How important is your individual privacy to the big tech start-up selling video surveillance systems to places you visit? Is it important enough to get the details right? Is it important enough to protect passwords and access codes from hackers?
Camera Surveillance Vendor Might be a Business Associate
This protection was missing at one Silicon Valley company selling surveillance cameras. Verkada, Inc. failed to protect privacy and security: an international hacking collective was able to easily break in and gain access to the live feeds of 150,000 surveillance cameras Verkada supplied to hospitals, police departments, prisons, schools, and companies such as Tesla and Cloudflare, Inc., a software provider.
Some of the healthcare entities whose cameras were breached include Florida-based Halifax Health, Wadley Regional Medical Center in Texarkana, Texas, and Tempe St. Luke’s Hospital in Arizona. In one health system, hackers reported they looked through Verkada cameras focused on nine ICU beds.
A healthcare covered entity’s vendor that creates, receives, maintains or transmits protected health information (PHI) is a business associate and is required to comply with HIPAA.
Basic Cybersecurity Protection includes Password Management
The hackers gained access through a “super admin” account, which let them access the cameras of all of Verkada’s customers. The group found a username and password for an administrator account publicly exposed on the internet.
The HIPAA Security Rule requires Administrative, Physical and Technical Safeguards to protect patient privacy and security. Password protection and access requirements are among the fundamental safeguards required in any HIPAA compliance program.
As horrifying as this hacking story is, the good news is that the hackers appear not to have been motivated by money – they didn’t threaten ransomware or sell videos on the dark web. As Bloomberg News, which broke the story, first reported:
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Once Bloomberg notified Verkada of the hack, Verkada was able to disable all administrator accounts and stop unauthorized access.
The Security Rule is Easy to Follow if You Know the Steps
Covered entities that engage vendors need to know which of those vendors are business associates (do they create, receive, maintain or transmit PHI?). For each vendor that is, the covered entity must conduct due diligence to ensure the vendor understands and follows HIPAA.
Business Associates need to know and follow the rules too. Get the details right, because breaching security appears to be all too easy.