According to the OCR, 21% of breaches impacting greater than 500 individuals were the result of printed pages
There is a common misconception that printing decreases when an electronic health record (EHR) is implemented, and many assume that the print infrastructure—and even the printed document—are covered from a security and privacy perspective.
All of these assumptions are wrong.
According to Logicalis, healthcare has seen an average increase of print post-EHR implementation of about 11%. Print Audit recently reported that healthcare has seen a 118% increase in average pages printed per day, per user. That means that a 1,100-bed health system is printing 8 million pages per month on average, or 96 million pages per year. And the numbers are increasing.
This is probably a surprise to most in the healthcare field, as it is common for organizations to lack overall visibility in terms of print output or costs. The assumption that EHRs would reduce paper was flawed because not everyone is on the same system, not all systems can “talk” to one another, and, most importantly, organizations do not always fully understand print utilization when implementing electronic solutions—so they may not effectively solve the issues driving print in the first place. Oftentimes, a printed page is faxed internally from one floor of the building to another, only to be scanned back into the system because no one has been informed that data can be shared in a better, more cost-effective way.
So how does the increase in printing, even post-EHR, affect the risk of the devices or printed page?
First of all, the number of print devices (printers, copiers, multi-function devices) has increased by an average of 6% because of the increased volume and the lack of visibility into actual utilization compared to need. Just because the overall volume has increased doesn’t mean more devices are necessary. On average, healthcare only uses about 35% of its multifunction (copier) capacity and only 11% to 15% of the print fleet capacity, yet the industry continues to add more devices all the time.
These additional devices each represent an increased risk factor simply because they will be connected to the network and store or pass data. Print devices also inherently have vulnerabilities, no different from any other computing device, yet they are regularly left out of, or forgotten in, most organizations’ security programs.
In a survey conducted by the Ponemon Institute, 55% of the respondents stated that their organization’s security policies did not include network-connected printers or were unsure, while 62% were pessimistic about the ability to prevent loss of data contained in printer memory and/or printed documents. These fears have become reality for some organizations as the vulnerabilities have been exposed and breaches have occurred. For example, there were reports on the individual who caused thousands of printers to print Nazi flyers, and the hacker who hijacked thousands of publicly exposed printers just to prove they were vulnerable. Most recently, an internal resource at the University of Chicago alerted the student newspaper that there were hundreds of devices, including printers, being exposed directly to the internet.
The increased risk comes not just from the vulnerability of the physical device but also from what the data is and how it is used after being printed. According to the Office for Civil Rights (OCR), 21% of breaches impacting greater than 500 individuals were the result of printed pages. Think about how many pages are being printed today and how much potential there is for sensitive or protected data to be on any of those documents. The numbers can be astounding. A single Microsoft Excel document can have over a million rows of data on it and any one of those rows could contain data that needs to be protected.
Remember that 1,100-bed health system, the one with the 8 million printed pages per month? Assume it has over 2,000 devices (printers, copiers, etc.) in its environment, and further assume that the organization is doing a better-than-average job of including the print devices in the security program (recall that only 45% of the survey respondents could say they were). What are the realistic chances that the health system properly disposes of all 8 million printed pages within a given month? Those odds are not favorable.
Organizations can reduce their print risk and decrease associated print costs with the right approach. Looking at this from a volume perspective can move the needle on all fronts. By driving down volume, the need for so many devices is decreased (reducing the threat landscape). At the same time, printing less can also reduce the chances that the printed page leads to a breach. Attacking volume allows for the greatest opportunity to drive the biggest change.
Unfortunately, most organizations fall prey to the approach of trying to reduce risk by replacing the device with the latest and greatest. This may solve the immediate issue, but how long until that specific device becomes a weak link due to a vulnerability? Plus, that device replacement approach does not address the risk of the printed page.
Printing is rising and devices are increasing, and with that comes increased risks—and it’s imperative that they be addressed.
Sean Hughes is the executive vice president of managed print services at cybersecurity firm CynergisTek.