One of the biggest threats to breaches of sensitive data time and time again was rooted in vulnerabilities from printers and copy machines. The problem with these devices is that they are monitored by printing companies that do not have the expertise or training in data and cybersecurity. And another problem is that many managed services providers or IT Support companies fail to assess and secure the entirety of your network—including printers and copiers supported by third party vendors.
Your reality is that all printers need to be routinely checked for security issues
In fact, all copiers, printers and fax machines are required to be secured and maintained according to security standards—especially for businesses with security compliance pressures, such as HIPAA, PCI or NCUA.
The problems is these devices are often overlooked and can be some of the biggest reasons healthcare offices are in violation of security compliance.
The problem that most offices face is that more often than not, security officers don’t even take these types of devices into consideration when defining and devising their security policies. The hard truth is that overlooking these devices can lead your business to risk of personal identifiable information (PII) leaks, which are in violation security compliance.
Case in Point: I’m sure you recall back in 2010 when Affinity Healthcare had tens of thousands of PHI records exposed. The reason for this breach was that hard drives in leased photo copiers contained PHI records. The company failed to appropriately dispose of these records before replacing their old copier machines. This oversight cost Affinity over 1.2 MILLION dollars in a settlement agreement with the Department of Health and Human Services.
My question to you is: Are you sure your compliance is comprehensively addressing printers, fax machines and copiers? Do your policies require regular monitoring, record-keeping and proper disposal of data acquired on these machines.
Let me guarantee you one thing: Affinity is not alone in making this mistake! Most users don’t even realize that devices like these have hard drives or store information like copied images in the first place. The reason for many companies’ violations and fines to security rules is that their security officer or IT Support simply do not pay attention to minute details (but details when undetected, lead to data leaks, breaches and violations!).
How can you make sure your copiers and printers are security compliant?
Like all of these other data-securing practices we’ve been discussing, it’s all about understanding the risks presented and mitigating them. Here are some important considerations when thinking about your printing security:
Physical Security—devices are locked down, documents not left unattended, only provide authorized access
Hard Drive Removal—most devices have capabilities of storing images (via a hard drive)—when something is faxed, scanned, copied or printed. Before returning any machine if it is leased or to be taken out of service, make sure that your drive is removed and destroyed (data physically removed from the device may NOT be sufficient—the drive needs to be physically ruined).
User Authentication—these devices should be password protected to prevent unauthorized use—specifically if the devices handle sensitive information. Users need credentials for accessing the device (unique to each user) and device usage should have a log of usage. Your use policy should require a device not in use to be logged off.
Data Encryption and Removal—data stored on printing devices should be encrypted using Secure Socket Layer (SSL) encryption. The network that data is getting transmitted to the device also should be encrypted. When a drive is to be removed, it is also good practice to erase data from the drive before it is destroyed. Periodically overwriting or removing data on the hard drive may also be a good way to prevent large quantities of data falling into the wrong hands accidentally.
Are you sure your printers, faxes and copiers are securely managed and that sensitive data stored on these devices are not vulnerable? Contact us TODAY for a free security network assessment to start forming a resolution plan to unwanted security risks!
