The last two years have seen several high-profile, costly health data security breaches at major healthcare organizations, including Anthem Healthcare, Premera Blue Cross BlueShield, Excellus BlueCross BlueShield and UCLA Health System. These examples have served to highlight the importance of IT security for healthcare organizations.
According to IDC, “Cybersecurity is one of the new growth areas in the provider IT budget, and this growth is expected to continue in 2016.” However, despite the growing investment in and emphasis on health data security, there is one element of the IT network that is frequently overlooked and left unprotected. Printers.
Modern printers have many of the same characteristics as PCs. They have operating systems, hard drives, network connectivity, and in some instances even keyboards. They can send and receive information, emails, and files. According to the Ponemon Institute, more than 50 percent of companies ignore printers while assessing their endpoint security strategy, despite the fact that nearly 90 percent of enterprises have suffered at least one data breach through unsecured printing. In addition, nearly two-thirds of IT managers believe their printers are likely infected with malware.
Although printer security is often overlooked, there are several steps healthcare IT managers can take to properly secure their printer ecosystem.
Look for printers with self-protection features
The reality is that firewalls are no longer enough to secure your printer. Hackers now have the tools and knowledge to access your network and commit cybercrimes at any moment. It is imperative to keep firmware updated with the latest security patches, set administrative passwords, secure ports and protocols, and encrypt data on the device hard disk. In addition, deploy printers with features that can provide a base layer of self-protection, such as the ability to detect and recover from an intrusion. IT organizations should also ensure that they are procuring their printers and print services from vendors that support industry standards such as Common Criteria, FIPS 140-2, HIPAA, NIST 800-53 and ISO 27001.
Prevent unauthorized user access to confidential documents
Documents left in the output tray present one of the most common risks associated with print security. In healthcare settings especially, these documents often contain confidential patient information that can easily be accessed, misplaced or discarded. This exposure of private patient information, financial statements, and other proprietary data puts an organization at risk of an immediate breach. Implementing a pull printing or PIN printing solution can help prevent this type of unauthorized access by requiring a user to authenticate at the printer before a document starts printing.
HIPAA compliance means not just preventing unauthorized access to patient information records, but also being able to document who has access to those records. When it comes to printing documents, an access management solution can be used to enforce IT policies about who can print what, as well as provide an audit trail if needed.
Implement a policy-based proactive compliance solution
A typical business-class printer has over 250 settings, including ports and protocols that could be a potential source of vulnerability. Multiply that by the hundreds of printers sitting in a healthcare organization, and the task of securing your printers and keeping them secure becomes difficult and time-consuming. Use a fleet management solution to manage and configure printers based on a strategic, compliance-focused secure print policy. This will enable IT to manage a fleet of printers, ensuring that they become compliant and stay compliant.
A printer security management solution will help automate printer management tasks including:
- Turning off unnecessary protocols and securing all ports on the printers that are not in use
- Disabling file access to prevent unauthorized access to files stored on the printer hard drive
- Enforcing passwords to prevent unauthorized changes to printer settings on the control panel
- Managing firmware updates to prevent unauthorized changes to the printers
- Enabling HTTPS Redirect to protect the device when accessing it through a web page
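The policy-based check described above can be sketched as a small fleet audit. This is an added example, not code from the article or from any vendor's product; the setting names, printer names, firmware versions and the policy itself are constructed for illustration.

```python
# Added example: every setting name, printer name and value here is constructed.
POLICY = {
    "allowed_protocols": {"ipps", "https", "snmpv3"},
    "min_firmware": (4, 2, 0),
}

FLEET = [
    {"name": "ward3-mfp", "protocols": ["ipps", "https", "telnet", "ftp"],
     "firmware": "4.1.7", "admin_password_set": False,
     "https_redirect": False, "file_access": True},
    {"name": "lab-printer", "protocols": ["ipps", "https"],
     "firmware": "4.2.1", "admin_password_set": True,
     "https_redirect": True, "file_access": False},
    # No admin_password_set key reported: treated as non-compliant.
    {"name": "billing-mfp", "protocols": ["https", "snmpv3"],
     "firmware": "4.10.0", "https_redirect": True, "file_access": False},
]

def parse_version(text):
    """'4.10.0' -> (4, 10, 0), so 4.10 compares as newer than 4.2."""
    return tuple(int(part) for part in text.split("."))

def audit_device(dev, policy):
    """Return the remediation items for one printer; empty list means compliant."""
    findings = []
    extra = sorted(set(dev.get("protocols", [])) - policy["allowed_protocols"])
    if extra:
        findings.append("disable protocols: " + ", ".join(extra))
    # Missing settings fail closed: an unreported value counts as insecure.
    if dev.get("file_access", True):
        findings.append("disable file access to the device hard drive")
    if not dev.get("admin_password_set", False):
        findings.append("set an administrative password")
    firmware = dev.get("firmware")
    if firmware is None or parse_version(firmware) < policy["min_firmware"]:
        minimum = ".".join(str(n) for n in policy["min_firmware"])
        findings.append("update firmware to at least " + minimum)
    if not dev.get("https_redirect", False):
        findings.append("enable HTTPS redirect")
    return findings

def audit_fleet(fleet, policy):
    return {dev["name"]: audit_device(dev, policy) for dev in fleet}

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET, POLICY).items():
        print(name, "COMPLIANT" if not findings else findings)
```

Running the same audit on a schedule is what keeps a fleet compliant after the initial configuration, since a setting changed at the control panel shows up as a new finding.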
Consult with a print advisory service
Lack of awareness is one factor that has IT leaving printers vulnerable to attack. Lack of knowledge about how to address the vulnerability is another. According to the Ponemon Institute, 39 percent of organizations have low confidence in their ability to secure printers. Print security is complex and includes many different elements. Without the right expertise, suboptimal security policies and governance can lead to gaps. Engaging print security experts can help IT organizations develop a comprehensive approach to printer security by first assessing the current security status to determine the state of vulnerabilities. Once any security gaps are identified, the print advisory service can help to develop proper security governance, roadmap and policies moving forward to be carried out by the IT infrastructure and Security teams, covering all fleet vulnerabilities. They can also help you select the printers and technology that will best protect your print infrastructure.
While each of these elements will provide some measure of protection on its own, the strongest security is going to come from implementing all four. The Ponemon Institute tells us that, in 2015, the average cost of a data breach was $154 per lost or stolen record, but in the healthcare industry, breaches were significantly more costly, at $363 per lost or stolen record.
Whether a security breach is the result of unauthorized user access at a print station or because of outdated security protocols, HIPAA ramifications are tremendous. Aside from the immediate financial impact, other costs associated with mitigating a HIPAA breach can include a formal press announcement that negatively impacts public perception and years of mandatory HIPAA audits, making it imperative to put strong print security controls in place before it’s too late.
Healthcare institutions that take steps to protect their printers decrease the risk of a HIPAA violation and ultimately increase their eligibility for Meaningful Use compensation. Meaningful Use is designed to reward organizations for improving quality, safety, efficiency and patient privacy by digitizing health records. Within most healthcare organizations, it is typical that 25 to 35 percent of patient healthcare records are in analog format, creating a need for IT to secure the flow of information and transfer physical documents into the digital world. Deploying solutions that strengthen the security around printing and scanning analog records is one way an organization can make a strong case for Meaningful Use eligibility.
Patient privacy and HIPAA compliance should be the driving factor behind every healthcare organization’s security protocol. The good news is that, despite the constantly changing IT landscape, it’s not too late to fully protect your printer ecosystem. Focusing on the steps outlined in this article will enable you to provide increased protection for your print environment and the patient records that pass through it.
Joe Wagle is the Director of Industry Consulting for HP.