Keeping video surveillance networks secure can be a daunting task, but there are several methods that hospital IT and security managers as well as integrators working with medical facilities can use to greatly reduce the risk of an attack.
Below are eight tips medical facilities can follow in order to keep their IP video surveillance network secure.
Increase protection with more, stronger passwords
Strong passwords are the most basic security measure, but are unfortunately ignored by many users. Many surveillance systems are deployed in the field with default passwords on equipment, including cameras, switches, recorders, and more. Leaving defaults in place makes it easier for tech teams to access cameras; it also makes it easier for unauthorized parties to log into a camera or security network.
At the very least, all surveillance network devices should have unique passwords documented in a secure location. This prevents access to the network using simple password guessing and requires a more skilled attacker with more complex methods. Passwords should be unique per device. Having a single password for all devices invites a nightmare if that one password is lost.
If you are concerned about keeping track of every password, you can use a password manager such as LastPass, Dashlane, or LogMeOnce to store all of your passwords. Password managers can protect the repository of passwords with a strong password and two-factor authentication, while maintaining complex passwords that are unique to each device. These password managers offer very strong security, although it is not perfect.
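As an added example (not part of the original article), the following Python audits a device credential inventory for the two problems described above: default passwords left in place and one password shared across several devices. The CSV layout, device names, sample passwords, default list, and minimum length are all constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample: an export of device credentials (hypothetical layout).
SAMPLE_INVENTORY = """device,type,password
cam-er-01,camera,admin
cam-er-02,camera,Xk7#pLw2!vRq9zTd
nvr-01,recorder,Hq4$mNc8@bYs1eFu
sw-closet-3,switch,Hq4$mNc8@bYs1eFu
cam-lobby-01,camera,T9&jUe3*oPa6sGhW
"""

# Constructed, deliberately short list of factory-style defaults (assumption).
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", ""}
MIN_LENGTH = 12  # assumed policy threshold, not taken from the article


def audit_inventory(csv_text):
    """Return {device: [findings]} for devices that violate the policy."""
    findings = defaultdict(list)
    by_digest = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        device, password = row["device"], row["password"]
        if password.lower() in KNOWN_DEFAULTS:
            findings[device].append("default password")
        elif len(password) < MIN_LENGTH:
            findings[device].append("shorter than %d characters" % MIN_LENGTH)
        # Group by digest so the report never has to echo a password.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(device)
    for devices in by_digest.values():
        if len(devices) > 1:  # the same password protects several devices
            for device in devices:
                others = [d for d in devices if d != device]
                findings[device].append("shared with " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for device, issues in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(device, "->", "; ".join(issues))
```
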
Maintain regular backups
No matter how good your security practices are, it is almost inevitable that you will get hacked. Having timely, complete backups will ensure that any outage is minimal.
Malware such as ransomware is on the rise. Ransomware encrypts the files on your system and then asks for payment before a key is sent to unlock the data. If you have regular backups, you can tell the ransomware hackers where to go. Without backups you may have to pay up.
Control physical access to servers and switches
Control physical access to the most vulnerable areas of a network - rooms, closets, or racks where surveillance servers and switches are mounted. If doors cannot be secured, at least restrict access to individual rack cages and switch enclosures.
Many facilities employ electronic access control to server or network equipment rooms. However, even without electronic access control, mechanical keys and locks can do a good job of protecting sensitive areas.
Prevent unauthorized remote access with firewalls
Many surveillance systems are purposefully not connected to the Internet; instead they are connected to a separate local area network (LAN). This reduces risk but may make service more difficult as updates to software and firmware — otherwise downloaded — must be loaded over USB or other means.
Systems that are connected to the Internet are typically behind a firewall, which limits inbound/outbound traffic to specific IP addresses and ports that have been authorized. Properly implemented, this strategy may prevent the vast majority of attacks.
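As an added example (not part of the original article), the following Python applies the default-deny allowlist idea described above to a set of flow records and reports every connection that no authorized rule covers. The addresses, ports, rule set, and log format are constructed assumptions.

```python
import ipaddress

# Constructed allowlist: (source network, destination network, protocol, port).
# Addresses use private and documentation ranges and are assumptions.
ALLOW_RULES = [
    ("10.20.0.0/24", "10.20.1.10/32", "tcp", 554),   # cameras -> recorder (RTSP)
    ("10.20.2.0/28", "10.20.1.10/32", "tcp", 443),   # viewing stations -> recorder
    ("10.20.1.10/32", "192.0.2.50/32", "udp", 123),  # recorder -> time server
]

# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.20.0.17 10.20.1.10 tcp 554
10.20.2.5 10.20.1.10 tcp 443
10.20.0.17 203.0.113.9 tcp 443
198.51.100.4 10.20.0.17 tcp 23
10.20.1.10 192.0.2.50 udp 123
"""


def is_allowed(src, dst, proto, port, rules=ALLOW_RULES):
    """Default deny: a flow passes only if one rule matches every field."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_proto, rule_port in rules:
        if (src_ip in ipaddress.ip_network(rule_src)
                and dst_ip in ipaddress.ip_network(rule_dst)
                and proto == rule_proto and port == rule_port):
            return True
    return False


def unauthorized_flows(log_text):
    """Return the flows in log_text that no allowlist rule covers."""
    denied = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip blank or malformed records
        src, dst, proto, port = fields[0], fields[1], fields[2].lower(), int(fields[3])
        if not is_allowed(src, dst, proto, port):
            denied.append((src, dst, proto, port))
    return denied


if __name__ == "__main__":
    for flow in unauthorized_flows(SAMPLE_FLOWS):
        print("not authorized:", flow)
```
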
Disable unused services
Unnecessary services on viewing workstations and servers should be turned off. These may include manufacturer-specific update utilities, Microsoft update services, web services, etc. These unneeded services may act as a backdoor for hackers or viruses, consume additional processor and memory, and increase startup time. They should be disabled or set to operate only when manually started.
Operating system and firmware updates
Operating system and firmware updates are a matter of some debate, with some users installing every available update while others are wary that these updates may break VMS software or camera integrations.
However, these updates often include patches to newly discovered security vulnerabilities, such as the Heartbleed Secure Sockets Layer (SSL) vulnerability, which affected millions of computers worldwide. Patches for these significant issues should be installed.
Other, more routine, updates may be optional. Users especially concerned about compatibility issues should contact their camera/recorder/VMS manufacturers to see their recommendations for applying updates.
Improve security with VLANs and QoS
Virtual LANs (VLANs) improve security by segmenting traffic into multiple virtual networks. IP-based surveillance equipment and general office LAN traffic may exist on the same physical switch, but the VLANs ensure the networks are invisible to and unreachable from each other.
Note that when using VLANs, bandwidth constraints may exist. Because of this, VLANs are often deployed in conjunction with Quality of Service (QoS), which prioritizes network traffic so video quality is not impacted.
Create and enforce a security policy
All the steps above are even more effective when documented as part of a written and strictly enforced security policy. Users should always have a security policy in place that is taught and can be accessed by all employees. If a hospital does not have a security policy in place, an integrator may choose to create one as part of their documentation. Integrators would then require it to be followed in order for the warranty to be enforced and to limit liability in case of a breach.
By following a good security policy you can avoid the high costs of network hacking. The most effective tool is employee awareness and adherence to good network “hygiene”: never load files or applications from unknown sources, question anyone who asks for personal information or passwords, and think twice before clicking a link or downloading a file.
About Bob Ehlers
Bob Ehlers is RGB Spectrum’s vice president of business development. In his role, Ehlers is responsible for exploring new partnerships and strengthening RGB Spectrum’s presence in the marketplace. He previously served as RGB Spectrum’s vice president of marketing.
Prior to joining RGB Spectrum, Ehlers was founder and CEO of HauteSpot Networks Corporation, a leading developer of wireless solutions for IP video surveillance. He was instrumental in the development of innovative wireless routing products and patented several protocols for mesh and mobile networking devices. Prior to founding HauteSpot, he held various marketing and product line management positions with companies including Intel, Performance Technologies and Ziatech.
About RGB Spectrum
Founded in 1987, RGB Spectrum provides innovative solutions for the display, recording, and distribution of audio and video content. RGB Spectrum's products are preferred by major, global organizations in corporate, security, medical, educational, government and defense/aerospace markets.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.