Privacy expert shares tips for preventing visual hacking

Visual hacking’s low-tech nature flies under the radar of chief information security officers and chief privacy officers. But there are simple technology and physical fixes, Kate Borten of the Visual Privacy Advisory Council explains.
By Jessica Davis

Kate Borten, a Visual Privacy Advisory Council member and founder of The Marblehead Group, said that although training employees to protect against visual hacking is not required under HIPAA, CISOs and CIOs should not overlook the threat. Photo courtesy of Kate Borten.

When the Ponemon Institute released its 2016 Global Visual Hacking Experiment, the research firm found that 91 percent of visual hacking attempts are successful.

Visual hacking applies to spying on physical items, like someone’s desk, computer screen or mobile device, even paper records. These attacks not only happen very quickly, but they are also very difficult to detect when they do happen.

Many of these vulnerabilities, however, aren’t addressed by healthcare organizations, as the chief information security officers and chief privacy officers are generally IT people focused on technology, according to Kate Borten, member of the Visual Privacy Advisory Council and founder of The Marblehead Group, a privacy and information security firm.

“It starts with awareness,” Borten said. “Visual hacking flies under the radar and tends to be overlooked.”

There are both simple technology and physical items that healthcare leaders can adjust to better protect their organizations from these types of threats, she explained.

While most healthcare organizations already have training structures in place for HIPAA requirements, addressing visual hacking is not common, Borten said.

Items like papers left in stacks on desks and around recycling bins and improper fax machine placement in high-traffic areas are some of the most common mistakes made by hospitals, Borten said.

Many organizations are often squeezed for space, which can result in poor monitor placement, as well. According to Borten, security officers need to be aware of those screens. While they may be unable to change the angle, better privacy filters to protect data should be required.

Further, hospitals need to establish what Borten described as walk-around audits. Privacy and security officers should develop a checklist and walk around to find weaknesses in the organization’s security.

Although not required by HIPAA, it’s another training tool able to heighten awareness within an organization, she said. The tactic helps an organization protect patient data and can provide evidence of its security features.

It can also help an organization in case there is some kind of breach, she added. “The organization can demonstrate it was taking the steps needed to protect information.”

Also, visual hacking of healthcare data isn’t confined to the four walls of a hospital. Borten stressed that mobile devices have increased the risk of hacking. While many organizations consider privacy filters for log-ons for workplace screens, these filters should be required on all devices.

“This is a pervasive thing and healthcare providers in particular are in a sticky situation because they’re essentially open to the public,” Borten said. “Anyone can walk in and the exposures really do create a risk.” 
