Paper Chain Compliance Risks

Healthcare organizations can’t afford to ignore the potential risks of paper-based breaches

hp bp 5

Networked printers are an essential element of organizations and an often-overlooked compliance risk. Recent cyber attacks have no doubt awoken healthcare IT organizations to the dangers of ransomware phishing assaults. But security teams shouldn’t overlook the dangers of printed personal health information lying in output trays of printing devices that may be wholly or partly unmonitored.

According to the Department of Health & Human Services, between September 2009 and September 2016, personal health information of more than 168 million people was impacted in 1,688 breaches that affected more than 500 people. And paper records accounted for 23% of larger breaches.

Paper costs can sting

This is a serious compliance issue. One health organization settled a compliance violation for $475,000 after it failed to notify in a timely manner that more than 800 operating room schedules that contained protected health information had gone missing.

HHS’ Office for Civil Rights (OCR) has picked up the pace of violations enforcement, and a key reason is increased auditing. OCR’s Phase 2 HIPAA Audit Program, initiated in 2016, reflects more aggressive enforcement, including walk-through audits.

HIPPA audit case studies reported by Health Management Technology detail user access issues for which two organizations were examined.

“From a security perspective, the auditors make sure that computers that are unattended have been logged off per policy, passwords are not ‘taped to the keyboard,’ printers and fax machines are not where the public could remove confidential information, that locked rooms are indeed locked, and that badge access to secure areas is being utilized,” according to the publication.

Protect the document

It’s typical in a work environment for printers and imaging devices to be in open-access areas. With nobody monitoring a device, and frequent foot traffic, it’s not difficult for an on-site criminal or a passerby to quickly lift documents that have been left unattended in an output tray.

Lax control over printed documents is a growing problem as many organizations expand mobile device access to workers on the go. Such workers may print remotely and forget about them, or delay in picking them up.

Protecting documents requires a combination of policy and technology. On the policy front, healthcare organizations should implement and enforce clear cut access-authorization guidelines.

Simple to sophisticated solutions

Components of a print security solution can be relatively simple, such as employing locked input trays that prevent misappropriation of special payments used for printing items such as paychecks or prescriptions.

Or print security can be as sophisticated as HP’s comprehensive access control system modules that provide print authentication, auditing, authorization, accounting, and secure “pull” printing capabilities that are scalable across the healthcare organization. (Pull printing stores print jobs in the cloud or on the user’s PC—users authenticate at their chosen print location to pull and print their jobs.)

Other tools that organizations can consider include requiring a secure badge to release a print job, or allowing users to assign a PIN when they send a print job that can only be completed when they enter that PIN at the device.

Healthcare organizations can’t afford to ignore the potential risks of paper-based breaches. To learn more about how to protect your organization from these risks, go to HP Print Security.


Copyright © 2017 IDG Communications, Inc.