Share this article on:
Hackers may be using high-tech methods to obtain the Protected Health Information of healthcare patients, but HIPAA-covered entities must take action to protect themselves from low-tech threats such as shoulder surfing and visual hacking.
Shoulder surfing and visual hacking are names used to describe the practice of obtaining sensitive information from computer screens and other electronic equipment as data is entered or viewed.
That information may be visible on the screen or the user of a computer could be observed entering a password on a keyboard. The direct observation technique is often seen at cash-dispensing machines as users enter their PIN numbers. The same techniques can be used on healthcare providers, and the practice is common in offices according to 3M.
Remembering a PIN number or a password as it is entered is not a difficult task, but remembering a name, address, phone number and social security number would be much more difficult. However, according to 3M, the practice is easy, highly effective, and can result in sensitive data being obtained. Information could even be used for a cyberattack or phishing campaign.
Visual Hacking – A Low Tech Approach Used by Criminals to Steal Sensitive Information
3M claims that visual hacking is common across all industries. However, for healthcare providers and health insurers it is especially dangerous.
Visual hacking may not result in individuals stealing nearly as much data as hacks of network servers and the theft of portable storage devices and healthcare laptops, but the practice does occur and patient data could all too easily be stolen. As medical records are accessed, malicious individuals could capture the data on Smartphones. Due to the high resolution images that can be taken, malicious individuals could take photographs from a distance and clearly make out the information that is captured.
Patient health data along with their personal information can be used to commit identity theft and make fraudulent insurance claims. Even the data of one individual can be used by criminals to obtain thousands of dollars. Healthcare providers and other HIPAA-covered entities must therefore take steps to reduce the risk of data exposure via visual hacking.
How Big is the Risk of Data Theft?
In theory, the technique could be used by criminals to obtain the PHI of patients, but is there really a risk of it actually occurring? Patient data has value, but how easy is it for data to be obtained using visual hacking techniques? 3M, with assistance from the Ponemon Institute, decided to put this to the test. An experiment was devised in which individuals attempted to use visual hacking to obtain sensitive data.
The 3M Visual Hacking Experiment
The 3M visual hacking experiment involved a white hat hacker visiting offices with the aim of covertly stealing information. The hacker was required to enter the offices, and only using visual means, obtain sensitive information from computer screens, faxes, and other locations.
The 3M visual hacking experiment was surprisingly effective. Typically, it took less than a quarter hour for the individual to obtain sensitive information, and in 88% of attempts the hacker was successful in obtaining data. The individual was able to obtain an average of five pieces of information on each successful attempt.
In the majority of cases, the hacker was able to obtain information without being challenged by employees. Only 30% of cases was the hacker challenged, and even when it was noticed that the hacker was snooping it was often too late. Information had already been viewed and remembered. According to the 3M report, even when the act was identified and action taken by employees, the hacker was able to steal an average of 2.8 pieces of information.
Due to the high volume of foot traffic through offices, there are numerous opportunities for sensitive data to be viewed. Desks, print bins, photocopiers, computer screens, and fax machines are all locations where data theft can occur. The main risk areas for healthcare organizations are reception desks and other high traffic and other areas accessible to the public.
Policies Must be Developed to Reduce Risk
According to 3M, “Creating visual privacy policies and protocols is an important step in building awareness of the issue among employees, including contractors.” It is essential that employees are made aware of the risks so they can take action to prevent sensitive data from being viewed by unauthorized individuals. It is not only patient health records that could potentially be viewed. If sensitive business information is seen, such as email addresses or business directories, the information could potentially be used to obtain further data. According to 3M, “This type of information has the potential to open a company up to a large-scale data breach through a variety of means, including phishing attacks, economic espionage, social engineering and even cyber extortion.”
The 3M white paper on visual hacking risk, together with the full results of the 3M visual hacking experiment, can be viewed here.