Industry Voices—The hidden security threat most hospitals haven't thought of yet


There is a huge network threat that most people aren’t aware of: Today’s printers present greater security risks than traditional servers, desktops and laptops.

What most do not appreciate, or have ignored, is that printers have evolved from being “dummy copiers” into today’s complex business machines that include servers built directly into them.

The competition among printer manufacturers has driven the inclusion of web servers, file transfer protocol (FTP) servers, fax servers, huge hard drives and many other advanced capabilities. Yet printers, unlike standalone servers, are maintained outside of data centers without physical and technical safeguards and controls. They are managed by nonsecurity, non‐IT professionals and are not included in IT policies and procedures.


Moreover, printers, like laptops, are often mobile throughout the enterprise.

Why is this problematic?

First, HIPAA requires covered entities (and business associates) to secure printers just like traditional servers, desktops and laptops.

Second, HIPAA's general mandates require covered entities to ensure the confidentiality, integrity and availability of protected health information (PHI) that the business creates, receives, maintains or transmits. Third, HIPAA also requires covered entities to protect against any reasonably anticipated threats or hazards to the security or integrity of information.

Printers in hospitals clearly “create, receive, maintain and/or transmit” electronic protected health information (ePHI). Moreover, even the most cursory examination of “reasonably anticipated threats and hazards to the security and integrity of” that ePHI triggers the HIPAA mandates to protect printers.

“Further, HIPAA requires that identified risks to such ePHI on printers be reduced through implementation of the appropriate administrative, technical, and physical safeguards, and OCR will ask for documentation to demonstrate such efforts.”

Are today’s hospitals and health enterprises secure under current HIPAA regulations? For almost 99% of the organizations in the US today, the answer is a resounding no. This is especially concerning considering that breaches are getting more costly. Uber settled on a $148M fine for their handling of the 2016 breach, Yahoo was hit with an SEC fine of $35M for their email breach, and Anthem settled for $115M on litigation around their 2015 breach.

Each and every printer in a print fleet can present hundreds of vulnerabilities, and many hospitals can have thousands of printers. As such, they must be protected with automated IT asset lifecycle management and continuous cyberhardening.
