Industry Voices—The hidden security threat most hospitals haven't thought of yet

There is a huge network threat that most people aren’t aware of: Today’s printers present greater security risks than traditional servers, desktops and laptops.

What most do not appreciate, or have ignored, is that printers have evolved from being “dummy copiers” into today’s complex business machines that include servers built directly into them.

The competition among printer manufacturers has driven the inclusion of web servers, file transfer protocol (FTP) servers, fax servers, huge hard drives and many other advanced capabilities. Yet printers, unlike standalone servers, are maintained outside of data centers without physical and technical safeguards and controls. They are managed by nonsecurity, non‐IT professionals and are not included in IT policies and procedures.

Moreover, printers, like laptops, are often mobile throughout the enterprise.

Why is this problematic?

First, HIPAA requires covered entities (and business associates) to secure printers just like traditional servers, desktops and laptops.

Second, HIPAA general mandates require covered entities to ensure the confidentiality, integrity and availability of protected health information (PHI) that the business creates, receives, maintains or transmits. Third, HIPAA also requires covered entities to protect against any reasonably anticipated threats or hazards to the security or integrity of information.

Printers in hospitals clearly “create, receive, maintain and/or transmit” electronic protected health information (ePHI). Moreover, even the most cursory examination of “reasonably anticipated threats and hazards to the security and integrity of” that ePHI triggers the HIPAA mandates to protect printers.

“Further, HIPAA requires that identified risks to such ePHI on printers be reduced through implementation of the appropriate administrative, technical, and physical safeguards, and OCR will ask for documentation to demonstrate such efforts.”

Are today’s hospitals and health enterprises secure under current HIPAA regulations? For almost 99% of the organizations in the US today, the answer is a resounding no. This is especially concerning considering that breaches are getting more costly. Uber settled on a $148M fine for their handling of the 2016 breach, Yahoo was hit with an SEC fine of $35M for their email breach, and Anthem settled for $115M on litigation around their 2015 breach.

Each and every printer on a print fleet can provide hundreds of vulnerabilities, and many hospitals can have thousands of printers. As such, they must be protected with automated IT asset lifecycle management and continuous cyberhardening.
