This often-overlooked security gap can create a surprising number of serious security risks.
Multifunction printers are great tools, offering your team the ability to do just about anything their duties would require them to do from a single piece of hardware. Unfortunately, much of what makes multifunction printers (MFPs) so useful also makes them a major flaw in your network’s security.
The need to effectively safeguard protected health information (PHI) is a huge part of HIPAA compliance, and if your multifunction printer or printers are properly configured and secured, it’s very easy for a hacker to help themselves to the data being transmitted to and from those printers. In fact, they can even use an unsecured printer to gain access to your network, plant malware, steal PHI and other valuable data, or they may even destroy the printer itself.
Cybercriminals using an MFP to wreak havoc on an organization happens more often than you might think, with seriously unpleasant consequences. Despite that fact, a lot of healthcare practices – and their IT support providers – still overlook this potentially giant flaw in their otherwise highly-secure network.
The main reason an MFP is such an area of concern is that unlike single-function printer that connects directly to a computer, MFPs have sophisticated internal hard drives and CPUs that process and store data, and run on their own software. This “brain power” gives hackers something to play with, and without the right endpoint protections in place, security breaches are almost inevitable.
There are five main considerations to make when looking at your MFPs and the security around them. These are the things our team pays very close attention to not only when we work with healthcare organizations, but with any business that uses MFPs.
Hacking and Malware
Getting hacked is a surefire way to find yourself facing HIPAA fines and a whole lot of bad publicity, but that’s far from the only worry here. Once someone gets inside your network, they can block access to information and disrupt workflows that are essential to patient care, which is both inconvenient and potentially dangerous. Especially if a hacker uses the opportunity to plant malware or ransomware inside your network.
The biggest risk where MFPs are concerned is a hacker rerouting or intercepting information being sent to the printer they’ve gotten control of. If that information isn’t encrypted, there’s nothing stopping them from helping themselves to whatever they can find. Giving your MFPs private IP addresses or creating VLANs to keep them from connecting directly to the Internet can keep hackers and their nasty tricks out.
Data encryption should already be part of your data security protocols, but a lot of times those protocols only apply to data stored on your network, not data that’s being transmitted – despite HIPAA strongly suggesting you do so. Data that’s been encrypted is all but useless to cybercriminals since without the key that data is unreadable. That being said, a hacker who can get a hold of a staff member’s credentials can sometimes get a hold of that key, so it’s still important to have a strong firewall and antivirus software in place to limit unauthorized access as much as possible.
Authentication and Access Controls
Authentication and Access Controls are also a big part of HIPAA compliance that once again doesn’t always extend as far as it should. Newer MFPs with more advanced settings can use the same type of authentication protocols you should have on your workstations and other devices, such as a smart card, magnetic swipe card, PIN code, or fingerprint. This is great for a few reasons since it lets you place strict access controls both as an overall security measure and as a means of managing access for your staff. You can control who is allowed to transmit documents or scan them into your EHR, fulfilling your role-based access control obligations to HIPAA.
Plus, this type of Two-Factor Authentication, when combined with MFP features like “hold job” keeps sensitive documents from printing automatically and sitting in the printer tray for anyone to walk up and grab. Having to physically go over to the printer and prove your identity before documents will print protects PHI, and can cut down on wasted paper and toner by eliminating unnecessary print jobs.
A central printer server that monitors and control information traveling to and from all of your organizations MFPs is the best solution as far as thorough security goes. When all printer traffic is moving through a single hub, suspicious activity is easier to catch. This setup works best when all of your MFPs are purchased from the same vendor, ensuring smooth communication between all of your devices and making it much easier for all of your MFPs to be configured correctly. This setup also gives you better control over “hold job” and similar features, letting you limit certain functions to only specific offices or work areas.
Faxing and Scanning
Faxing is something we as IT professionals are not fond of. By far the least secure way to transmit documents, faxing creates a lot of concerns we don’t have as good of an answer to as we’d like. Aside from the obvious problems of not knowing for sure who is receiving your fax transmissions, faxes can easily be sent to a mistyped number, MFPs save sent faxes to their internal memory and make that information vulnerable to hackers, and faxes can’t be encrypted. However, since faxes are not about to vanish from clinical settings for a lot of reasons, so the best you can do is use the same authentication and access controls applied to print jobs to secure inbound transmissions.
Scanning presents a lot of the same challenges as faxing, and brings some of its own problems to the table. Scanned documents can be added to the wrong EHR chart, or saved to a random, potentially unsecured folder and vanish. Both of these scenarios are HIPAA issues but can be handled by having scanned documents sent to a secure central folder to be sorted and filed. Controlling who can create scans and where they go once they’ve been created lets you keep a tight hold on PHI.
Even with all of the safeguards we’ve discussed in place, the printers themselves are still vulnerable to anyone who can lay hands on the hardware itself. Just because your network is locked up tight, it doesn’t mean someone can’t plug a USB with a malicious payload stored on it into the printer in order to infect or compromise your network. MFPs should be set up in areas not accessible to the public, in a room that can be locked to keep unauthorized personnel out.
When it comes time to retire your MFP, you need to make sure that the internal memory has been wiped clean before it leaves your building. This is where working with the right vendor is critical since a good vendor will let you keep the hard drive in order to fully protect your PHI and any other information stored in your old MFPs memory.
Finally, training your employees on all of your policies and procedures and making sure they understand exactly what the rules are and why they need to be followed to the letter will cut down on your risks significantly. Your staff needs to be your first line of defense, and that means making sure they’re not taking shortcuts that will jeopardize your security.
Working with an IT provider who can help you choose the right vendor, implement the right safeguards, and help you and your staff maintain security and HIPAA compliance can make all the difference. Knowing your IT provider hasn’t missed a single important detail means you can focus on your patients instead of worrying about your cybersecurity.
Want to learn more about the solutions available to help your healthcare practice take care of every potential vulnerability within your systems and network? Give us a call today and speak with one of our healthcare IT specialists.
My philosophy when starting OTT was I wanted to create a place that I would want to work at (fun and friendly.) Where there was no corporate politics and we could just do our job fixing things and helping people. We can help people with their technology and not be arrogant or condescending to people. We can actually make a difference in peoples lives and not just say it but do it.