The Most Overlooked Cyber Security Threat: Network Printers

By Jim LaRoe, CEO, Symphion, Inc.

The trend in cybersecurity news is to focus on the latest buzzwords like artificial intelligence, blockchain, ransomware, denials of service or HIPAA fines. Recent hacks are front-page news. Trends also include the increasing cybersecurity regulatory mandates, such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.

CISOs and other business leaders responsible for security of ePHI and business continuity are the intended audience and are being inundated with the tornado of cyber security trends, much of which is vendor driven. They’re also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS’ CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.

Whitepapers discussing the “top 10 priorities” or “top 10 trends” are commonplace. They’re usually vendor driven and focus largely on the most prevalent asset type, computers (that is, desktops, laptops and servers), and on perimeter security or internal threats from user behavior, including training users not to click on suspect emails to prevent phishing attacks.

Overlooking Second Most Prevalent Asset Type — Printers

But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers’ IT enterprises: their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function and single-function devices, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house exposed that faxes can be easily exploited to hack printers and the corporate networks where they reside.

Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department. Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.

Little Known Facts about Print Fleets

Whatever the reason, here are a few important facts that you should know about almost all printers in healthcare:

  1. Printers are mission critical to patient care and part of providers’ tier one applications.
  2. Printers are everywhere. The ratio can be as high as one printer to one employee, or between 1:6 and 1:10.
  3. Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
  4. They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
  5. Printers have built-in security settings, but they are not being set or maintained.
  6. HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
  7. Printers are shipped, and regularly deployed and maintained on networks, with factory default settings, including published factory default administrator passwords that enable bad actors to take control of them.
  8. Even if security settings on printers are set at time of deployment, they get unknowingly reset back to factory defaults (turned off).

Why Act Now to Secure Printers?

The easiest answer: because it’s the law (HIPAA) and you’re exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Also, other regulations that go beyond HIPAA mandates are regularly being enacted, exposing companies to even more severe penalties.

Symphion Applies Unique Cyber Hardening Service Solution to Broader IoT

Symphion, Inc., a leading software and services company focused on affordably eliminating risk and cost while maximizing operational efficiency in information technology, today announced the official launch of Symphion’s IoT Cyber Security as a Service solution. This new offering from Symphion is the only service available today to cost-effectively secure IoT devices, independent of make, model or type.

Regulators are recognizing the increasing exposures from Internet of Things (IoT) devices and are requiring manufacturers to add features to address security.

“New laws like California’s SB 327, which will take effect in January 2020, require connected devices to be secure,” stated Jim LaRoe, Symphion’s chief executive officer. “We’re just seeing the beginning of these types of regulations requiring that security features must be added by manufacturers to protect devices and the networks that they are connecting to. At Symphion, we recognized this need for printers, the most prevalent and mature Internet of Things devices, and designed our Print Fleet Cyber Security as a Service solution using artificial intelligence to identify and maintain preventative cyber hardening using the built-in security features. To address the broader IoT market development and the anticipated introduction of security features, we’re introducing our newest service, IoT Cyber Security as a Service.”

Currently, networked printers form the largest number of IoT devices across most enterprises in the US today – with the estimated number being above 100 million deployed on networks. Of those, it is estimated that less than two percent are properly configured for security, creating the greatest threat to network security today. Industries like healthcare, energy, finance and government are at significant risk due to increased regulations that have expanded fines for not properly securing IoT devices, including networked printers.

“We knew that cyber hardening all our printers (IoT devices), bringing them into change control and compliance reporting were what we had to do,” stated Jason Johnson, Marin General Hospital’s information security officer and president of the HIMSS Northern California Chapter. “Even with our print fleet of fewer than 1,000 printers and around 60 models, for us to try to manually do what Symphion does would easily have run us in excess of $400,000 per year for only a fraction of what they provide and would have been wholly ineffective.”

Symphion’s IoT Cyber Security as a Service™ is a turnkey security configuration management service for IoT devices, completely and remotely delivered by Symphion. This affordable service manages the available security settings (regardless of make or model), monitors those settings and automatically remediates them to their planned, controlled state.

For more information on where to purchase and service details, visit https://symphion.com