To Protect Patient Data, Don’t Forget Scanners and Printers

By Jim Cropper, director of healthcare Sales, Brother International Corporation.

Jim Cropper

Almost every day, a news story breaks about a cyberattack hitting a healthcare facility. Healthcare is one of the most highly targeted sectors, and hacks cost the industry $4 billion in 2019.

It’s challenging to stay ahead of malicious actors, and since healthcare is such an attractive target, leaders in this field need to be especially alert. IT teams must protect the vulnerable internal systems safeguarding patient data without falling victim to costly ransomware, for example.

Modern hackers know the most vulnerable parts of enterprise systems. That puts medical centers at a disadvantage because they are susceptible to frequent, sustained attacks. Many of these facilities also lack adequate incident response protocols, and they don’t have enough capital in their budgets to replace legacy software and devices. But with a few simple, smart steps, facilities can still significantly uplevel the protection of patient data.

Step one is understanding all the different methods cybercriminals employ when breaching health systems. Some infiltrate clinical labs by exposing vulnerabilities on their websites, while others exploit lax server protections. Employee email accounts are also a common offender since unauthorized third parties can access patient information through phishing.

One worrisome aspect is how many data breaches are the result of internal negligence. Unencrypted laptops, smartphones, and flash drives are an all-you-can-eat buffet for cybercriminals when forgotten and left exposed.

In particular, there’s one standard device that isn’t part of most health systems’ cybersecurity focus, though it should be: the Multi-Function Printer (MFP), which is an easy target because they’re often overlooked, and because so many vital documents flow through these workflow hubs. Keeping such a large volume of data out in the open is an enormous security risk.

Print and scan devices handle untold numbers of medical records, for instance, which could easily fall into the wrong hands. The exploits don’t even need to be fancy or high-tech: anyone can swipe papers from output trays if left unattended, or physically upload malicious code through USB ports to access an MFP’s cache to spy on networks and exploit data.

In some ways, clinics are still using just as much paper as a decade ago because numerous laws and regulations mandate that doctors, nurses, and patients exchange important information like medical records and health histories on paper forms to prevent cybersecurity risks, chief among these regulations being the Health Insurance Portability and Accountability Act (HIPAA). At the same time, other regulatory factors are putting a strong emphasis on scanning and digitization functions to increase ease of use and accessibility. For example, recent presidential administrations set aside millions of dollars in federal funds to kickstart the digitization of electronic records, step one of which is scanning them.

Whether printed or scanned, there still needs to be stringent cybersecurity protocols for dealing with sensitive patient data, especially when it’s transacted in common areas where MFPs are usually located. Healthcare facilities must include these devices in their endpoint security plans. This crucial investment will help reduce risk and strengthen the network from the ground up.

In addition to awareness, there are also many strategies facilities can deploy. At the most basic level, IT teams must regularly update all devices to ensure they stay current with the latest firmware and use strong admin passwords. Even more importantly, organizations need to train staff in cybersecurity best practices given that internal negligence often plays a significant role in data breaches.

For MFPs specifically, one method that significantly uplevels document security is ‘pull printing.’ This feature stores documents on a centralized server until users retrieve them. Each person must input a unique code or swipe an ID card to get their files, which reduces the risk of sensitive documents falling into the wrong hands. There are also security-focused printers intentionally made without hard drives so that they don’t save file copies in their memory after usage. Brother International Corporation offers both options as part of its mission to promote smart document workflow management in healthcare.

Every health facility must keep patient data secure so all parties can exchange information safely. But that task becomes more difficult in a large system, in which doctors and nurses send the organization’s most important files to unprotected MFPs. That’s an invitation for bad actors to infiltrate networks, expose patient medical histories, and attack healthcare operating systems. Bottom line: clinics and other facilities must strengthen internal device protocols to ensure cybercriminals can’t access valuable patient data.

Write a Comment

Your email address will not be published. Required fields are marked *