8 common printer cyber-hardening mistakes that could endanger your network.
Ladies Love Cool James (better known as “LL Cool J”) said it in 1990: “Don’t call it a comeback. I’ve been here for years.”
The same applies to printers (which we define as any device that creates an image, electronic or otherwise). They’ve “been here for years.” They started as benign, “dummy” copiers and simple dot matrix printers, but it’s not the 1990s anymore. Printers have evolved into amazing business-enabling devices that have huge hard drives, many advanced features such as built-in email, web, fax and file transfer protocol (FTP) servers and are deployed throughout corporate networks as trusted devices. Today’s printers are now servers that aren’t in data centers and that are open and available to be physically accessed by anyone (e.g. on wheels in an emergency room).
But healthcare leaders aren’t treating printers like servers when it comes to cybersecurity. They’re not including them in cybersecurity plans, information technology (IT) policies and procedures or change control.
Printers are the “forgotten servers.”
To illustrate what’s happening, a typical multi-function printer has been described like this (PDF):
“Please consider this scenario. An unknown device is placed into an enterprise network, behind network perimeter defenses like firewalls, IPS and other IT infrastructure, so that the device has unfettered access to all the corporate network resources. To maximize the device’s functionality, a webserver is embedded into the device. To make the device accessible, all the ports will be set as ‘open’ by default and enable the connectivity with as much as a gigabit of Ethernet connectivity. The device will have a rich OS-like Linux to maximize functionality. The device will not be examined on an ongoing basis using the enterprise’s vulnerability scanner, as the embedded web server will likely light up the organization’s SIEM tools like a Christmas tree with false positives. The vulnerability scanner will be configured to ignore the devices, leading to the conclusion, depending on the brand, that the device will not be updated, maintained or patched over five-year useful life or sometimes 10-year useful life of the device. Device protection will consist of a default password, and . . . third parties will maintain the device. The device will be core to organizational productivity, so there will be one of these devices for every 10 employees. Some might call this a nightmare; some might call this a printer.”
Printers are not being secured despite the facts that:
1. Health Insurance Portability and Accountability Act (HIPAA) requires printer security because printers in hospitals clearly “receive, maintain and/or transmit” electronic protected health information (ePHI) and even the most cursory examination of “reasonably anticipated threats and hazards” to printers triggers the HIPAA mandates.
2. Threats to the ePHI that printers receive, maintain and transmit are increasing and will continue to increase because of the widespread adoption of electronic health records (EHR) creating more ePHI, the black market for ePHI and the proliferation of unsecured Internet of Things (IoT) devices, such as medical devices, increasing more opportunities for hackers.
3. The stakes have never been higher for a data breach or failure to comply from even one unsecured printer — the average hospital data breach can cost over $13 million, including forensics, breach notification, lawsuits, lost revenue, lost stock and brand value, fine settlements and post-breach clean up. HIPAA and other regulatory fines alone can total in the millions of dollars for breach, such as $1.2 million for ePHI left on repurposed copiers and $3.2 million for a lost unencrypted laptop, iPod and blackberry.
You ask, “So, what can we do?”
The answer is to proactively manage all the printers in print fleets like you would your servers, desktops and laptops, including continuous IT asset lifecycle management (ITAM) (from cradle to grave) to account for all the printers in the fleet, at all times, cyber-hardening them (actively managing their configurations to secure them) and keeping them cyber-hardened — all with vendor agnostic automation.
Continuous ITAM is essential for securing any IT asset, especially assets that move around and get “hot swapped,” like printers in a dynamic large print fleet that constantly changes in composition, which includes nearly all print fleets. You can’t manage it if you can’t see it. Continuous automated cyber-hardening is also the only way to proactively address the “reasonably anticipated threats” as required by HIPAA.
The good news is that, thanks the evolution of printers, from dummy printers to today’s advanced machines, all such devices (regardless of make, model, vintage or type) have built-in security features that can be leveraged to cyber-harden them. Advanced print fleet cyber security automation will provide the visibility, command and control to allow information security professionals to choose controls that balance security and utility, to implement, manage and adapt those controls to meet changing needs and also provide reports for compliance purposes.
Other commonly considered security options fall short:
Doing nothing is not an option. HIPAA requires action and has mandatory penalties for failing to act. Moreover, the risk of an attempted hack or breach has become “when,” not “if.”
While DIY is possible for very small or homogeneous fleets using brand-specific printer manufacturers’ management software, DIY is not feasible for larger print fleets. They are too diverse and dynamic. Even if printers are deployed with the desired security settings activated, these settings regularly change during normal operations or routine maintenance, firmware updates and servicing by unknowing service personnel. To further complicate matters, a typical large printer fleet comprises many different printer brands, makes, models, ages, functions and specialty printers (label and 3D) — each with different available security settings.
The print fleet composition is also constantly changing with adds, deletes and hot swaps, and the settings are often not duplicated on the replacement printers such as hot swaps, end of lease and end of life. There are also frequent changes in printer brands and managed print service vendors, reconfigurations of the network and changes in the business such as mergers and acquisitions. It is effectively impossible to secure a large print fleet without comprehensive automation.
“We’ll just put all our printers on a separate subnet, change the administrator password from default and protect the subnet with a firewall.” No one would ever take this approach to securing their other servers, desktops or workstations. This approach ignores the complexities of the diverse composition and dynamic state of all print fleets. It also does not include cyber-hardening to address internal threats from employees such as transmitting sensitive data or accidentally injecting malware that was on corrupted media brought “from home.” Continuous visibility and cyber-hardening are also necessary to address the indirect external attacks on the business originating from unsecured, unmanaged IoT medical devices through printers (that are trusted devices on networks with full access). We’ve all heard about the example of the unsecured casino’s customer database server that was hacked from an IoT aquarium thermometer in the casino’s lobby.
Understandably, printer manufacturers (also known as original equipment manufacturers or OEMs) want customers to standardize on their newest printers. They tout their latest advanced cybersecurity hardware features managed by their own proprietary, brand-specific print fleet management software and professional services teams. If a completely homogeneous, newest-model fleet with a professional services tab fits your budget, this may be an option.
However, the realities are that budgets are tight and large printer fleets, especially in healthcare, are diverse, comprised of many brands, types and ages of printers and OEMs’ printer management software won’t include the whole print fleet because it’s technically limited to each manufacturer’s brand and latest model printers. Also, this approach requires regular systematic operation of OEMs’ software on their brand of printers for security configuration management, which is not being done. (Even the most advance security features aren’t effective if they aren’t used.)
MPS vendors are not focused on or trained in printer security. They focus on servicing printers and supplying consumables (toner and staples) to maintain the print service. They do not consider printer security configurations. Also, they don’t have automation to see or control printer security configurations. Common print fleet management tools are technically limited and do not report, monitor or remediate printer security settings. MPS vendors do typically resort to manual effort.
Many vendors, including MPS vendors, resell pull printing and enterprise output management solutions with some marketing messaging about print security. But these software products apply to other parts of the print stream, not the printers themselves. Enterprise output management software provides rules and queue management that protect the source data through the transmission to the proper output devices (directs who can print what, where and how). Pull printing software ensures that the person printing is the person viewing the output. Neither solution keeps track of printers throughout their lifecycle or cyber-hardens them against threats.
These solutions are reactive, “detect, not defend,” approaches to cybersecurity. While being sold as an effective security overlay, SIEM and DLP software products simply do not report or manage printer security configurations. Moreover, SIEM solutions deselect printers due to the incessant chatter, and DLP solutions do not include printers.
Professional services offerings are typically very expensive and, if they consider printers at all, may recommend security controls, but they do not secure printers and keep them secured. Compliance assessment services, while project-based, are point-in-time snapshots and are not ongoing delivery services. If these companies even consider printers, they rely on customers’ incomplete information or use immediately obsolete information from “walking the fleet” to manually check, both of which are not long-term solutions.
The message to today’s healthcare leaders is that even though printers “have been here for years,” they aren’t the same “dummy copiers” as in the 1990s and must be protected like the servers that they are, with automated IT asset lifecycle management and continuous cyber-hardening.
Symphion, Inc. is a Dallas, Texas based software and services company dedicated to excellence since 1999. Symphion’s leading-edge technologies and unique remote concierge solutions allow customers to affordably minimize risk and eliminate cost while maximizing operation efficiency. Contact Symphion here, visit its website or follow the company on social media (@symphionsecure).
Get the best insights in healthcare analytics directly to your inbox.