security camera systems, CCTV in cities and businesses we are caught on camera somewhere every day.  What does that mean when you also have privacy concerns to address like, I don’t know maybe, HIPAA?

HIPAA For MSPs by David Sims Smile You Are On Camera
00:00:00 00:00:00

Adding cameras in your office is getting so much easier now.  However, easy doesn’t mean secure.  We know that around here.  I watch an ID show, See No Evil, regularly.  It shows how police are able to use all those cameras from homes and businesses to track people and see what happened to them leading up to their demise.  The sheer number of cameras they have to choose from is surprising and growing.

Cameras are great for safety and they do help you feel more secure because you can see what is going on right now as well as what happened previously.  Of course, I have cameras around my home.  In fact, they are from three different providers.  Not the topic for today but I do have a method to my madness.  If one of them is found to have major problems, I shut those down and rely on the others.  But, could I do that where patients are treated or a lot of PHI is being used in the room?  Maybe, but there must be a proper risk analysis and risk management plan in place.

What are the risks with a camera around PHI?

As we have said repeatedly, you start an SRA with identifying where all of your PHI exists.  Since we are only worried about the cameras and not your entire network, we focus on those devices and how we plan to use them.  We call these a mini-SRA.

It is important to note that one of the things considered to be PHI is a full face picture of an individual. As facial recognition grows that will become more important to remember.  There are many debates happening right now about police and TSA using facial recognition.  This isn’t a super secret tool that only law enforcement can access.  Expect that to become a thing for businesses sooner rather than later.  Yet another rabbit hole we could go down!

So, we know we have patient faces to be concerned about being on camera.  Also, computer screens and paperwork are loaded with PHI.  You need to know if they could end up on camera to be seen and saved elsewhere. Oh, and don’t forget they can also capture audio.

Now, we need to understand what PHI we will be capturing and where it will be stored.  Can you position all cameras so that they never have a patient’s face or computer screens or paperwork captured in the picture?  If you are using audio that gets even more complicated.

There is some debate about using cameras only in public areas and does that count as PHI.  Just like everything else in HIPAA, that depends.  You will need to explain why you think that is the case.  You should also put some notices up that video surveillance in place.

If you are only interested in monitoring staff actions, it may be easier to place cameras away from patients completely.  But, make sure the audio isn’t captured.  Also, what can the camera see on the computer screens and paperwork on a desk?

Of course, just adding the devices to your network requires you to evaluate all the ways they could create an opening for attack or malware to spread on your network.  Even though you may not have PHI plans for the devices they are connecting to your network.  You should always do a mini-SRA for any device connecting to your network just like we are doing this.

What kinds of risk management plan do you need for a camera?

Now that you have identified all the ways PHI may end up on your camera, you either document how you are going to prevent it from happening or protect it when captured. Either way, you have to make sure the devices connecting to your network do not open you up to attack or malware as part of your plan.  That is what risk management is all about.

If you are storing or recording PHI, you must define clearly how that data will be protected from improper disclosures just like any other data.  That includes live data as well as the recorded data.  Those decisions must follow the same process you go through with any other PHI.

When it comes to the technical security of a security camera things get a bit more tricky than you would expect.  For example, if you hire a security company to install the security camera they do not always worry about network security just the things the camera can see.  Ironic, we know.  However, they are not always familiar with network security and just connect the camera system to the network and go with it.  If you have had that done, back up and make sure your IT folks understand how those cameras have been set up.

Another issue that often gets skipped is keeping the camera system up to date on firmware and other software updates.  In order to function like they do all of those devices have software built into them.  They have to be updated regularly just like anything else you plug into your network.

What about access to the cameras internally and externally?  How and where do you get to the images?  Your connection must be secure and access to the information and the devices themselves must be secured properly.  David just played with Shodan this morning while I was writing this.  He visited people sleeping, living rooms, businesses and much more in just a few minutes.  These cameras were live on the internet for anyone to look at if they wanted.

It is very important to make sure these systems are properly secured.  Just a couple of years ago malware that targeted IoT devices picked up a bunch of security cameras and infected them.  The criminals scan the internet for devices they can find that have default usernames and passwords.  Then, they load the Mirai software on them. Now, the devices become part of a botnet.  They used the botnet to attack networks with a DDoS attack.  They told all of those devices, about 100,000 of them, to send requests over and over to a specific internet server.  When that happened the server was overwhelmed and it just shut down.  That server happened to be very important on offering services to a big chunk of the internet.

That case involved some guys who sold services to fix and prevent DDoS attacks.  They were attacking companies with Mirai. Then they would be hired to fix it as if some other criminals were actually attacking the company.  They did get caught when they went big with the 100k attack on the main Dyn server.  They were all from the US, BTW.

As with all other tech, make sure you understand clearly what you are agreeing to with these devices on their privacy practices.  Especially, if you plan to put in some of the consumer designed devices.  We’re not saying you can’t use them but you need to understand how they work and what they open your office up from a security standpoint.  It would be very bad if you added security cameras for securing your office and THOSE devices were the ones that caused a security breach.

You should make certain that someone has covered exactly how to secure and maintain those devices.  You also want to add them to your regular reviews or audits to make sure the security controls in place are still active and adequate.

Well, there you have it.  At least two things we taught you today.  How to handle using security cameras in your office and how to do a mini-SRA.