HIPAA’s Security Rule mandates a comprehensive risk analysis. Yet, printers are not being included.
In hospitals and clinics, printers are mission-critical. They enable important aspects of patient care such as admissions, discharges, labs, pharmacy, and ER data. They also receive, transmit, process and store the most sensitive patient information and provide open access to other systems.
So, why then are healthcare providers ignoring their printers in their cyber security efforts?
Is it because business leaders believe that they’re “just printers” and not at risk? Do they think they’re completely digitized with EMR adoption? Is it because there is no fear of getting caught for non-compliance?
The answer is: Yes.
The Facts to Know
20 Percent of Endpoints: Printers across all healthcare providers account for 20 percent of each provider’s network endpoints.
Most Sensitive Data: They receive, transmit, process and store ePHI, ePII and research data—the most sensitive and valuable information. That’s the same information that HIPAA requires covered entities to protect.
99 Percent Unprotected: Yes, 99 percent of all printers are unprotected. They have built-in security features, but they aren’t used. There is no process to protect them and keep them protected, as there is for PCs and servers.
Softest Targets: Rather, printers sit as the softest targets, with factory defaults such as administrator passwords available on the internet, unconfigured for protection, unpatched, unmonitored for changes. They offer unguarded, unhardened direct entry points into the corporate network, unwatched by IT or IS. Just one criminal and one printer can take down a whole network and bring patient care to a halt.
Mission Critical with Patient Risk: Printers aren’t going away. They remain mission critical to patient care. Print-service outages, data theft, and ransomware outages present the gravest danger of all—risk of harm to patients.
Criminals Know: The criminals know it and view healthcare providers, and especially their printers, as the softest, most valuable targets of all for data theft and ransom.
The Statistics
92 Percent: According to the HIPAA Journal, 92 percent of U.S. healthcare organizations experienced a cyber attack in the past year.
$9.77 Million: In addition to the reputation damage and brand erosion, these breaches can be financially costly, with the average breach reaching $9.77 million, the highest average cost for data breaches in any industry.
78 Percent: Healthcare leaders know that cybersecurity is a priority. Deloitte’s 2025 Global Health Care Outlook report notes that 78 percent of healthcare leaders say that enhancing cybersecurity is a priority this year.
Why Are They Unprotected?
Surprisingly, the biggest challenges to protecting print fleets are complacency-driven. Complacency is the enemy of cyber security protection.
Printers are no longer just paper-output devices. They are complex business machines with extensive business-enabling capabilities such as built-in web servers, email servers, and file-transfer capabilities—yet healthcare organizations are not protecting them as they do their other endpoints.
Why are printers being left unprotected?
Printers, Procurement and Turf Wars
For decades, printers have been treated as simple office equipment procured and managed by the supply chain/procurement departments focused on eliminating unnecessary costs, not focused on cybersecurity. Printers started as basic analog devices, but manufacturers have since added complex features, turning them into powerful, networked endpoints. However, they’ve remained outside the purview of IT and security teams, leading to a lack of understanding and attention.
Ignorance
Unlike their PC and server cousins, printers, which are IoT devices, represent unknowns on many levels. Printers, like other IoT devices, present a disparity in operating systems; for instance, even printers of the same brand and model offer different configurability when they run different firmware versions. The lack of a common management platform and the differences between printers and other endpoints have simply not been fully understood.
Complacency
Allocating personnel and cost for a legacy technology is a tough sell to budgeting and is not as interesting as talking about the latest artificial intelligence.
No Risk of HIPAA Non-Compliance
Providers know that the OCR is overloaded with complaints each year. They also know that many warnings are given before the OCR takes action and the risk of a fine is minimal.
What To Do?
The answer to “What to do?” is to take action now, before it’s too late. Organizationally, the action must be driven from the top.
Step 1: Decide on the Owner of Printer Cyber Security in Your Organization
It starts with who owns the cybersecurity risk affecting these highly vulnerable endpoints that are 20 percent of the network endpoints and that can shut down the entire business and harm patients. This is not for supply chain/procurement whose focus is contracts and cost. Or, it can be a policy provided to supply chain/procurement with frequent audits, enforcement and penalties for lack of compliance. Either way, we suggest a single executive owning it.
Step 2: Add and Fund the Print Fleet Security Line Item to the Annual Budget
This may sound basic, but there have been real-life scenarios of providers that continued unprotected for two years after getting hacked through a printer. They spent the two years trying to cram the cost of print fleet cyber security into their “next” managed print services contract through supply chain/procurement, or adding it to a break-fix-and-toner contract with providers not equipped to address it. Additional scenarios have involved other businesses endlessly debating internally over competing priorities—all to do nothing to protect themselves.
Step 3: Scrutinize the Options Presented to Establish a Robust Cyber Hygiene Program that Affordably Addresses the Unique Risks Presented by Printers
Proposed options from the print industry typically pay “lip service” to the “security” of these complex endpoints and fail to establish and maintain even the most basic cyber hygiene; examples are one-time “set and forget” approaches and brand-only focuses. These approaches create a false sense of security and do not address the risks, eventually leading to unnecessary cost and patient-care interruptions. The program should be continuous and perpetual, not a one-time project, and not tied to one brand of printers.
Step 4: Take Action Now, You Are at Risk Now
The most important step of all is taking action now. All it takes is one unprotected printer to take down your whole organization.
Printers remain the most overlooked and prevalent unprotected endpoints of healthcare IT infrastructure. That’s a recipe for disaster in today’s cybercrime climate.

Jim LaRoe
Jim LaRoe is Symphion’s dynamic leader with a special combination of skills, experience and insight that has driven Symphion’s success since inception to the world’s leader in print fleet cyber security. With a specialty in protecting the healthcare industry, Symphion’s focus has been on continual innovation, seamless delivery, affordability of its solutions and a dedication to excellence in customer service.