An old saying suggests that if you’re hunting for a misplaced item, you’ll find it in the last place you look.
For hospital IT directors and compliance officers who are responsible for protecting their IT systems against hacks and data breaches, too often the “last place you look” is one of the least secure devices in the healthcare environment.
It’s the familiar MFP (multi-function printer), humming quietly in the corner as it makes multiple copies of patients’ “face sheets,” sends faxes with patient data to the wrong phone number, and forwards confidential (but unencrypted) information beyond the firewall.
Thieves can do plenty of damage when they steal physical property, as in the recent case of a Vermont medical practice where a break-in led to the theft of patient names, Social Security numbers, and treatment-related information for some 2,000 patients.
But MFPs don’t have to be physically removed in order to create painful vulnerabilities for the organizations to which they belong. Because they are connected to networks, contain drives that store images of the documents they handle, and have the multi-function capability to copy, print, fax, and scan documents, MFPs – if not protected – can be exploited in multiple ways.
“Copiers are workstations”
The U.S. federal government is alert to this risk. In March 2014, the Department of Health and Human Services defined printers and copiers as “workstations,” in the context of risk assessment for healthcare organizations. As such, printers and copiers must use the same kind of “administrative, physical, and technical safeguards” to secure PHI (protected health information) as other computing devices, to comply with the HIPAA (Health Insurance Portability and Accountability Act) Security Rule.
The penalty for not securing all those printers, copiers, and MFPs? Potentially, millions of dollars in fines, not to mention damage to patient confidence and the organization’s reputation.
To date, hospital IT directors and compliance officers have been slow to make the new federal requirements a priority. But the vulnerability that unprotected MFPs create for their IT systems, along with the steady drumbeat of news about healthcare data breaches, should provide incentive to take action.
For its part, the Office of the National Coordinator for Health Information Technology (ONC) has released software tools and guidance for healthcare professionals on how to assess and remediate their organizations’ risk.
Still more powerful tools for ensuring that PHI is properly protected come from today’s advanced capture and workflow software. These solutions deliver a wide spectrum of capabilities that are optimized to meet the specific requirements of the HIPAA Security Rule, as it applies to scanning, faxing, and printing on MFPs. Key features include user-centric workflow; authentication; encryption; audit trails; and secure print release from EHR (electronic health record) systems.
The use of these capture and workflow solutions on MFPs adds a layer of document security and control to the paper-based and electronic processes by which a healthcare organization exchanges PHI today. As a result, the MFP can be transformed from a locus of risk and uncertainty to a source of security and confidence, for patients, employees, providers, and administrators.