When it comes to protecting your organization’s most sensitive data, it can be easy to focus on the role of technology.
While technical controls are indeed essential, they should by no means be your only approach to ensuring data privacy. This is especially true when it comes to “visual” privacy: the protection of sensitive and private information shown on screens and in paper form.
Threats to visual privacy are plentiful as companies’ information has become more vulnerable than ever. For starters, employees more frequently use mobile devices to access and share data. A growing number of these workers access sensitive information in public places, often in full view of others, using laptops, tablets and smartphones. There’s increased risk of data exposure inside the office too. The trend toward open-office floor plans removes physical barriers that traditionally helped shield computer screens.
Meanwhile, malicious individuals have increasingly sophisticated means of viewing and capturing this exposed data, from smartphones with high-resolution cameras to discreet wearable devices. These “visual hackers” can visually record log-on credentials and several pages or screens of information without anyone noticing, while leaving behind no trace of their activity.
Ultimately, the visual privacy of the data assets shown on your employees’ displays is in their hands. And the best way to recruit them is through effective awareness and training.
However, just dictating policies and best practices is not enough. Your employees have to understand the purpose, and it has to mean something to them personally. That’s why training programs should first aim to increase awareness among employees about the risks and ramifications of visual privacy breaches.
Specifically, companies should provide workplace-relevant examples and illustrate the potential business and human consequences that could result from a successful visual hack.
For example, a hospital patient’s sensitive, and legally protected, medical information displayed on an unattended medication cart or hallway workstation could be viewed by a visitor who recognizes the patient’s name and tells friends. That information could be spread around the community and, in some cases, alter the patient’s life. This HIPAA violation and breach must be reported to the federal government and could result in a fine and negative publicity for the hospital, as well as disciplinary action for the employee. More than that, a hacker who obtains patient information could use it for medical identity theft to fraudulently obtain free care, prescription drugs or insurance money. They could even use an embarrassing diagnosis to blackmail the patient.
Providing these real-life examples can help employees better understand what’s at stake. It can also help you connect with employees at a deeper, more personal level and provide better motivation for them to support your organization’s visual privacy efforts.
Best practices for protecting visual privacy are too often relegated to a brief mention or bullet point during new-employee training, if they’re included at all. However, it’s important that visual privacy training be thorough enough to ensure employees understand the threats and take the appropriate actions.
For example, workers should be trained to always be aware of their surroundings. Those who work in heavy-traffic areas like emergency departments, public lobbies and guest-service desks should know to look for suspicious behaviors, such as identifying a visitor who is pointing a smartphone toward a computer screen. Workers located in restricted or employee-only areas should be mindful of the people around them exhibiting odd behaviors, whether it’s coming from a delivery person, cleaning crew member or even a fellow employee.
Since most people are not comfortable questioning strangers about their behavior, your training program should provide sample dialogue that employees can use in these workplace situations. It also should provide guidance on specific actions to take, as sometimes it’s best to call security rather than have a confrontation.
While monitors and mobile device screens should be fitted with privacy screens to obscure information from potential onlookers, employees should always be mindful of additional ways they can protect information. This includes angling their computer screens away from visitors and logging off or locking devices before leaving them unattended.
Likewise, employees who can access their work email and sensitive information using a laptop or mobile device should be taught to be mindful of people seated near them and potential shoulder surfers in public places.
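Locking a device before leaving it unattended is a habit training has to build, but the complementary technical control is an enforced idle-time lock, so a session that is forgotten still goes dark. The following PowerShell audit is an added example and is not code from the article or its author; it reads the Windows “Interactive logon: Machine inactivity limit” setting (the InactivityTimeoutSecs policy value) and the per-user secure screen saver settings, and reports whether either enforces a lock within an assumed organizational maximum of 15 minutes. That 900-second threshold is an assumption, not a value stated in the article; adjust it to your own policy.

```powershell
# Added example (not from the original article): audit whether a Windows
# endpoint enforces an automatic screen lock so that a workstation left
# unattended does not stay readable to passers-by. The 15-minute maximum
# idle time is an assumed organizational threshold; adjust $MaxIdleSeconds.
param(
    [int]$MaxIdleSeconds = 900
)

function Get-ScreenLockPosture {
    param([int]$MaxIdleSeconds)

    # Machine-wide policy: "Interactive logon: Machine inactivity limit".
    # A value of 0 or a missing value means no machine-level lock is enforced.
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' `
                   -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user screen saver: prefer the Group Policy hive when it exists,
    # otherwise fall back to the user's own preferences.
    $userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPrefs  = 'HKCU:\Control Panel\Desktop'
    $source = if (Test-Path $userPolicy) { $userPolicy } else { $userPrefs }
    $saver  = Get-ItemProperty -Path $source -ErrorAction SilentlyContinue

    # These values are stored as strings; a missing value becomes 0 / $false.
    $saverTimeout = [int]($saver.ScreenSaveTimeOut)
    $saverActive  = ($saver.ScreenSaveActive -eq '1')
    $saverSecure  = ($saver.ScreenSaverIsSecure -eq '1')   # "1" = require logon on resume

    $machineOk = ($inactivity -gt 0) -and ($inactivity -le $MaxIdleSeconds)
    $saverOk   = $saverActive -and $saverSecure -and
                 ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        InactivityTimeoutSecs  = $inactivity
        MachineInactivityOk    = $machineOk
        ScreenSaverTimeoutSecs = $saverTimeout
        ScreenSaverLocks       = $saverSecure
        ScreenSaverOk          = $saverOk
        Compliant              = ($machineOk -or $saverOk)
    }
}

$result = Get-ScreenLockPosture -MaxIdleSeconds $MaxIdleSeconds
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "No enforced screen lock within $MaxIdleSeconds seconds; an unattended session stays visible."
    exit 1
}
```

Run it as the logged-on user (reading HKCU requires no elevation) and feed the non-zero exit code to your endpoint compliance tooling. Either control on its own satisfies the check, because the machine inactivity limit locks the session regardless of screen saver preferences, while the secure screen saver covers systems where the machine-level policy is not set.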
Keeping Visual Privacy on the Radar
A visual hacker may take one piece of information and, when added to other easily obtained information, steal someone’s identity; carry out medical or financial fraud; or even initiate a large-scale data breach. That’s why training and awareness should be ongoing priorities—not a one-time activity for new employees.
Best practice is to provide mandatory annual training, as well as frequent reminders on privacy and security topics. Additionally, look for opportunities to regularly highlight the importance of visual privacy and discuss best practices within your employee communications. Employee emails, internal newsletters, staff meetings and intranet home pages are good places to reiterate data-breach prevention tips, including lessons from other companies’ security breaches that make the news.
Upfront awareness and training efforts can help empower employees to protect the visual privacy of your most sensitive information. Ongoing training and communications can reinforce these efforts and help ensure visual privacy remains foremost throughout the day.
Kate Borten, founder of The Marblehead Group consultancy, brings expertise in security, privacy, and health IT from over 20 years inside the healthcare industry, including establishing security programs at Massachusetts General Hospital and Beth Israel Deaconess Medical Center/CareGroup in Boston. She is a nationally recognized HIPAA security and privacy expert, and a frequent speaker and author on these topics.
She is also a member of the Visual Privacy Advisory Council, and receives compensation from 3M in connection with her participation on the Visual Privacy Advisory Council.