Electronic Health Reporter

By Mark Gross, senior principal product manager, Kofax

When it comes to data security, healthcare organizations are stuck between a rock and a hard place. To provide proper patient care, their staff needs access to the right information, and quickly. At the same time, the law requires them to protect the sensitive data included in electronic medical records (EMR).

A wide array of devices are used to collect and transmit patient data – including computers, mobile devices, IV pumps and X-ray machines. Today, all of these are connected to the internet, the hospital network and other medical technologies, even though many of them have few, or no, security protocols in place.

The situation’s made even more complex by the public nature of hospital environments. Many connected devices containing sensitive data are left unattended, leaving the entire network exposed. The result’s an increase in cyber and data security threats.

Right now, nearly all healthcare organizations are facing an added challenge brought on by the COVID-19 global pandemic. Many healthcare workers aren’t working in their normal environments, they’re helping in other departments, hospitals and even pop-up field hospitals. With all the displaced healthcare workers, their normal print and capture workflows are left behind with their devices—and the security of the patient data contained in documents printed or scanned elsewhere may be at risk.

Healthcare organizations need a comprehensive security strategy to protect against a breach. The best of these is a systematic approach that tests all connected devices for vulnerabilities. Once identified, security threats should be prioritized so the most severe can be addressed quickly. Regular software updates and patches are just as important, as is replacing outdated equipment with new devices that have security built in.

Because they don’t stand out as threats, multifunction devices, printers and imaging devices are often overlooked during security reviews. In reality, however, both of these handle a lot more data than people realize.

The hidden security problem in healthcare organizations

A close look at the data demonstrates just how prevalent and damaging security breaches are in the healthcare world. Across all industries in the United States in 2019, there were 1,473 data breaches with over 168.68 million sensitive records exposed. However, it’s not just cyberattacks that cause harm. According to data from Ernst and Young, 34 percent of organizations see careless or unaware employees as the biggest vulnerability.

Healthcare data breaches, in particular, are on the rise. Consider:

• The number of data breaches involving more than 500 health records increased from 371 to 510 between 2018 and 2019, representing a 196 percent increase.
• Over the 10-year period between 2009 and 2019, a total of 3,054 healthcare data breachesoccurred, involving more than 500 records. As a result, nearly 231 million healthcare records were lost, stolen, exposed or disclosed without permission – representing almost 70 percent of the U.S. population.
• In 2019 alone, more than 4.5 million records were improperly exposedbecause of employee error, negligence or acts by malicious insiders.

Exposed medical data can cost healthcare organizations millions of dollars in federal and state fines, civil actions, corrective action plans, credit monitoring, identity theft and lost business. In 2016, Advocate Healthcare Network paid $5.5 million in fines for multiple violations that jeopardized the electronic health records of more than four million patients.

HIPAA penalties alone range from $100 to $50,000 per violation. Fines are classified into tiers according to whether the offending organization should’ve been aware of the breach and the precautions it did – or didn’t – take.  Simply put, taking the necessary steps to prevent and identify breaches before they occur minimizes the fines that loom if an incident does occur.

Healthcare organizations can’t afford to leave any device out when implementing security measures. At first, printers and imaging devices may seem basic and safe enough, but they’re actually a hidden threat within hospitals and healthcare offices.

As HP’s Enrique Lores says, “Unfortunately, printers have joined network computers, laptops, tablets and smartphones as increasingly popular entry points for hackers and careless (or unscrupulous) employees to breach networks, steal sensitive data or cause digital mayhem.”

The constant flow and turnover of people in healthcare facilities makes it too easy for criminals to take advantage of an empty workstation to wreak havoc and steal documents. As more organizations expand mobile access to printers, control becomes even more lax.

Employees may print a sensitive document remotely and either leave it sitting for hours before retrieving it, or simply forget about it altogether. Yet only 18 percent of companies monitor printers for threats, according to a Spiceworks survey sponsored by HP. Clearly, the number needs to change.

The content-aware print and capture solution

Healthcare organizations must implement greater controls over when and how documents are printed and who has access to output trays. The first step is to create a print security framework including devices with security built-in and content-aware print and capture technology.

Traditional print management tracks items such as where a document was printed from and who printed it. Content-aware print management tracks all of this information, plus the contents of the document itself. A comprehensive, advanced content-aware solution combines print, capture and output management to minimize security breaches and reduce compliance costs.

When looking for a solution, make sure it provides the following features and functionality:

• The ability for users to specify which printer is used over a network, and the option to hold printing until the individua is at the printer.
• Enterprise audit trail of what’s being printed or captured.
• Prevention of inappropriate printing of personal, sensitive or confidential information.
• Automatic redaction of sensitive data, such as Social Security numbers and NHS numbers, when documents are printed or shared beyond a list of authorized people.
• Automatically generated audit trails of printed documents to ensure compliance with regulations such as HIPAA and GDPR.
• Secure mobile authentication for printing and capturing.
• Rules-based controls including restrictions on document printing.
• Multi-channel capture integration including mobile, multifunction printers,desktops and email.
• Integration with EHR systems and HL7 compliant clinical systems.
• User authentication at the multifunction device by ID card or mobile device to enforce end-user access to device and/or block use of device features (print, scan, fax, etc.).
• Leverage user permissions to control and track what documents and locations an end-user can access at the multifunction device.
• Limit outbound destinations, including fax and email, to pre-defined recipients to mitigate exposure of sensitive healthcare information.
• Document encryption to protect data in motion and at rest.
• Provide high availability of print and capture workflows to mitigate impact of network outage.

Unified printing, scanning and automated workflows help healthcare organizations manage, secure and govern sensitive documents. Workflows and process automation make sure the right information gets to the correct people. Automatic audit trails generate credible reports to demonstrate compliance.

In the event of exposed data, audit reports can document the due diligence an organization took, helping to reduce fines. And during this chaotic time, as healthcare organizations focus on treating COVID-19 patients, print and capture workflows follow healthcare workers no matter where they go – with the proper levels of security maintained.

Content-aware print and capture technology gives healthcare organizations the power to secure one of the biggest security threats that’s hiding in plain sight. With it, they’ll improve security, productivity and compliance – and work like tomorrow, today.