Ontario’s Information and Privacy Commissioner has released a five-point security checklist for wireless video surveillance systems, following a freak drive-by interception of a wireless transmission at a health clinic that showed a patient providing a urine sample.
Ann Cavoukian’s office has also made available a fact sheet on the Commissioner’s official Web site to further increase awareness among health-care providers about wireless video surveillance.
Cavoukian last week issued a Health Order to a methadone clinic in Sudbury, Ont., after her office was notified by a CBC reporter that someone with a backup camera in their car had noticed an image of a patient urinating in a washroom. The driver was reversing their car in the clinic’s parking lot at the time, says Cavoukian.
“Before they called me, the CBC obtained a private investigator and in an attempt to replicate the same experience, got a car with a backup camera, went to the same place – they backed up and saw virtually exactly the same scene,” she explains.
Cavoukian adds that the reporter and investigator waited a few minutes and saw a woman exit the building who resembled the woman they had seen on their monitor, whom they then approached and told her what they had just seen.
The patient told them she had given her consent to have supervised urine samples taken for drug screening purposes as part of the methadone treatment, says Cavoukian.
“Obviously she didn’t expect the image to be conveyed other than to the nurse’s station; so they called us, we investigated, and we contacted the clinic and discovered they were using a wireless camera.”
Cavoukian says the hitch with unsecured wireless communications is that the signals can be picked up not only by the monitor in the nurse’s station (where they’re supposed to be seen), but also by other monitors in the area.
“That’s the problem in this particular case: they’re using wireless technology that is absent encryption; it can be sent through the airwaves for anyone to pick up in the vicinity of that wireless camera,” she says.
In a society that is increasingly becoming Web-savvy, with the popularity of sites such as Facebook, MySpace and YouTube, the possibility of these images not only being intercepted but also distributed online is a very real threat, concedes Cavoukian.
“There are people called war-drivers…people who drive around neighbourhoods trying to intercept wireless signals,” explains Cavoukian. “And then if they have a DVR or a VCR plugged in their monitor, they can tape [the images] and transmit them on the Internet…so it could have very serious consequences.”
However, Cavoukian is quick to point out that in this particular incident, action was immediately taken to shut down the service the clinic was using. “To their credit, as soon as we contacted the clinic and said, ‘Shut it down; call your service provider,’ they immediately did. The next day they switched to a wired camera, which is much more secure.”
“Now that this order has been issued, we’re providing the guidance necessary and alerting health-care providers to this situation; so it will no longer be acceptable,” says Cavoukian.
“From this point on, the standard is if you want to use wireless communication technology, you must have it strongly encrypted, and you must review your policies and practices relating to that encryption on a regular basis because wireless is such that you can’t just encrypt it and forget about it forever.”
Requirements for wireless video surveillance systems as advised by the IPC:
– Even when explicit consent is obtained from patients, special precautions must be taken to protect the privacy of video images.
– Clearly visible signs should be posted, ensuring that patients are aware of the existence of video cameras.Where video cameras are used in private areas, such as washrooms, there should be a very visible indicator that the camera is in use.
– Staff should receive special technical training on the privacy and security issues involved with the use of video surveillance equipment, and the sensitivity required in such settings.
– Security and privacy audits should be conducted on an annual basis.
Entire fact sheet: Wireless Communications Technologies: Video Surveillance Systems