Industry Voices—The hidden security threat most hospitals haven't thought of yet

There is a huge network threat that most people aren’t aware of: Today’s printers present greater security risks than traditional servers, desktops and laptops.

What most do not appreciate, or have ignored, is that printers have evolved from being “dummy copiers” into today’s complex business machines that include servers built directly into them.

The competition among printer manufacturers has driven the inclusion of web servers, file transfer protocol (FTP) servers, fax servers, huge hard drives and many other advanced capabilities. Yet printers, unlike standalone servers, are maintained outside of data centers without physical and technical safeguards and controls. They are managed by nonsecurity, non‐IT professionals and are not included in IT policies and procedures.

Moreover, printers, like laptops, are often mobile throughout the enterprise.

Why is this problematic?

First, HIPAA requires covered entities (and business associates) to secure printers just like traditional servers, desktops and laptops.

Second, HIPAA general mandates require covered entities to ensure the confidentiality, integrity and availability of protected health information (PHI) that the business creates, receives, maintains or transmits. Third, HIPAA also requires covered entities to protect against any reasonably anticipated threats or hazards to the security or integrity of information.

Printers in hospitals clearly “create, receive, maintain and/or transmit” electronic protected health information (ePHI). Moreover, even the most cursory examination of “reasonably anticipated threats and hazards to the security and integrity of” that ePHI triggers the HIPAA mandates to protect printers.

“Further, HIPAA requires that identified risks to such ePHI on printers be reduced through implementation of the appropriate administrative, technical, and physical safeguards, and OCR will ask for documentation to demonstrate such efforts.”

Are today’s hospitals and health enterprises secure under current HIPAA regulations? For almost 99% of the organizations in the US today, the answer is a resounding no. This is especially concerning considering that breaches are getting more costly. Uber settled on a $148M fine for their handling of the 2016 breach, Yahoo was hit with an SEC fine of $35M for their email breach, and Anthem settled for $115M on litigation around their 2015 breach.

Each and every printer in a print fleet can provide hundreds of vulnerabilities, and many hospitals can have thousands of printers. As such, they must be protected with automated IT asset lifecycle management and continuous cyberhardening.