We often talk about protecting patient information through common technical security controls. But we shouldn’t overlook the importance of other modes of privacy protection in blocking unauthorized viewing of confidential, sensitive information.
The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities take steps to protect the privacy and security of patients’ protected health information (PHI). Privacy and security rules implementing HIPAA require that organizations use administrative, physical, and technical safeguards to ensure the privacy and security of PHI in all forms, including paper and electronic form. 1
But visual privacy is about more than regulatory compliance. In today’s era of data breaches, healthcare organizations have an obligation to protect not only patient and plan member PHI but also other confidential and proprietary information assets from those with malicious intent and casual observers not authorized to see the information.
As healthcare organizations increasingly strengthen their cybersecurity defenses, hackers and others who might seek patients’ personal, financial or medical information will try to acquire it through other means. One of those means is visual hacking, which is the viewing or capturing of sensitive, confidential or private information for unauthorized use.
Visual hacking can be an especially appealing tactic because of the growing sophistication and availability of everyday consumer technology, such as smartphones and wearable technology. These provide easy and discreet means to capture sensitive information that is handled, shared and displayed throughout healthcare facilities.
At the same time, a growing number of doctors, other medical professionals and managers can access their healthcare organizations’ networks outside their workplaces using laptops and other mobile devices. This “anytime, anywhere” access can put sensitive patient information at risk of visual hacking, not only inside facilities, but also when it’s viewed in public places such as trains, planes, coffee shops, hotel lobbies or elsewhere.
Do you know where visual-privacy weak spots exist in your facility? Let’s take a virtual walk through the different areas of a typical healthcare facility to identify common high-risk areas, and the safeguards that can help protect patient information.
Registration / check-in
Consider the front desk where patients register or check in, often just steps inside the front door of a facility. The staff’s computers may be facing away from the public, but a curved or angled counter can create viewpoints from which patients or other visitors can see computer screens and displayed information.
Someone standing alongside the desk or counter may seem innocent enough while using his or her phone. But how do you know if this person is checking Facebook or snapping photos of the employee’s computer screen?
A desk behind a glass barrier or counter built into the wall doesn’t create vantage points for onlookers, and it is a more private alternative.
Clean desk policies also should be in place to ensure employees – and others who handle sensitive information – keep their desks clear of patient information when it’s not in use. Staff should be directed to lock screens or log off computers when they step away from their computers. Portable devices should be kept in locked drawers or cases when not in use and unattended – both to avoid theft and to help prevent a visual privacy breach. Papers containing PHI and other confidential information should be put into drawers, at a minimum, and preferably placed in locked files when unattended.
Lastly, all computers used to access, enter or display patient information should use a privacy filter when feasible. These filters easily attach to computer monitors, laptop screens, and tablet and smartphone screens to blacken out the angled views of onlookers, while providing an undisturbed head-on view for device users.
Corridors & exam rooms
Stationary workstations, often affixed to corridor walls and located in exam rooms, and mobile computers-on-wheels (COWs) are common throughout hospitals. They provide easy and efficient stations for doctors and other clinical staff to view test results, update patient records, order and dispense prescription medications and more.
Unfortunately, a busy doctor who is scrambling to update patient information at one of these stations before getting to the next appointment may not pay much attention to passersby. A visitor may see confidential information about a neighbor. Or a visual hacker may snap a picture of a screen before slipping away unnoticed.
Avoid placing stationary workstations in high-traffic hallways. Instead, opt for rooms or side areas that offer privacy or at least obstruct the view of onlookers. Policies should be in place to ensure staff lock or log out of workstations before walking away, especially when using a workstation in an exam room with a patient.
Policies should also require that staff bring COWs or medication carts into a patient’s exam room. If the cart can’t fit into the room, it should be left within view outside the room, with the screen locked. Additionally, paperwork should not be left exposed on these carts. It may be a hassle for staff to carry paperwork with them, but that’s a reasonable price to pay for protecting patient privacy.
Nursing stations
Common in hospitals, nursing stations include multiple computers that are shared by nurses, doctors and support staff.
Some hospitals still use a layout in which a bank of computers faces outward toward halls and open areas for the convenience of staff. But a horseshoe nursing station layout, with a bank of computers inside, is more secure because the computers face away from visitors and other unauthorized onlookers. Again, a clean desk policy should be enforced at these stations, and computer screens should be equipped with privacy filters when possible.
Patient records
Patient record rooms are off-limits to patients and visitors in most hospitals and clinics. If that’s the case in your facility, it’s still important to consider the potential insider threat – whether from an office worker or a cleaning person who enters the room when nobody else is around. Privacy filters should be used on computer screens and clean desk policies should be enforced, including the requirement to lock or log off before leaving a computer unattended. Workers also should have convenient access to shredders for discarded documents, rather than leaving them exposed in trash or recycling bins, or accumulating under desks.
If you do allow visitors into your patient records room to view their records upon request, which HIPAA does allow, consider setting up a dedicated private space in which they can securely review their information without exposing other documents and activities occurring in your records room.
Mobile workers
The “Fourth Annual Benchmark Study on Patient Privacy & Data Security” released by the Ponemon Institute in 2014 found that 88 percent of healthcare organizations allowed medical staff and employees to connect to their organizations’ networks or enterprise systems using their own mobile devices. At the same time, more than half of organizations were not confident that mobile devices are secure. 2
Personal devices used to access an organization’s network should be fitted with a privacy filter. Also, if your organization supplies mobile devices to doctors, company leadership or staff, a robust policy should be in place regarding their proper use and handling. For example, devices not in use should always be kept in a secured location, such as a locked drawer, and they should not be shared with anyone, even family members or close colleagues.
Theory to reality
These vulnerabilities may or may not be evident in your facility. The only way to know is to conduct a physical walkthrough of the facility itself. This will enable you to pinpoint your visual privacy high-risk areas, as well as identify the necessary policies, training, and physical safeguards to reduce risk of a breach.
From there, keep your visual privacy efforts agile, just as you do your security efforts. Conduct facility walkthroughs on a frequent basis, at least quarterly, and tighten up your program as needed. Visual hackers are unlikely to abandon their efforts as long as we make it easy for them. And casual snoopers are with us forever. Your response in countering these risks should be vigilant.
Kate Borten, CISM and CISSP, is part of the Visual Privacy Advisory Council and receives compensation from 3M in connection with her participation.