Healthcare IT: Is Your Internal Printing Introducing HIPAA Risk?
By Mike O'Leary | July 31, 2018
Cyberattacks are dominating the news, and they’re the first thing we think of when HIPAA breaches occur. But there’s another area of vulnerability that flies under the radar of many healthcare organizations: office printing.
Breaches involving office printers include remote attacks from hackers looking for network access points, as well as privacy and confidentiality violations. For example, a printer that’s not secured is likely to have uncollected documents in the output tray for anyone to collect, and leaving sensitive information around is a clear violation of HIPAA privacy rules. These same devices may have configuration holes that leave servers and the network vulnerable to attacks.
For example, 15 percent of the 54 breaches reported to the Office for Civil Rights (a subagency of the U.S. Department of Education) so far this year were due to printing errors when mailing letters to patients, according to the HIPAA Journal. These errors affect a smaller portion of customers, but the costs to the organization are the same.
HIPAA violations can result in fines of up to $1.5 million. On top of this, they leave room for negative publicity, the chance of losing your license, or other sanctions (such as mandatory HIPAA audits). With so much at stake, it’s imperative to secure your network and ensure every device connected to it is secure. Too often, we find that the print ecosystem within healthcare organizations does not receive the attention it requires.
Gaps in our information security
Complying with HIPAA continues to be a major challenge in today’s evolving high-tech environment. Hospitals and other healthcare organizations are responsible for keeping protected health information secure at all times. We see this in action when we swipe an access card to enter secure areas like medical record storage.
Security measures are in place everywhere you look, but printers are ignored far too often. The Ponemon Institute found that 50 percent of companies ignore printers when assessing end-point security. In fact, almost two-thirds of IT managers reported possible malware infections on network-attached printers.
No matter how far technology advances, people will always be the weak link in security. Employees are easily exploitable — one recent study found human error to be the root cause of 52 percent of all security breaches. Nearly a third of top security professionals polled in the 2015 Black Hat survey agree that employees are easily fooled by social engineering attacks, often resulting in the divulgence of confidential information in one form or another.
Secure your office printers and employee printing workflows
It should be a high priority for every healthcare organization to re-evaluate company print strategies for HIPAA compliance. Start with the fundamentals, including three important steps you should take:
1. Implement pull-printing technology.
In a typical work environment, it’s common for documents to be left on printer trays. Network printers are usually shared between dozens, if not hundreds, of people. All too often, people send documents directly to printers and then forget about them, leaving sensitive information in the output tray for anybody to pick up. Even those who do remember to collect their prints might not do so quickly enough — there’s too much risk in such an environment.
Pull printing resolves this issue. Employees print to a single virtual queue, where their print jobs are “parked” and encrypted until they arrive at any secured printer on the network to “release” documents using their access card or login credentials. The technology locks down your organization’s devices to authorized personnel only, while also ensuring that printed documents are released only when the document owner (or assigned delegate) is physically present at the device. The side benefit to all this added security is that it shaves 30 percent off your total office printing costs.
2. Train staff on best printing practices.
Although employees are often the weak link in information security, they don’t mean to be. Most employees are eager to help their organization reach cost savings, security and efficiency goals. But they need training on the issue to understand how their habits contribute to those goals.
The reality is most people don’t think about printing — they do it without a second thought. Employees must be trained on how printed information relates to HIPAA compliance. Internal communications should be sent to everyone, training sessions on printing policy should be held and recorded for later access, and signage should be placed near every printer as a reminder of mindful printing habits.
3. Secure all your internal printers.
In most cases, your print provider should be able to assist with hardware-level tasks. While we mostly discuss physical security, network security is important for printers, too. Printers, fax machines and copiers are all considered workstations per HIPAA guidelines. Any printers or print services must be compliant with HIPAA, ISO 27001, NIST 800-53, etc.
The problem? Most printers are not secure out of the box. Be sure to update firmware on all printers and change any default network settings. Treat printers just like computers by regularly monitoring them for open ports and other security vulnerabilities. Any hard resets or significant maintenance on these devices can revert them to factory settings, reintroducing security risk. This proactive maintenance can save a lot of headaches down the road.
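One way to run the recurring open-port check described above is to compare each printer against an approved baseline and flag devices that look like they were reset to factory settings. This is an added example, not code from the article; the hostnames, baselines, factory port profile and sample results are constructed assumptions.

```python
import socket

# Well-known TCP services that network printers commonly expose.
PRINTER_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https",
                 515: "lpd", 631: "ipp", 9100: "raw-print"}

def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_printer(host, approved, factory, probe=probe_tcp):
    """Compare a printer's open ports with its approved (hardened) baseline."""
    # `factory` is the out-of-box port set, an assumed value you record yourself.
    observed = {p for p in PRINTER_PORTS if probe(host, p)}
    unexpected = observed - approved
    return {
        "host": host,
        "unexpected": sorted(unexpected),
        "services": [PRINTER_PORTS[p] for p in sorted(unexpected)],
        # Observed ports equal the factory profile: a hard reset or major
        # maintenance has probably reverted the hardening.
        "possible_factory_reset": bool(unexpected) and observed == factory,
    }

def audit_fleet(inventory, probe=probe_tcp):
    """Return findings only for printers that drifted from their baseline."""
    results = (audit_printer(h, c["approved"], c["factory"], probe)
               for h, c in inventory.items())
    return [r for r in results if r["unexpected"]]

# Constructed sample data: hostnames, baselines and open ports are made up.
FACTORY = {21, 23, 80, 443, 515, 631, 9100}
INVENTORY = {h: {"approved": {443, 631}, "factory": FACTORY} for h in
             ("prn-radiology.example", "prn-billing.example", "prn-lobby.example")}
SAMPLE_OPEN = {"prn-radiology.example": {443, 631},        # still hardened
               "prn-billing.example": {443, 631, 9100},     # one stray service
               "prn-lobby.example": set(FACTORY)}           # looks factory-reset

def sample_probe(host, port):
    """Offline stand-in for probe_tcp that reads the constructed results."""
    return port in SAMPLE_OPEN[host]

if __name__ == "__main__":
    for finding in audit_fleet(INVENTORY, sample_probe):
        print(finding)
```

Calling `audit_fleet(inventory)` without the second argument uses real TCP connections, so run it on a schedule and again after any maintenance visit or hard reset.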
With these fundamental steps in place, your office printers will be much more secure and cost-effective. It’s not something to take lightly: An HP study found 90 percent of enterprises have experienced a security breach related to unsecured printers. These breaches are expensive and put everyone in the organization at risk. Don’t become one of these statistics. Keep your printers secure, and monitor any data passing through them. The health of your own organization may depend on it.