It’s a bit of a catch-22 for healthcare organizations trying to ensure the security of their data. On the one hand, it’s essential for staff to be able to quickly access patient information to provide care. Yet on the other, the law requires organizations to protect sensitive data included in electronic medical records (EMR).
Today, countless devices are connected to the internet, the hospital network and other medical technologies, and are used to collect and transmit patient data, including computers, mobile devices, IV pumps and X-ray machines. However, many of them have few, or no, security protocols in place. The situation’s made even more complex by the public nature of hospital environments. Many connected devices containing sensitive data are left unattended, leaving the entire network exposed. The result’s an increase in cyber and data security threats.
The global pandemic is making the situation even more challenging. Many healthcare workers aren’t working in their normal environments; they’re helping in other departments, hospitals and even pop-up field hospitals. With all the displaced healthcare workers, their normal print and capture workflows are left behind with their devices—and the security of the patient data contained in documents printed or scanned elsewhere may be at risk.
So how do healthcare organizations protect against a breach? By implementing a comprehensive security strategy, and ideally, by taking a systematic approach that tests all connected devices for vulnerabilities. Once identified, security threats should be prioritized so the most severe can be addressed quickly. Regular software updates and patches are just as important, as is replacing outdated equipment with new devices that have security built in.
Because they don’t stand out as threats, multifunction devices, printers and imaging devices are often overlooked during security reviews. In reality, however, these devices handle a lot more data than people realize.
The risk is real for healthcare organizations
Healthcare security breaches are increasingly common. Across all industries in the United States in 2019, there were 1,473 data breaches with over 168.68 million sensitive records exposed. But, it’s not just cyberattacks that cause harm. According to data from Ernst & Young, 34 percent of organizations see careless or unaware employees as the biggest vulnerability.
Here is a snapshot of recent healthcare data breach activity:
- The number of data breaches involving more than 500 health records increased from 371 to 510 between 2018 and 2019, representing a 196 percent increase.
- Over the 10-year period between 2009 and 2019, a total of 3,054 healthcare data breaches involving more than 500 records occurred. As a result, nearly 231 million healthcare records were lost, stolen, exposed or disclosed without permission – representing almost 70 percent of the U.S. population.
- In 2019 alone, more than 4.5 million records were improperly exposed because of employee error, negligence or acts by malicious insiders.
Exposed medical data can cost healthcare organizations millions of dollars in federal and state fines, civil actions, corrective action plans, credit monitoring, identity theft and lost business. In 2016, Advocate Health Care Network paid $5.5 million in fines for multiple violations that jeopardized the electronic health records of more than 4 million patients.
HIPAA penalties alone range from $100 to $50,000 per violation. Fines are classified into tiers according to whether the offending organization should’ve been aware of the breach and the precautions it did – or didn’t – take. Simply put, taking the necessary steps to prevent and identify breaches before they occur minimizes the fines that loom if an incident does occur.
Healthcare organizations can’t afford to leave any device out when implementing security measures. At first, printers and imaging devices may seem basic and safe enough, but they’re actually a hidden threat within hospitals and healthcare offices. Furthermore, the constant flow and turnover of people in healthcare facilities makes it too easy for criminals to take advantage of an empty workstation to wreak havoc and steal documents. As more organizations expand mobile access to printers, control becomes even more lax. Employees may print a sensitive document remotely and either leave it sitting for hours before retrieving it, or simply forget about it altogether.
The power of a print security framework
It’s clear that healthcare organizations must implement greater controls over when and how documents are printed and who has access to output trays. The first step is to create a print security framework that includes devices with security built-in and content-aware print and capture technology.
A comprehensive, advanced content-aware solution combines print, capture and output management to minimize security breaches and reduce compliance costs. Traditional print management tracks items such as where a document was printed from and who printed it. Content-aware print management tracks all of this information, plus the contents of the document itself.
Here’s a helpful checklist of features and functionality when searching for a solution:
- The ability for users to specify which printer is used over a network, and the option to hold printing until the individual is at the printer.
- Enterprise audit trail of what’s being printed or captured.
- Prevention of inappropriate printing of personal, sensitive or confidential information.
- Automatic redaction of sensitive data, such as Social Security numbers and NHS numbers, when documents are printed or shared beyond a list of authorized people.
- Automatically generated audit trails of printed documents to ensure compliance with regulations such as HIPAA and GDPR.
- Secure mobile authentication for printing and capturing.
- Rules-based controls including restrictions on document printing.
- Multi-channel capture integration including mobile, multifunction printers, desktops and email.
- Integration with EHR systems and HL7 compliant clinical systems.
- User authentication at the multifunction device by ID card or mobile device to enforce end-user access to device and/or block use of device features (print, scan, fax, etc.).
- Leverage user permissions to control and track what documents and locations an end-user can access at the multifunction device.
- Limit outbound destinations, including fax and email, to pre-defined recipients to mitigate exposure of sensitive healthcare information.
- Document encryption to protect data in motion and at rest.
- Provide high availability of print and capture workflows to mitigate impact of network outage.
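To make the content-aware items in this checklist concrete, the following added example (not taken from this article or from any vendor's product) shows a print rule that finds Social Security and NHS numbers, redacts them for users outside an authorized list, and writes an audit record that holds counts and a document hash rather than the sensitive values. The function names, user names, printer name and sample text are hypothetical and constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Any 10-digit run, optionally grouped 3-3-4; confirmed by the checksum below.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def nhs_checksum_ok(candidate):
    """Modulus 11 check: the tenth digit of an NHS number is a check digit."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11  # 11 maps to 0; 10 can never match a digit
    return check == digits[9]

def process_print_job(user, printer, text, authorized_users):
    """Return (text to print, audit record) for one job."""
    findings = {"ssn": 0, "nhs_number": 0}
    def rule(kind, mask, validator=None):
        def _sub(match):
            if validator and not validator(match.group()):
                return match.group()  # right shape, fails validation: keep
            findings[kind] += 1
            return match.group() if user in authorized_users else mask
        return _sub

    out = SSN_RE.sub(rule("ssn", "[REDACTED-SSN]"), text)
    out = NHS_RE.sub(rule("nhs_number", "[REDACTED-NHS]", nhs_checksum_ok), out)
    audit = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "printer": printer,
        "doc_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,  # counts only, never the matched values
        "redacted": out != text,
    }
    return out, audit

# Constructed sample document and allow-list (not real patient data).
SAMPLE = ("Patient: Jane Doe  SSN: 123-45-6789\n"
          "NHS number: 943 476 5919  Order ref: 1234567890\n")
AUTHORIZED = {"dr.patel"}

if __name__ == "__main__":
    for who in ("dr.patel", "temp.clerk"):
        print(*process_print_job(who, "mfp-ward-3", SAMPLE, AUTHORIZED), sep="\n")
```

The checksum step is what keeps the ten-digit order reference from being masked as an NHS number, so the audit trail counts only values that validate.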
Today’s healthcare organizations have the power to manage, secure and govern sensitive documents by implementing unified printing, scanning and automated workflows. Process automation makes sure the right information gets to the correct people, and automatic audit trails generate credible reports to demonstrate compliance. In the event of exposed data, audit reports can document the due diligence an organization took, helping to reduce fines. And during this chaotic time, as healthcare organizations focus on treating COVID-19 patients, print and capture workflows follow healthcare workers no matter where they go – with the proper levels of security maintained.