Although the healthcare data security industry is investing heavily in precautionary measures on its technical devices, it is overlooking a less sophisticated gap in its security efforts: visual hacking.
According to 3M, visual hacking is a practice during which hackers capture data by way of a camera. By simply capturing an image of a computer or tablet screen which is displaying sensitive information, hackers are able to obtain all of that information with relative ease.
To fill this hole in the healthcare security industry, 3M has launched its Visual Hacking Key Risk Areas campaign, intended to educate industry stakeholders and prevent further data breaches by this means.
“Worldwide spending on information security will reach $75.4 billion in 2015, an increase of 4.7 percent over 2014, according to the latest forecast from Gartner, Inc., but such investments might not address all areas where data vulnerabilities exist,” 3M explained in a press release.
To show just how easy visual hacking can be, 3M partnered with the Ponemon Institute to simulate visual hacking incidents.
The experiment showed that 88 percent of the time, the undercover hacker was able to obtain valuable information via visual hacking.
Additionally, nearly half of the hacks were completed within 15 minutes, and an average of five pieces of private information were obtained during each hack.
The study suggests that one of the main issues that enables visual hacking is the lack of office awareness. For example, 3M found that 70 percent of the time, the hacking went completely unnoticed by office staff. Even when the hacking was noticed and stopped, the efforts were often too late. Approximately three pieces of information were still obtained by a hacker even after he or she was stopped.
3M compiled a list of best practices to help prevent these issues. For example, office staff should take periodic surveys of the space to ensure there are no exposed screens. The most common places for exposed screens to lead to visual hacking are in high traffic areas such as the reception desk in a healthcare facility.
Some of the common places where visual hacking occurs include computer screens, vacant desks, print bins, copiers, and fax machines. Although all of these locations present a relevant threat, the most common place was indeed a computer screen.
Furthermore, 3M emphasizes the importance of staff members being aware of their surroundings while conducting remote work. When completing a project in a public space like a cafe, healthcare professionals are exposed to visual hacking by strangers sharing that public space.
3M explains that visual hacking, while a threat to any industry, can be especially damaging in the healthcare industry due to the sensitivity of the information at risk of exposure. Because physicians collect not only health information, but personal and financial information such as Social Security numbers, healthcare professionals need to be especially aware of the threat of visual hacking.
“Visual hacking can target any industry but may be especially dangerous in healthcare and financial industries, given the sensitive information involved in nearly every customer interaction and the desire for malicious parties to obtain it,” said John Brenberg, Information Security & Compliance Manager, 3M and member of the Visual Privacy Advisory Council (VPAC).
Additionally, 3M explains that visual hacking risks aren’t necessarily about the kind of information that is breached; they are about where that information can lead. For example, information commonly obtained in a visual hack includes employee directories or client lists.
Although on the surface this information may seem relatively innocuous when compared to Social Security or credit card numbers, it can have disastrous effects on a healthcare organization.
“While the value of credit card numbers or social security numbers is widely understood, many do not realize that seemingly harmless information like a company directory or general business correspondence can be valuable to hackers as well,” 3M explained in a white paper. “This type of information has the potential to open a company up to a large-scale data breach through a variety of means, including phishing attacks, economic espionage, social engineering and even cyber extortion.”
For example, if a healthcare facility staff directory is obtained via visual hacking, a hacker may then go on to conduct a phishing attack, potentially obtaining far more damaging information.
In order to completely protect a healthcare organization from visual hacking, hospitals need to take charge in implementing best practice strategies throughout the facility and adequately educating providers and staff.
“Creating visual privacy policies and protocols is an important step in building awareness of the issue among employees, including contractors,” 3M says. “In addition to using privacy filters to protect sensitive information as it is displayed, companies should educate and train employees to properly handle the data they are responsible for maintaining.”