HIPAA security requires protection for servers and various endpoint devices. However, many healthcare organizations do not realize printers need the same attention.
Most covered entities and business associates do not appreciate how printers have evolved from “dummy copiers” to today’s complex business machines that include multiple servers built directly into them, explains Jim LaRoe, CEO of Symphion, a software and services company in Dallas. The competition among printer manufacturers has driven the inclusion of web servers, file transfer protocol servers, fax servers, huge hard drives, and many other advanced capabilities, he notes. Yet, printers, unlike standalone servers, are maintained outside of data centers without the physical and technical safeguards that are common to data centers.
“They are also managed by nonsecurity, non‐IT professionals, not the heavily credentialed system administrators like in data centers, and are not included in IT policies and procedures,” LaRoe adds. “Moreover, printers, like laptops, are mobile throughout the enterprise. They are often on wheels.”
HIPAA’s general mandates require covered entities to ensure the confidentiality, integrity, and availability of PHI the business creates, receives, maintains, or transmits. HIPAA also requires covered entities to protect against any reasonably anticipated threats or hazards to the security or integrity of information. “Printers in hospitals clearly ‘create, receive, maintain, and/or transmit’ electronic PHI,” LaRoe notes. “Moreover, even the most cursory examination of reasonably anticipated threats and hazards to the security and integrity of that ePHI triggers the HIPAA mandates to protect printers.”
Specifically, HIPAA requires covered entities and business associates to assess current security and risks for ePHI across the entire enterprise. That includes assessing the risks presented by printers and implementing a security plan, policies and procedures, and controls that address vulnerabilities and risks. The entity must monitor, record, and evaluate implemented security settings to ensure the security plan and controls are maintained vigilantly, according to LaRoe.
“Neither hospitals nor enterprises are dealing with network printers correctly. That makes them one of the biggest security threats for 2019, especially considering that breaches are getting more costly,” LaRoe warns. “Since every printer on a print fleet can provide hundreds of vulnerabilities, and many hospitals can have thousands of printers, the message is clear. Even though printers have been here for years, they ... must be protected like the servers that they are, with automated IT asset life cycle management and continuous cyber hardening.”