Healthcare has seen one of the most significant utilizations and adoptions of technology in its history over the past several years in our drive to achieve meaningful use, engage patients, and connect and share data internally and externally with traditional and new partners. According to a 2016 HealthITDashboard report, 95% of all eligible hospitals and critical access hospitals have demonstrated meaningful use of certified health IT. This includes 60% of all U.S. office-based physicians, 20% of all Nurse Practitioners, and 2% of all Physician Assistants.
This has resulted in more data than ever before being created, stored, and transmitted in and through the healthcare ecosystem. This has not gone unnoticed by individuals that would mean harm or look to profit from that data. Breaches are on the rise and healthcare is at the forefront of the attention of those looking to access this data. According to the Ponemon Institute 2017 Cost of a Breach Report, the value of the data we have is higher than any other industry with a per capita cost of $380 compared to an overall average of $225. Those looking to gain unauthorized access to our data see the higher value and are putting more effort into their endeavors.
While we have been implementing and using all the technology healthcare has to offer, we have also been spending significant money and time on securing our environment to address the increased attention that has resulted in more breaches and more attacks with increasing sophistication. Even with this spending and effort, healthcare continues to struggle with inadequate budget and resources to combat the growing security threats. The effort has been on hardening our data centers and endpoint computing devices, developing programmatic approaches, and deploying technology to ensure that outside actors cannot gain access. The question is: have we covered it all?
One would assume that through the implementation of electronic systems and the associated security measures our digital information is much more secure, but that is clearly not the case. It may surprise you to know that, according to a study conducted by Logicalis, healthcare has seen an 11% increase in print after implementing electronic systems to support EHRs, information exchange, and all the other initiatives we have had. That means that an average 1,500 bed health system produces over 8 million pages per month, or 96 million pages per year. The number of devices (printers, copiers, fax machines, and scanners) has risen and continues to do so every day. These devices are usually managed in a distributed manner by varying parts of the organization, and even by various third parties, with no clear delineation of who owns the security of the devices. Additionally, most healthcare organizations have limited or no idea of what is being printed, and even fewer have adopted technologies to provide secure print within their organization. According to a recent presentation by OCR, 21% of all data breaches affecting 500 or more individuals were the result of paper. Imagine trying to determine who was impacted by a breach involving your 8 million pages per month.
It is not only a matter of increased pages due to more technology that has increased our risk. We now have more devices in the environment processing this data, and they have not been given the same level of scrutiny from a security perspective as the rest of our infrastructure. This is despite the fact that the most common risks associated with printers are some of the very same we have tried to address on other computing devices, including: physical security of the device and data, access controls and the ability to modify the configurations, the device’s ability to store and transmit data and whether or not encryption is enabled and configured, as well as the device’s configuration and exposure to the rest of the network (is the device open to the internet?).
Managed print services have been around since just about the time printing came about, yet most organizations still do not have a mature, all-inclusive program. Some may have a program that is associated with one manufacturer of devices but what healthcare organization has a single manufacturer fleet? Even then, who handles the non-networked devices or third-party printers? Today’s managed print programs require the ability to not only handle all manufacturers and all device types, networked or non-networked, but your program must have security and privacy of the infrastructure and data in scope.
These devices have as much computing power as, or more than, the computers and laptops in your environment. They can store massive amounts of data, and an unprotected device can provide entry into your infrastructure that could be disastrous.
Printers and print infrastructure need to be a part of the overall security program. It is crucial to define and implement appropriate control frameworks on all your devices, evaluate and implement tools to secure the physical printers, as well as provide mechanisms to ensure the privacy of what is printed. You need to be looking at methods and approaches to reduce the amount of print output. Limiting output will decrease the need for devices, which in turn means less to secure and a much smaller attack surface for those bad actors looking to get to your data.
Sean Hughes is VP of Managed Document Solutions for CynergisTek. Sean has over 25 years of experience in a variety of roles within mid to large healthcare delivery systems and has spent the last 15 years in a variety of senior Information Technology leadership roles. He has specialized in developing highly efficient and cost-effective service delivery organizations utilizing technology coupled with process re-engineering to achieve business goals and strategies. His understanding of the business needs and challenges of today’s healthcare organizations, coupled with his personal experience as a key customer stakeholder of the CynergisTek programs, positions CynergisTek to deliver programs designed to meet the needs of our customers.
Prior to joining CynergisTek, Sean held a variety of key leadership roles for Catholic Health East (now Trinity Health) including VP of Service Management, VP Chief Information Service Administrative Officer and Chief Information Security Officer. His experience included daily accountabilities of service delivery across all customer locations, Service Level Management, Information Services strategy and execution, acquisitions and divestitures, financial management and reporting as well as the development and implementation of an Enterprise Information Security program.