Guest post by Sean Hughes, EVP managed document services, CynergisTek.
Healthcare has spent a significant amount of both human and financial capital addressing the security of their environments over the last several years – but have we forgotten a major vulnerability?
Printers and print-related devices (e.g. copiers, fax machines, scanners, etc.) continue to be a major component of our infrastructure and a big part of our clinical and business workflows, yet in most organizations, they continue to represent a gaping hole in our defenses. The advent of the EHR has not equated to the perceived reduction in print, but rather some research shows it’s responsible for an 11 percent increase in print in healthcare over the same time as the implementation of this technology. This increase in print volume brings with it an increase in the number of devices required to process the paper.
The approach most organizations have taken related to the security of these devices falls into one of two categories: segmentation of the network or reliance on manufacturers for “secure” devices. These approaches vary significantly from the approach most organizations have taken for other endpoint computing devices and leaves an organization open to the possibility of negative outcomes.
The industry has seen an increase in the computing power of these devices (e.g. internal hard drives, scan to file or application, residual data on devices, mobile printing, USB-enabled device access, etc.) and the bad guys are aware of this. More and more we see stories in the news of print devices being used as entryways for bad guys to circumvent our protections and put our data and our organizations at risk. According to an article published by BBC News in February 2017, “Hacker Briefly Hijacks Insecure Printers,” a hacker was able to access more than 150,000 printers that were briefly left accessible via the web.
The most effective way to address this threat is to treat these devices no differently than all our other data endpoints, be it a desktop, server, or any other piece of infrastructure. We need to look at these devices and ensure they meet the same security standards.
The most effective way to mitigate risks starts with knowing what the risks are. The first step should be a comprehensive printer fleet security assessment that is part of your overall security program. This can be accomplished either through your internal processes or by engaging a competent third party. Either way, you need to know what you don’t know, and you need to know it now.
The results of that assessment will drive the remediation efforts as well as define the ongoing measures our organizations should take. These steps will be directly related to the vulnerabilities identified but will most likely fall into the following categories: