A Health IT Security Time Bomb
By Ken Congdon, editor in chief, Health IT Outcomes
It’s not every day that a modestly sized B2B media outfit can say it scooped the CBS Evening News, but that’s exactly what Health IT Outcomes did this month. On April 1, we posted an article to our site by guest columnist Mark Kadrich titled Copy Machines: The Unlikely Threat To Your Health IT Network. We then ran this column in our weekly newsletter, distributed on April 15. A few days later, the CBS Evening News ran a similar story by Armen Keteyian on its April 19 broadcast. The video of this story is embedded below:
Now, I mention this not only to brag, but also to stress how significant a problem digital copiers pose to IT security, particularly in the healthcare industry. As both Kadrich’s article and the CBS report point out, nearly every copier manufactured since 2002 contains a hard drive that stores an image of every document copied, scanned, or faxed on the machine. Those images may include private information such as tax documents, bank records, Social Security forms, and individual medical records, and they remain on the drive long after the job is finished.
According to a 2008 survey conducted by Sharp, 60% of Americans don’t realize that copiers contain a hard drive that stores images and, therefore, don’t take the necessary steps to ensure these images are removed from the copier prior to disposal or resale. For example, in the report aired by CBS, a used copier previously owned by New York-based health insurance provider Affinity Health Plan was purchased by Keteyian and John Juntunen, founder and COO of Digital Copier Security, Inc. Using a free software program available on the Internet, Keteyian and Juntunen were able to extract more than 10,000 images of personal medical records from the copier hard drive. Scary stuff. Imagine if this copier belonged to your hospital or healthcare facility. What breaches of patient privacy and HIPAA compliance violations would this expose you to? In essence, this type of violation could constitute “willful neglect” under HIPAA and put your facility at risk for a HIPAA violation fine running into seven figures.
So what can you do to make your copiers more secure and protect the privacy of your patients and your facility from potential liability? The first step is awareness. Let all parties within your healthcare facility (CEOs, CIOs, IT personnel, clinicians, etc.) know about the hard drives embedded in digital copiers and the security risks these hard drives present. Doing this immediately is of the utmost importance, as many hospitals and practices will be using their digital copiers or MFPs (multifunction peripherals) more frequently to scan patient files in an effort to meet EHR mandates, which means more patient records accumulating on those drives.
Next, seek the support necessary to keep these machines in compliance. For example, Digital Copier Security has developed a Health Care Partnership Program (HCPP) designed to help healthcare facilities keep their copiers HIPAA-compliant while in use. More information about this program can be found here: www.copiersecurity.com/the-risk/hipaa-compliance.html
Finally, you need to ensure that none of your organization’s data travels with your copiers when they break down, their leases expire, or you upgrade devices. You may be tempted to just yank the old hard drive from the machine prior to disposal or shipment. However, the majority of digital copiers rely on firmware and other formatting stored on that hard drive, so pulling it leaves the machine inoperable; returning a leased device in that condition can void your lease agreement and expose you to monetary penalties from the office equipment dealer or device manufacturer. A better option is to invest in the encryption or data security option for your copiers. Most major copier manufacturers offer such a kit for their machines; it typically encrypts the drive and overwrites stored images after each job, so there is nothing readable left to recover. This optional feature can cost as little as $550. Historically, however, business owners have passed on this option because they were unaware of the security risks the copiers posed. Third-party data removal services can also be purchased from companies like Digital Copier Security; whichever route you take, keep written confirmation of the wipe for each device so you can show it during a HIPAA audit. More information on their INFOSweep technology for copy machines can be accessed here: www.copiersecurity.com/products/the-infosweep-process.html
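To make concrete both the recovery described in the CBS story and the disposal check described above, here is an added example that is not part of the original column and is not the tool Keteyian and Juntunen used. It scans a raw disk image (for instance one taken from a copier drive with dd) for the leading bytes of common page-image formats, carves any JPEGs it finds, and then reports whether the drive is clean after an overwrite. The 4 KiB "drive" it runs on is constructed inline for illustration; real copiers use vendor-specific filesystems and formats, which is an assumption this scanner does not try to model. A clean result here is necessary but not sufficient evidence of a wipe: it cannot see through encryption or proprietary compression, so it complements, rather than replaces, the manufacturer's data security kit or a documented wipe service.

```python
from __future__ import annotations
import re
import sys

# Leading bytes of page-image formats an MFP is likely to store.
# Assumption: which formats a particular model actually writes is vendor-specific.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "tiff": b"II*\x00",
    "pdf": b"%PDF-",
}
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


def find_signatures(image: bytes) -> list[tuple[int, str]]:
    """Scan a raw disk image for file signatures, ignoring any filesystem.

    This is the core of what free carving tools do: a page the copier has
    "deleted" stays on the platter until something overwrites it.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), image):
            hits.append((m.start(), name))
    return sorted(hits)


def carve_jpegs(image: bytes) -> list[bytes]:
    """Return every JPEG found, from its SOI marker to the next EOI marker."""
    carved = []
    pos = 0
    while True:
        start = image.find(SIGNATURES["jpeg"], pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(SIGNATURES["jpeg"]))
        if end < 0:
            break  # truncated file: nothing more to carve
        carved.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return carved


def residual_fraction(image: bytes) -> float:
    """Fraction of bytes that are not zero (0.0 after a zero-fill)."""
    return 1.0 - image.count(0) / len(image)


def verify_wiped(image: bytes) -> dict:
    """Disposal check: no recognisable signatures and no residual data."""
    hits = find_signatures(image)
    frac = residual_fraction(image)
    return {"signatures": len(hits), "residual_fraction": frac,
            "clean": not hits and frac == 0.0}


def zero_fill(image: bytes) -> bytes:
    """Single-pass overwrite with zeros, as a wipe service would do to the drive."""
    return bytes(len(image))


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'drive' with a JPEG and a PDF left in unallocated space."""
    fake_jpeg = (b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00"
                 + b"\x7f" * 40 + b"\xff\xd9")
    fake_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    image = bytearray(4096)
    image[512:512 + len(fake_jpeg)] = fake_jpeg
    image[2048:2048 + len(fake_pdf)] = fake_pdf
    return bytes(image)


def report(image: bytes) -> None:
    for offset, kind in find_signatures(image):
        print(f"  {kind} at offset {offset}")
    print("  wipe check:", verify_wiped(image))


if __name__ == "__main__":
    # Pass a path to a raw image (e.g. from dd) to scan a real drive; otherwise
    # run against the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("before overwrite:")
    report(data)
    print(f"  carved {len(carve_jpegs(data))} JPEG(s)")
    print("after zero-fill:")
    report(zero_fill(data))
```

Run it against a dd image of a retired drive before it leaves the building; any signature hit means the "free software on the Internet" would find the same thing.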
If you have any other questions or concerns regarding digital copier security, feel free to email me directly. If I can’t answer your questions, I can put you in touch with the people who can. In the meantime, we at Health IT Outcomes remain committed to being among the first to inform you on this and other topics that are having a significant impact on healthcare IT.
Ken Congdon is Editor In Chief of Health IT Outcomes. He can be reached at firstname.lastname@example.org.