Hiding in plain sight: The overlooked risk to PHI data security

The U.S. federal government has classified MFPs as “workstations” – equivalent to computers and smart devices – and mandated that the Protected Health Information they handle be secured. Hospitals, clinics, and medical offices that don’t do so may face substantial fines.

An old saying suggests that if you’re hunting for a misplaced item, you’ll find it in the last place you look.

For hospital IT directors and compliance officers who are responsible for protecting their IT systems against hacks and data breaches, too often the “last place you look” is one of the least secure devices in the healthcare environment.

It’s the familiar MFP (multi-function printer), humming quietly in the corner as it makes multiple copies of patients’ “face sheets,” sends faxes with patient data to the wrong phone number, and forwards confidential (but unencrypted) information beyond the firewall.

Thieves can do plenty of damage when they steal physical property, as in the recent case of a Vermont medical practice where a break-in led to the theft of patient names, Social Security numbers, and treatment-related information for some 2,000 patients.

But MFPs don’t have to be physically removed in order to create painful vulnerabilities for the organizations to which they belong. Because they are connected to networks, contain drives that store images of the documents they handle, and have the multi-function capability to copy, print, fax, and scan documents, MFPs – if not protected – can be exploited in multiple ways.


“Copiers are workstations”

The U.S. federal government is alert to this risk. In March 2014, the Department of Health and Human Services defined printers and copiers as “workstations,” in the context of risk assessment for healthcare organizations. As such, printers and copiers must use the same kind of “administrative, physical, and technical safeguards” to secure PHI (protected health information) as other computing devices, to comply with the HIPAA (Health Insurance Portability and Accountability Act) Security Rule.

The penalty for not securing all those printers, copiers, and MFPs? Potentially, millions of dollars in fines, not to mention damage to patient confidence and the organization’s reputation.

To date, hospital IT directors and compliance officers have been slow to make the new federal requirements a priority. But the vulnerability that unprotected MFPs create for their IT systems, along with the steady drumbeat of news about healthcare data breaches, should provide incentive to take action.

For its part, the Office of the National Coordinator for Health Information Technology (ONC) has released software tools and guidance to healthcare professionals on how to assess and remediate their organizations’ risk.

Still more powerful tools for ensuring that PHI is properly protected come from today’s advanced capture and workflow software. These solutions deliver a wide spectrum of capabilities that are optimized to meet the specific requirements of the HIPAA Security Rule, as it applies to scanning, faxing, and printing on MFPs. Key features include user-centric workflow; authentication; encryption; audit trails; and secure print release from EHR (electronic health record) systems.

The use of these capture and workflow solutions on MFPs adds a layer of document security and control to the paper-based and electronic processes by which a healthcare organization exchanges PHI today. As a result, the MFP can be transformed from a locus of risk and uncertainty to a source of security and confidence, for patients, employees, providers, and administrators.


Jeff Segarra


Jeff Segarra is the Senior Director of Product Marketing for the Nuance Document Imaging Division. He is responsible for the global team that delivers industry product positioning, messaging and content to help our customers around the world identify how Nuance solutions can meet their needs. He enjoys speaking and writing about business process improvement, The Internet of Things, document security, document conversion technologies and personal productivity. He has an MBA from Iona College, Hagan School of Business and has been working with software technology for 20 years. Jeff is an original New Yorker and, therefore, a staunch Yankees fan – in the heart of Red Sox nation.