Protecting patients and staff from workplace violence, theft, and other risks is a top priority in today’s healthcare environment. Surveillance cameras are one of the most effective tools for achieving this goal – but how do you know which type to use? This blog post will explore the risks associated with surveillance cameras in healthcare facilities and best practices for implementing them effectively! 

Customers often ask about best practices for surveillance cameras and HIPAA expectations in the healthcare industry, because footage that identifies a patient, or shows a patient receiving care, can constitute Protected Health Information (PHI) and is therefore subject to HIPAA. Surveillance near patient-care areas should protect the privacy of patients and bystanders while still providing security for everyone in the building. 

Installing surveillance camera systems in medical facilities helps prevent and deter theft and violent behavior. Hospitals, doctors' offices, dental practices, and pharmacies may install cameras in most areas of the facility, except those with obvious privacy issues such as bathrooms, changing areas, and any position from which a camera would capture computer screens showing patient data. That leaves entrances, exits, fire escape points, elevators, storage rooms, and corridors. Waiting rooms are also permitted: they have been the scene of security incidents before, and since they are public areas, cameras there are allowed. 

The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI, and the same safeguards apply to a camera system whose footage counts as PHI. Access to recordings and to the recorder's management interface must be limited to authenticated, individually identified users; shared logins and unchanged default passwords on recorders and cameras are a common failing. Encryption of stored data is an "addressable" safeguard under the Security Rule rather than a strict mandate, but in practice treat it as required: footage should be encrypted at rest, meaning on the recorder's disks and in any cloud storage, not only while in transit. Check with your camera system provider that encryption is actually enabled, not merely supported, and who holds the keys. 

When planning camera locations, remember that cameras must not capture anyone who is changing clothes, self-administering medication, or doing anything else that compromises their privacy. Surveillance footage should be used only for security purposes, and recording should be limited to public areas of the facility. To avoid recording patients inadvertently, keep adequate distance between cameras and patient rooms, and make sure no camera's field of view reaches into them. 

HIPAA violations can also occur when cameras are positioned so that they capture patient data displayed on computer screens. Angle cameras so that no screen falls within their field of view, and re-check after workstations or monitors are moved. Where cameras are used to monitor patients, the live view and the recordings must be accessible only to the appropriate clinical staff, not to employees walking past a monitor, and the monitors themselves should sit where passers-by cannot see them. 

The primary areas of risk when installing the cameras are: 

  • Installing the cameras in the wrong place 

  • Failure to configure and implement proper controls, policies, and procedures in compliance with regulation 

  • Failure to provide appropriate guidance and awareness training to the employees responsible for the footage 

    

Surveillance systems on the market range from consumer-level devices such as the Amazon Ring doorbell to commercial-grade systems such as those from ADT. Whichever system you choose must encrypt footage in transit and at rest, and end-to-end encryption is preferable, since then not even the vendor can view the video. Ring rolled out end-to-end encryption only in January 2021; you can visit Ring's support page to determine whether your device supports it and how to configure it. Two caveats apply in a healthcare setting. First, a cloud service that stores footage containing PHI is acting as a business associate, so a business associate agreement with the vendor is needed. Second, with true end-to-end encryption only the enrolled device can decrypt the video, so make sure your incident-response process can still retrieve and export footage when it is needed as evidence. 

To summarize: a hospital, doctor's office, dental practice, or pharmacy may install CCTV equipment anywhere except bathrooms, changing areas, and positions that capture computer screens, provided the system is operated in line with the HIPAA Privacy and Security Rules. Use individual accounts with strong authentication, and make sure the footage is encrypted, including when stored at rest. And never film patients while they change clothing, during a procedure in an operating room, or while drugs or medicines are being administered! 

 

 

Passwordless Technology – Why Should You Consider It? 

 

Passwordless authentication means that you never have to enter a password in everyday digital life. Instead you use authentication options that are harder to steal or phish, such as a fingerprint reader, face unlock, or push notifications that you can approve on almost any device, from Windows to Android and iPhone. Passwordless authentication has some significant advantages: there are no complex passwords to remember, no re-typing when a password is mistyped the first time, and, because there is no password to phish, reuse, or leak from a breached database, it is safer.  

As the corporate world becomes aware of the security risks of stolen and shared passwords, alternative authentication systems are coming under the spotlight. Several methods do not involve passwords at all: hardware tokens, or devices that verify the user's identity with a biometric such as a thumbprint. Although these methods take different approaches, all passwordless authentication methods have one thing in common: the server never holds a reusable shared secret that an attacker could steal from a database and replay against it.  

 

Passwordless authentication is the new buzzword in secure authentication and identity and access management (IAM). Passwords are the number one target for cybercriminals: according to the Verizon 2020 Data Breach Investigations Report, over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Passwordless authentication removes the deficiencies of traditional passwords and so protects IT systems more effectively.  

 

Most organizations still use traditional passwords as their central authentication method, but passwordless and multifactor authentication methods continue to evolve. For example, Trusona connects with various Active Directory solutions and lets users authenticate by scanning a QR code that is generated fresh each time the user attempts to log in, so the user never has a password at all. Another example is Yubico, whose YubiKey, a small USB key you plug into the device you want to authenticate on, implements open standards and multiple protocols, including FIDO U2F and FIDO2/WebAuthn. It does not rely on fingerprinting you or your device: the key holds a private key that never leaves the hardware and proves possession by signing a fresh challenge from the service, which is why a captured login cannot be replayed. The well-known problems with passwords should encourage companies to adopt IAM, MFA, and passwordless authentication. 

 

Industry groups are pushing for stronger authentication standards. The FIDO Alliance promises simpler, stronger authentication and advocates moving away from passwords; it develops open, scalable, interoperable technical specifications (FIDO U2F, FIDO2 and, together with the W3C, WebAuthn) for mechanisms that reduce reliance on passwords for authenticating users.  
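The challenge-signing flow that a YubiKey performs under FIDO2/WebAuthn, written out as an added example in Go. This is not code from the original post, from Yubico, or from the FIDO Alliance, and it simplifies the real protocol: the authenticator data is reduced to the relying-party ID hash, there is a single registered user, and the type names (Authenticator, RelyingParty, RunScenarios), the relying party example.com and the look-alike origin examp1e.com are assumptions for the demonstration. It shows why a signed challenge beats a password: the signature binds a fresh, single-use challenge to the origin the browser actually loaded, so an assertion obtained through a phishing page and a replay of a genuine assertion are both rejected, while the private key never leaves the authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser records about one login attempt; the
// authenticator signs its hash, tying the signature to this challenge on this origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a FIDO2 security key (hypothetical simplification):
// the private key is generated on the device and only the public key is exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// signedMessage mirrors WebAuthn's sha256(authenticatorData || clientDataHash),
// with authenticatorData reduced to just the relying-party ID hash.
func signedMessage(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	sum := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return sum[:]
}

// Assert returns the client data and an ECDSA signature over it.
func (a *Authenticator) Assert(rpID string, cd clientData) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(cd) // two plain strings: marshalling cannot fail
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, cdJSON))
	return cdJSON, sig, err
}

// RelyingParty is the server side for one registered user: it keeps the public
// key from registration and the challenges it has issued but not yet seen used.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    map[string]bool
}

// NewChallenge returns 256 bits of fresh randomness, valid for exactly one use.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than hand out a guessable challenge
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify accepts an assertion only if the challenge is outstanding, the origin is ours
// and the signature checks under the registered key; it then consumes the challenge.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("challenge unknown or already used: replay rejected")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: phishing rejected", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.ID, cdJSON), sig) {
		return errors.New("bad signature")
	}
	delete(rp.pending, cd.Challenge) // consumed: the same assertion cannot be replayed
	return nil
}

// RunScenarios plays out a legitimate login, a phishing attempt and a replay,
// returning the verifier's verdict on each (nil means accepted).
func RunScenarios() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // happens inside the key
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com",
		pub: &priv.PublicKey, pending: map[string]bool{}} // registration: public key only
	// 1. Legitimate login from the real origin.
	cd1, sig1, _ := auth.Assert(rp.ID, clientData{Challenge: rp.NewChallenge(), Origin: rp.Origin})
	legit = rp.Verify(cd1, sig1)
	// 2. Phishing: a look-alike site relays a genuine challenge to the user. The
	// browser records the origin it actually loaded, and that origin gets signed.
	cd2, sig2, _ := auth.Assert(rp.ID, clientData{Challenge: rp.NewChallenge(), Origin: "https://examp1e.com"})
	phished = rp.Verify(cd2, sig2)
	// 3. Replay: the first assertion was valid, but its challenge is already spent.
	replayed = rp.Verify(cd1, sig1)
	return legit, phished, replayed
}

func main() { fmt.Println(RunScenarios()) }
```

Running it prints nil for the legitimate login and an error for the other two. The order of the checks in Verify matters: the challenge lookup and the origin comparison run before the signature check, so a stolen signature is useless even if it is cryptographically valid, and the challenge is deleted only after a successful verification. A real browser adds a further guard the example leaves out: it refuses to let a page on examp1e.com request an assertion for the relying-party ID example.com in the first place.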

 

Passwords, two-factor authentication (2FA), and multifactor authentication (MFA), including schemes that add biometric data, are all binary, point-in-time checks: whoever presents the right factors at login is accepted, so an attacker who has captured or phished those factors passes exactly as the legitimate user would. Focusing on password complexity, as most policies still do, promotes the reuse of credentials, increases the total cost of ownership (TCO) through password resets and helpdesk calls, and does little to improve overall security.  

 

Some MFA methods are more secure than others. Legacy MFA solutions combine a stored secret, a password or PIN, with a second factor that can itself be compromised, such as a smart card, a hardware token, or a one-time code sent via SMS to the user's phone. Any code the user types in, whether it came by SMS or from a token, can be captured by a phishing page and relayed to the real service within its validity window.  

 

The security of a passwordless authentication system depends on the proof of identity that replaces the password and on how it is implemented. For example, push notifications to a device the account holder has enrolled are considered more secure than a password, though plain approve/deny prompts are vulnerable to prompt-fatigue attacks, where an attacker triggers prompts repeatedly until a tired user taps approve; number matching in the prompt mitigates this. SMS codes are considered the least secure because SMS is an insecure communication channel, and there have been many documented attacks on SMS authentication, including SIM swapping and interception through the SS7 signaling network.  

 

Passwordless technology promises to increase usability, streamline authentication, and improve security by removing the password as a vulnerability in the authentication flow.  

 

To make passwordless technically possible, the organization needs a solid identity management foundation. Microsoft is the market leader here, with an identity platform that allows interconnectivity with third-party tools that enhance the end-user authentication experience. For organizations that have not yet considered passwordless solutions, the time to look at it is now, even if you only plan to implement it later: the identity choices you make today will shape what is possible then. 

 

 

 

 

Sources: 

[0]: https://duo.com/blog/passwordless-authentication-going-beyond-the-hype-with-3-key-considerations 

[1]: https://www.avatier.com/blog/should-you-implement-passwordless-authentication/ 

[2]: https://www.securitymagazine.com/articles/92330-is-passwordless-authentication-the-future 

[4]: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918 

[5]: https://doubleoctopus.com/security-wiki/authentication/passwordless-authentication/ 

[6]: https://www.onelogin.com/learn/passwordless-authentication 

[7]: https://medium.com/keylesstech/why-you-must-go-passwordless-89da725d16da 

[8]: https://www.techradar.com/news/passwordless-authentication-what-is-it-and-why-do-it