In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada representative said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this potential issue.”
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.
I have always remained a vocal proponent for pushing through “security by design principles”. I have intentionally highlighted these aspects because as medical practitioners, we need to be alive to the spectre of the providing default accounts. The audits need to include the network diagrams and define ways and means to separate the critical billing/health records from the other functional units in the system. These are serious issues and if the hospital in question had “HIPAA compliant” video feeds, they should understand the scope of problem. It was terribly easy for the “hackers” to get to the root access.
I think this comes as a wake up call for all of us.