Seemingly harmless and passive information processing devices in the hospital environment have now become the target of cybercriminals: beware!
When it comes to data security, healthcare organizations are stuck between a rock and a hard place. To provide proper patient care, clinical staff need access to the right information quickly. At the same time, the law requires them to protect the sensitive data included in electronic medical records (EMR).
A wide array of devices are used to collect and transmit patient data: computers, mobile devices, IV pumps and X-ray machines. Today, all of these are connected to the internet, the hospital network and other medical technologies, even though many of them have few, or no, security protocols in place.
The situation is made even more complex by the public nature of hospital environments. Many connected devices containing sensitive data are left unguarded, leaving the entire network exposed. The result is an increase in cyber and data security threats.
It is clear that healthcare organizations need a comprehensive security strategy to protect against breaches. The best of these is a systematic approach that tests all connected devices for vulnerabilities. Once identified, security threats should be prioritized so the most severe can be addressed quickly.
Regular software updates and patches are just as important, as is replacing outdated equipment with new devices that have security built in. Because they do not stand out as threats, multifunction devices, printers and imaging devices are often overlooked during security reviews. In reality, however, these seemingly innocuous devices handle a lot more data than people realize.
Healthcare organizations are prime targets
A close look at some data demonstrates just how prevalent and damaging security breaches are in the healthcare world.
Across all industries in the US in 2019, there were 1,473 data breaches with over 168.68 million sensitive records exposed. But it is not just cyberattacks that cause harm. According to data from Ernst & Young, 34% of organizations see careless or unaware employees as the biggest vulnerability.
Healthcare data breaches, in particular, are on the rise. Consider:
- The number of data breaches involving more than 500 health records increased from 371 to 510 between 2018 and 2019, representing a 196% increase.
- Over the 10-year period between 2009 and 2019, a total of 3,054 healthcare data breaches occurred, involving more than 500 records. As a result, nearly 231 million healthcare records were lost, stolen, exposed or disclosed without permission, representing almost 70% of the US population.
- In 2019 alone, more than 4.5 million records were improperly exposed because of employee error, negligence or acts by malicious insiders.
Exposed medical data can cost healthcare organizations millions of dollars in federal and state fines, civil actions, corrective action plans, credit monitoring, identity theft and lost business. In 2016, Advocate Health Care Network paid US$5.5 million in fines for multiple violations that jeopardized the electronic health records of more than 4 million patients.
HIPAA (Health Insurance Portability and Accountability Act) penalties alone range from US$100 to $50,000 per violation. Fines are classified into tiers according to whether the offending organization should have been aware of the breach and the precautions it did—or did not—take. Simply put, taking the necessary steps to prevent and identify breaches before they occur minimizes the fines that loom if an incident does occur.
The hidden security problem in healthcare organizations
Healthcare organizations cannot afford to leave any device out when implementing security measures. At first glance, printers and imaging devices may seem basic and safe enough, but they are actually a hidden threat within hospitals and healthcare offices. As HP’s Enrique Lores asserted: “Unfortunately, printers have joined network computers, laptops, tablets and smartphones as increasingly popular entry points for hackers and careless (or unscrupulous) employees to breach networks, steal sensitive data or cause digital mayhem.”
The constant flow and turnover of people in healthcare facilities makes it all too easy for criminals to take advantage of an empty workstation to wreak havoc and steal documents. As more organizations expand mobile access to printers, control becomes even more lax.
Employees may print a sensitive document remotely and either leave it sitting for hours before retrieving it, or simply forget about it altogether. Yet only 18% of companies monitor printers for threats, according to a Spiceworks survey sponsored by HP. Clearly, the number needs to change.
The content-aware print and capture solution
Healthcare organizations must implement greater controls over when and how documents are printed and who has access to output trays. The first step is to create a print security framework that includes devices with security built-in and content-aware print and capture technology.
Traditional print management tracks items such as the data header, where a document was printed from and who printed it. Content-aware print management tracks all of this information, plus the contents of the document itself. A comprehensive, advanced content-aware solution combines print, capture and output management to minimize security breaches and reduce compliance costs.
When looking for a solution, make sure it offers:
- The ability for users to specify which printer is used over a network, and the option to hold printing until the individual is physically at the printer.
- An enterprise audit trail of what is being printed or captured.
- Prevention of inappropriate printing of personal, sensitive or confidential information.
- Automatic redaction of sensitive data, such as Social Security numbers and NHS numbers, when documents are printed or shared beyond a list of authorized people.
- Automatically generated audit trails of printed documents to ensure compliance with regulations such as HIPAA and GDPR.
- Secure mobile authentication for printing and capturing.
- Rules-based controls including restrictions on document printing.
- Multi-channel capture integration including mobile, multifunction printers, desktops and email.
- Integration with EHR systems and HL7-compliant clinical systems.
- User authentication at the multifunction device by ID card or mobile device to enforce end-user access to the device and/or block use of device features (print, scan, fax, etc.).
- User permissions to control and track what documents and locations an end-user can access at a multifunction device.
- Limits on outbound destinations including fax and email to pre-defined recipients, to mitigate exposure of sensitive healthcare information.
- Document encryption to protect data in motion and at rest.
- High availability of print and capture workflows to mitigate the impact of a network outage.
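
To make the redaction and audit-trail items above concrete, here is an added sketch (not code from any vendor or product named in this article) of a content-aware check on one print job. The function names, the user and printer names and the sample text are all constructed for illustration.

```python
import hashlib
import re

# US SSN layout, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Ten digits in the usual 3-3-4 NHS grouping; confirmed by checksum below.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def nhs_valid(candidate):
    """NHS numbers end in a Modulus 11 check digit; checking it cuts false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == digits[9]

def process_job(user, printer, text, authorized):
    """Return (text to release, audit record) for one print job."""
    findings = []

    def mask(kind):
        def repl(match):
            if kind == "NHS" and not nhs_valid(match.group()):
                return match.group()          # e.g. a phone extension
            findings.append(kind)
            if user in authorized:
                return match.group()          # authorized: print as-is
            return "[REDACTED-%s]" % kind
        return repl

    out = NHS_RE.sub(mask("NHS"), SSN_RE.sub(mask("SSN"), text))
    audit = {
        "user": user,
        "printer": printer,
        "findings": sorted(findings),
        "action": "release" if user in authorized or not findings else "redact",
        # Store a hash, not the content, so the trail itself holds no PHI.
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
    }
    return out, audit

# Constructed sample job text (no real patient data).
SAMPLE = "Patient NHS 943 476 5919, SSN 123-45-6789, extension 555 123 4567."

if __name__ == "__main__":
    print(process_job("clerk", "mfp-3", SAMPLE, {"dr.lee"}))
```

Every job produces an audit record whether or not anything is redacted, which is what allows the trail to serve as evidence of due diligence later.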
Unified printing, scanning and automated workflows help healthcare organizations manage, secure and govern sensitive documents. Workflows and process automation make sure the right information gets to the correct people.
Automatic audit trails generate credible reports to demonstrate compliance. In the event of exposed data, audit reports can document the due diligence an organization took, helping to reduce fines.
Content-aware print and capture technology gives healthcare organizations the power to address one of the biggest security threats hiding in plain sight. With it, they will improve security, productivity and compliance—and work like tomorrow, today.