Closing the Security Gap: How Many Devices are on Your Network?

Nov. 28, 2017
Most healthcare organizations don’t know the full inventory of devices that are connected to the network or that print devices pose dangerous risks.

We are in the final days of 2017 and everyone is readying themselves to turn the calendar and looking forward to a prosperous 2018. Those of us in healthcare are no different. We are anxiously awaiting the start of the New Year with hopes of better days and less worries. 2017 has been full of uncertainty, change, challenges and ever-evolving threats to our business—both from traditional sources as well as new, and maybe even scarier, ones.

Many of the threats to our business in 2017 we will continue to see next year. Specifically, going into 2018, we will likely see declining patient volumes, reimbursement issues and a shifting political landscape that could impact the regulatory climate. However, the most worrisome of all are the ever-increasing and evolving security threats to our industry from those that mean us harm, which will continue to prevail in 2018.

It’s no coincidence that as soon as healthcare started to invest huge sums of money and effort into implementing technology to digitize patients’ personal information, there has been a spike in cyber criminals working hard to get to this protected and valuable data. Healthcare has responded to cyber threats with increased awareness, effort, and technology to secure the data and prevent unauthorized individuals from accessing our systems and information. With each advance for the good, the other side has also taken an additional step and has now begun to realize that, in many cases, we have left a window open in our secure castle.

Sean Hughes

What is surprising to many is the potential threat presented by printers and print devices—an often forgotten endpoint in our network security efforts. It may sound unrealistic that a simple thing like a printer could be an access point that could potentially bring down our fortified defenses, but that’s the truth. Print devices are just like all endpoint devices, including biomedical devices and the infamous and emerging Internet of Things (IoT—mobile devices, phones, tablets, home monitoring devices, wearables, etc.). Most healthcare organizations don’t know the full inventory of devices that are connected to the network or that print devices pose equally dangerous risks. The fact that print devices are an emerging vehicle of penetration into our systems by those that mean us harm is too often overlooked or forgotten. This threat is real, and best evidenced by the recent report of several hundred devices of a particular manufacturer exposed directly to the internet as a result of a vulnerability within the devices.

Printers and print devices have evolved over time and are no longer just an innocuous device at the end of our network simply used to output paper. These devices have increased in their computing power to the extent that many of them have as much or more than the desktop or laptop that is printing to them. They are used every day to send, store, and receive protected health information (PHI) and other sensitive data. Adding to this is the fact that in most organization’s ownership of print is disjointed. Now you are probably saying that is not the case—printers are IT right? Well, what about the copiers, fax machines and scanners? Are these supported by IT or are there third-party support organizations involved? If there are third parties, is it clearly defined and documented who owns security of the devices and the data stored or moved through them? What about the liability if something were to happen?

These devices are connected to the hospital network, or even more precarious, connected locally to a desktop or laptop, and therefore may not be discoverable or monitored on your network. They usually get deployed with the manufacturer’s default setting, making them extremely vulnerable and usually not in compliance with an organization’s own security standards. Most devices need to be wiped of any potential data to a certified standard that someone needs to be tracking.

Furthermore, according to Logicalis, healthcare has seen an 11 percent increase in print since the implementation of electronic health records (EHRs) and other technology that we have been so busy implementing. Print volume is up and having a big impact. In fact, according to a presentation by OCR (the Office for Civil Rights) in September 2017, 21 percent of breaches impacting over 500 individuals were the result of paper. The culmination increased print volume, more technologically capable devices, and lack of a single entity to “own” print, makes this aspect of healthcare infrastructure prime for attack. Yikes!

Addressing the Challenges

First of all, we must treat print devices just like all other devices connected to our networks. We must start by consolidating print responsibilities and aligning our efforts to achieve the most optimal outcomes. Once we have centralized it, we need to understand what our risk and vulnerabilities are. This can be done by assessing our risk and pulling our print infrastructure and processes under the same microscope we have for the rest of our environment. Performing a comprehensive print device risk assessment should provide an understanding of the vulnerabilities in your environment and allow for the development of a comprehensive remediation plan specific to your organization.

Lastly, healthcare organizations should look at their print utilization and identify ways to reduce the volume of print it produces. That should help decrease the need for the print devices and the associated risk that inherently comes with every single one of them to your organization. Not only will this address security, but it will improve efficiencies and lower costs associated with print output.

Sean Hughes has more than 25 years of experience in a variety of positions within mid- to large-size healthcare delivery systems and has spent the last 15 years in a variety of senior IT leadership roles.