Visual privacy vulnerabilities provide entry points to sensitive data in healthcare organizations
Information security attacks are increasing both in their frequency and their cost to businesses, according to "Visual Privacy Advisory Council" from PwC.
In response, information-security spending is reaching new heights. According to Gartner, global organizations are expected to spend just shy of $77 billion on information security in 2015, up more than 8 percent from 2014. The firm reports that the growing use of mobile, cloud, social and information will drive the use of new security technologies and services.1
As organizations seek to give both employees and customers greater access to sensitive information through mobile devices, kiosks and other technologies, they must take care to visually secure and help protect that information from what is known as visual hacking.
Visual hacking is the viewing or capturing of sensitive, confidential or private information for unauthorized use. Also known as shoulder surfing or visual eavesdropping, visual hacking is generally considered a low-tech threat that exploits the lapses in organizations' visual privacy security.
It can be as simple as a visual hacker seeing an employee's network log-in information taped to a computer monitor. By simply memorizing that information, the hacker now has access to the organization's network and everything on it – financial records, intellectual property, sensitive customer details, etc.
Healthcare
Protecting personal and private information is more than a good practice. Healthcare organizations that lack visual privacy safeguards could find themselves in violation of industry regulations.
The Health Insurance Portability and Accountability Act (HIPAA) limits where protected health information (PHI) can be used or disclosed. It requires physical safeguards to protect the information against unauthorized intrusion.2 Examples of these safeguards include facility access controls, such as locks and alarms, and workstation security measures, such as computer monitor privacy filters.3
The more recently introduced HITECH Act includes additional provisions to increase the use of technology in managing healthcare information. Healthcare organizations can be penalized up to $1.5 million under the act for repeating the same violation multiple times in a single calendar year.4
Hospitals and clinics are ripe settings for visual hackers, particularly as doctors and hospital staff seek to improve the patient experience through easier, more convenient access to medical, insurance and billing information. A strong visual security system can be realized using three key elements: assessment, policy and technology.
Adapt and Evolve
Step 1: Assessment
Security threats can't be effectively managed unless they're properly understood. Identify opportunities where unauthorized individuals can view sensitive information.
Step 2: Policy
Security policies and procedures should incorporate visual privacy protections. Place visual privacy warning labels on equipment such as printers, copiers and fax machines. Office, workstation and technology layouts should be designed with visual privacy in mind. Computers should be password protected and shut down when not in use.
Once policies and procedures are in place, reinforce them through training, communications and unscheduled audits.
Step 3: Technology
A host of technologies are available to support visual privacy security both inside and outside an organization's walls. Physical privacy filters are available for computer monitors, laptop screens and mobile devices. These filters are fitted directly over the screen and black out the view for anyone attempting to look at the screen from an angle. User-access technology on printers, copiers and fax machines requires employees to enter a passcode before they can retrieve, copy or send files. Document shredders should be placed near printers, copiers and fax machines, as well as by employees who frequently handle documents with sensitive information.
Even with robust visual privacy policies and safeguards in place, security programs should always strive to stay ahead of the threats. One of the best ways to do that is to stay informed. The Visual Privacy Advisory Council was created to raise awareness of the threat of visual hacking, share best practices for defending against it and keep the conversation moving as the threat changes.
To connect with VPAC experts or learn more about creating a visual-security program, visit www.stopvisualhacking.org.
Kate Borten, founder of The Marblehead Group consultancy, on behalf of the Visual Privacy Advisory Council5
1 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware, Gartner, Aug. 22, 2014
2 HIPAA - Frequently Asked Questions, U.S. Department of Health & Human Services, 2012
3 Guide to Privacy and Security of Health Information, U.S. Department of Health and Human Services, 2012
4 HIPAA Violations and Enforcement, American Medical Association
5 Kate Borten is a member of the Visual Privacy Advisory Council and receives compensation from 3M in connection with her participation on the Visual Privacy Advisory Council.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.