Confronting the HIPAA Risk of the Aging Network Printer

By Marty Puranik

HIPAA compliance is a broad concern. You can start to understand just how wide its parameters are when you consider the tripartite safeguards that are necessary to meet the Security Rule, spanning administrative (e.g., staff training) and physical considerations (e.g., CCTV cameras), as well as technical ones (e.g., in-transit and at-rest encryption). Those protections are focused on data though, electronic protected health information (ePHI). Protected health information on paper must also be safeguarded – and the machines that turn your ePHI into PHI can be a key point of risk.

Network printers are often not very well protected, particularly if they are older. Because they do not have recent updates and stronger, more innovative security features, hacking is a serious threat. Printers are also tricky, as noted above, because of what comes out of them: hard copies that exist beyond the scope of any data-loss prevention strategies the organization might have deployed. Violations related to privacy failures and loss of data can also occur.

How printers are vulnerable

Before we even start to think about specific exploits, vulnerabilities introduced by printers generally include:

• Eavesdropping – Cybercriminals can monitor your network and collect all the files that you print.
• Storage – If the printer has a hard drive, it is capable of storing anything you send through it to copy, print, or fax. What that means is that your printer actually may contain sensitive information long-term.
• Hard copy snooping or theft – A person can walk up to a printer and take or simply look over a paper that is not theirs. An action like that is probably a HIPAA violation since that person is likely unauthorized.
• Web hacking – It is not all that complicated for an individual to hack a printer connected to your network. It is particularly easy to get onto your printer if its security safeguards are obsolete.

Study reveals specific exploit avenues

Brother, Dell, HP, Konica, Kyocera, Lexmark, OKI, and Samsung would seem to be a lineup of strong computer manufacturers that would help your business stay secure. However, in a 2017 German study, computer scientists analyzed 20 printers from these companies and found that all of them were susceptible to breach. The research team used a tool it had developed call PRinter Exploitation Toolkit (PRET), which, built in Python, discovered new attack vectors as well as old ones left unprotected.

One of the key ways the hacking team infiltrated the devices was through PostScript malware; this tactic was used to manipulate files in 2016, allowing someone to hijack printers around the United States and force them to print flyers containing racist hate speech. To wage these attacks, an attacker can enter through various means, such as remote access through a malicious site via cross-origin resource sharing (CORS) spoofing or cross-site printing (XSP). They can alternately enter through remote access over the local network, or via USB. You can also often access entire file systems, including web server passwords, via PostScript in conjunction with the Printer Job Language (PJL). Commands that utilize the PJL interpreter can be leveraged in attacks to access web server passwords and other critical private data within the nonvolatile memory (NVRAM) of devices, or to physically harm the NVRAM. Buffer overflow issues with PJL and the Line Printer Daemon (LPD) also make denial of service (DoS) attacks possible, as well as the execution of arbitrary code. These compromises can be achieved through the remote deployment of CORS spoofing and SXP, as well as locally.

Steps to keep your printers secure

You want to put as much priority on your printers as you do on your computers when it comes to hardening them. When the printer manufacturer announces security issues or releases new firmware, you want to be acting on it immediately. Other general steps to helps secure your printers are to disable protocols you are not using, update passwords from the defaults, and implement firewalls. You also want to watch your printers to determine that you have not reverted to default credentials or reopened ports accidentally via hard resets or other means.

Use a pull-printing platform. When you have users pull print jobs, anything that will be printed goes to a queue through which jobs can be pulled from a printer with either a password or an ID card. This process reduces the risk of pushing print jobs to printers.

Finally, have a greater awareness of hard copy security. Any documents containing PHI or other sensitive information should never be left available for anyone to see or take.

A HIPAA-safe ecosystem

Old office printers represent more vulnerability than many people think. All printers are potential sources of violations, so they should certainly be addressed in risk assessments or any analyses of HIPAA compliance. Printers also remind us of the importance of protecting both digital ePHI (as moves through printers, is stored on them, and is faxed by them) and physical PHI (as is produced by them when healthcare files are printed or copied). Be sure that you are properly safeguarding your own printers and signing business associate agreements that ensure a HIPAA-compliant environment from any digital providers.