Hackers reportedly breach hospital surveillance cameras, exposing the security risks of connected devices

Hospitals have suffered waves of cyberattacks as hackers target medical IT systems looking for valuable patient data. Now, hospitals have to consider another alarming threat—security cameras.

Disturbing news broke Tuesday that a group of hackers claimed to have breached a massive trove of security camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools, Bloomberg reported.

Hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed, the publication reported. A spokesman for Halifax confirmed Wednesday that it uses Verkada cameras but added that “we believe the scope of the situation is limited,” Bloomberg reported.

The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.

For hospitals and health systems, the security camera breach raises red flags about the vulnerabilities of connected devices that are increasingly used in healthcare, said Jeff Horne, chief security officer of Ordr, a company that provides security for connected devices.

"Security is not one-dimensional, and while organizations might point to the faults in Verkada’s practices, the onus is not solely on the supplier or manufacturer—although this point can be argued at length," he said. "Organizations must look at the rapid growth of connected devices as an opportunity to start maintaining a continuous and accurate inventory, a true understanding of how those devices communicate, automate alerts based on any device or group of devices that act outside of a set baseline, and automate proper segmentation of devices as to not let lateral movement inside your network via the devices, and always make sure that admin maintenance accounts are secured properly."

Third-party vendors raise the stakes 

Third-party attacks accounted for more than a quarter of healthcare breaches over the last year, resulting in nearly 12 million healthcare records being exposed, according to cybersecurity firm Tenable.

In fact, 75 breaches were linked back to third-party vendors. The breach of a single company accounted for over 10 million records exposed and has been traced back to 61 healthcare customers.

The Tenable Security Response Team analyzed publicly available healthcare breach data from January 2020 to February 2021 and detailed the findings in a March 10 blog post.

Even if a company takes strong security measures, a third party could make that organization vulnerable by sharing data and systems, noted Rody Quinlan, Tenable’s security response manager and the report's author.

“A third-party breach is just as damaging as a direct attack, as the end result is the same: compromised data,” Quinlan told Fierce Healthcare. “Threat actors can choose to hold this personally identifiable information (PII) for ransom and extort the vendor or root company. This PII also holds monetary value and can be sold and leveraged in scams and identity theft.” 

In fact, Quinlan noted the monetary value of PII from people who have scheduled or received vaccines. Knight Ink cybersecurity researcher Alissa Knight recently called personal health information the most valuable data on the dark web and “10 times more the price of a credit card for a single PHI record.”

Healthcare data breaches can cost a company $7.13 million on average, according to IBM Security’s 2020 data breach cost report.

In its report, Tenable found 237 breaches occurred in healthcare in 2020 with 56 breaches so far in 2021 as of Feb. 28. Ransomware was a key problem and accounted for 55% of the healthcare breaches in the Tenable data.

“Unfortunately, bad actors capitalized on the critical services that healthcare facilities were offering by locking and holding their systems for ransom,” Quinlan said.

In particular, bad actors attacked healthcare organizations with a type of ransomware called Ryuk, which targets and encrypts files to make them inaccessible. Users can only recover the data if they store backups on a separate system and network, Quinlan noted.

“In the case of healthcare, this can mean a lack of access to hospital systems and patient medical records which can be life-threatening in some instances,” Quinlan said. “Ryuk leverages these scenarios to demand a ransom in return for a decryption key to restore access to affected systems.”

Of the healthcare organizations breached, 30% were healthcare systems, 19% were hospitals and 6% were mental health care facilities. In addition to the ransomware threats, 21% of the cases were due to email compromise/phishing, 7% consisted of insider threats and 3% were caused by unsecured databases.

The COVID-19 pandemic coincided with an increased security threat to healthcare organizations in 2020. Greater demand for telehealth, COVID-19 contact tracing data, medical manufacturing and medical research on a cure for COVID-19 has fueled the rise in healthcare breaches, according to Quinlan.

“The demands placed on the sector skyrocketed practically overnight, which made it a ripe target for bad actors,” Quinlan said. “This is precisely why we saw such a surge in attacks targeting hospitals and other healthcare facilities.” 

To address cybersecurity threats in healthcare, organizations should prioritize the vulnerabilities they face and patch targeted vulnerabilities, according to Quinlan. Companies should also conduct regular security checkups and provide security awareness training, he advised.

“Addressing the human vulnerability is a step in the right direction, providing security awareness training highlighting the risks of malicious email and phishing campaigns,” Quinlan said. “Business-critical vulnerabilities should also be identified, prioritized and remediated as these are likely to be key actor vectors leveraged to gain entry or compromise systems.”