Guest post by Sean Hughes, EVP managed document services, CynergisTek.
Healthcare has spent a significant amount of both human and financial capital addressing the security of their environments over the last several years – but have we forgotten a major vulnerability?
Printers and print-related devices (e.g. copiers, fax machines, scanners, etc.) continue to be a major component of our infrastructure and a big part of our clinical and business workflows, yet in most organizations, they continue to represent a gaping hole in our defenses. The advent of the EHR has not equated to the perceived reduction in print, but rather some research shows it’s responsible for an 11 percent increase in print in healthcare over the same time as the implementation of this technology. This increase in print volume brings with it an increase in the number of devices required to process the paper.
The approach most organizations have taken related to the security of these devices falls into one of two categories: segmentation of the network or reliance on manufacturers for “secure” devices. These approaches vary significantly from the approach most organizations have taken for other endpoint computing devices and leaves an organization open to the possibility of negative outcomes.
The industry has seen an increase in the computing power of these devices (e.g. internal hard drives, scan to file or application, residual data on devices, mobile printing, USB-enabled device access, etc.) and the bad guys are aware of this. More and more we see stories in the news of print devices being used as entryways for bad guys to circumvent our protections and put our data and our organizations at risk. According to an article published by BBC News in February 2017, “Hacker Briefly Hijacks Insecure Printers,” a hacker was able to access more than 150,000 printers that were briefly left accessible via the web.
The most effective way to address this threat is to treat these devices no differently than all our other data endpoints, be it a desktop, server, or any other piece of infrastructure. We need to look at these devices and ensure they meet the same security standards.
The most effective way to mitigate risks starts with knowing what the risks are. The first step should be a comprehensive printer fleet security assessment that is part of your overall security program. This can be accomplished either through your internal processes or by engaging a competent third party. Either way, you need to know what you don’t know, and you need to know it now.
The results of that assessment will drive the remediation efforts as well as define the ongoing measures our organizations should take. These steps will be directly related to the vulnerabilities identified but will most likely fall into the following categories:
- Configuration – most organizations don’t think about a printer’s configuration outside the original installation. As with any other computing device, these configuration requirements evolve over time based on multiple factors. Factory settings are most frequently found still on devices with no password, encryption or basic security protocols in place.
- Patching/Firmware – most healthcare organizations do not have an aggressive refresh cycle for their printers as these devices compete with all the other priorities around spend. Therefore, it is important to ensure that the devices are part of your overall patch management process and that critical firmware updates are applied in a timely manner. The bad guys know the weaknesses that are available to them when these get out of synch and will quickly take advantage of those.
- Lifecycle Management – the cost of printers has consistently gone down, making acquisition easy and increasing the proliferation of devices. Copiers, particularly those on lease, are usually managed by a third party and are rolled over when the lease is due. Having a disjointed or separate responsibility matrix of these devices makes managing these devices from acquisition through destruction almost impossible. Who is deploying them and more importantly who is making sure your data doesn’t go with your retired device?
- Confidentiality/Privacy – there has been a concentrated effort over the last several years as part of cost reduction initiatives to consolidate printers resulting in more and more users sharing print devices. While this provides some level of cost savings, if not done correctly, it can increase the potential for privacy violations. Do all the users sharing a single device share the same need and level of access to the PHI that is being printed to these devices? In most cases the answer is no. Follow me print, which allows a user to retrieve their print job at any device enabled through the technology, and secure print, which leverages similar architecture but adds in the layer of authentication (e.g. card, mobile app, pin, credentials, etc.) to ensure the user is who the print job should be for, as well as logging to support regulatory requirements, are solutions some organizations have turned to in order to solve this problem. However, these solutions require significant thought and ongoing management to ensure operational continuity and that data privacy is maintained.
Ultimately, the proliferation of devices, even more unsecure devices, has increased the overall risk to our organizations, and unless they are treated as any other data endpoint, all the great work we have done may be for naught. The increased capabilities of these devices to store and process data have created an environment where they are looked at as no different from any other computing device in our infrastructure. Treating these devices appropriately and applying all the technical and administrative safeguards that we must apply to the rest of our infrastructure is critically important to ensure the security and confidentiality of the data processed through them.