In the right hands, patient information is lifesaving. But if it falls into the hands of bad actors, it can pose a threat to the financial lives and wellbeing of patients – from identity theft to medical fraud.
Data breaches are also quite expensive for healthcare organizations. Consider, for example, Premera Blue Cross, which paid a HIPAA settlement of $6.85 million for its failure to conduct an organization-wide risk assessment. The Alaska Department of Health and Human Services paid a $1.7 million penalty because it didn’t have a risk management process. Cignet Health of Prince George’s County denied patients copies of their health records, which led to a fine of $4.3 million. These are only a few examples of how mismanaging access to data can go awry.
One reason data breaches continue to occur is that paper still plays a significant role in hospital environments. Forms and orders containing sensitive patient data are often sent to multi-function devices (MFDs), which are now mainstream in healthcare settings. Each time a document or form is copied, printed, scanned, faxed or emailed, patient information is vulnerable to human error, theft or delivery of data through noncompliant mobile devices.
In fact, eight in 10 healthcare information breaches were caused by miscellaneous errors, privilege misuse or web applications, while six in 10 were caused by internal users.
The good news is healthcare organizations can take action to minimize risk and keep data secure on copiers and printers. In this series, we take a deeper dive into each of the ways you can secure your MFDs to protect your patients’ data.
Let’s start with the first questions healthcare IT administrators should ask: Do you know who is using your printers? And how?
Set rules for who has access
The first step to securing your MFD network? Determine who should be authorized to access the devices and which activities each authorized user is permitted to perform on them.
Every doctor, nurse and staff member should be assigned credentials that permit them to use MFDs in their area while also limiting access to others. For instance, you may want to limit finance staff to the MFDs in the administrative area while denying them access to devices in patient areas.
In addition, you’ll want to control which features and capabilities each authorized user can access. Workflow rules determine exactly what each user can do at the device.
For example, any time a user attempts to use an MFD, they’ll be asked to verify their credentials, either by entering a PIN or via a card swipe. If their use of that particular device is allowed based on the rules, the device will be activated. These rules also determine whether they can print documents containing patient data or transfer data outside of hospital systems.
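The four checks the paragraph above describes (who is the user, is this device in an area they may use, is this feature allowed for their role, may patient data go where this job is headed) can be written down as one policy function. The block below is an added example, not code from the original post or from any MFD vendor's product; the roles, areas, hospital e-mail domain, PINs and badge IDs are all constructed for the illustration, and the rule that a fax always counts as leaving hospital systems is an assumption made here.

```python
"""Illustrative MFD access policy (hypothetical example, not any vendor's product).

Assumptions, all constructed for this example:
- A user authenticates at the device panel with a PIN or a badge swipe.
- Each user has a role and a list of areas whose devices they may use.
- Workflow rules per role say which actions are allowed and whether the
  role may handle jobs flagged as containing patient data (PHI) at all.
- Fax and e-mail to a non-hospital domain count as leaving hospital systems.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    role: str
    areas: list      # areas whose MFDs this user may activate
    pin_salt: bytes
    pin_hash: bytes
    badge_id: str


@dataclass
class Device:
    device_id: str
    area: str


@dataclass
class Job:
    action: str            # "print", "copy", "scan_to_email" or "fax"
    contains_phi: bool
    destination: str = ""  # e-mail address or fax number for outbound jobs


HOSPITAL_EMAIL_DOMAIN = "example-hospital.test"   # constructed value

# Workflow rules per role (constructed): permitted actions and PHI handling.
ROLE_RULES = {
    "clinician":  {"actions": {"print", "copy", "scan_to_email", "fax"}, "phi": True},
    "finance":    {"actions": {"print", "copy", "scan_to_email"},        "phi": False},
    "facilities": {"actions": {"copy"},                                  "phi": False},
}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are short, so store them salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_user(user_id: str, role: str, areas: list, pin: str, badge_id: str) -> User:
    salt = secrets.token_bytes(16)
    return User(user_id, role, areas, salt, hash_pin(pin, salt), badge_id)


def authenticate(user: User, pin: str = None, badge: str = None) -> bool:
    """Either factor is accepted at the panel; comparisons are constant-time."""
    if pin is not None:
        return hmac.compare_digest(hash_pin(pin, user.pin_salt), user.pin_hash)
    if badge is not None:
        return hmac.compare_digest(badge, user.badge_id)
    return False


def is_external(job: Job) -> bool:
    """Does this job's destination lie outside hospital systems? (assumption above)"""
    if job.action == "fax":
        return True
    if job.action == "scan_to_email":
        return not job.destination.lower().endswith("@" + HOSPITAL_EMAIL_DOMAIN)
    return False


def authorize(user: User, device: Device, job: Job, pin: str = None, badge: str = None):
    """Return (allowed, reason). Checks run in order: identity, location, feature, data."""
    if not authenticate(user, pin=pin, badge=badge):
        return False, "authentication failed"
    if device.area not in user.areas:
        return False, f"user not permitted in area {device.area}"
    rules = ROLE_RULES[user.role]
    if job.action not in rules["actions"]:
        return False, f"action {job.action} not permitted for role {user.role}"
    if job.contains_phi:
        if not rules["phi"]:
            return False, "role may not handle patient data"
        if is_external(job):
            return False, "patient data may not leave hospital systems"
    return True, "allowed"


# Constructed sample directory: one nurse on ward 3, one finance clerk in admin.
NURSE = make_user("n001", "clinician", ["ward-3"], "4821", "BADGE-001")
CLERK = make_user("f002", "finance", ["admin"], "9001", "BADGE-002")
WARD_MFD = Device("mfd-ward3", "ward-3")
ADMIN_MFD = Device("mfd-admin", "admin")

if __name__ == "__main__":
    print(authorize(NURSE, WARD_MFD, Job("print", True), pin="4821"))
    print(authorize(CLERK, WARD_MFD, Job("copy", False), pin="9001"))
```

The order of the checks matters: the device should refuse to activate before it ever looks at the job, so a failed PIN or a user in the wrong area produces a short, uniform refusal rather than leaking which features or data rules would have applied.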
Electronic devices – such as mobile phones and tablets – containing electronic personal healthcare information (ePHI) also should be secured at all times. Electronic devices are portable and valuable, and that makes them vulnerable to theft, especially if healthcare employees take them home or leave them unattended in their vehicles.
It’s critical for all MFDs on your network to meet HIPAA requirements and NIST guidelines. Sharing sensitive information with unauthorized users or non-compliant devices could result in hefty fines under these regulations. HIPAA penalties alone range from $100 to $50,000 per violation.
Track activity across the network
In healthcare environments, doctors, nurses and other staff are usually on the move, which often puts them far from their home MFD. User authentication and workflow rules make it possible for them to use the nearest printer. However, this access also poses a risk for the organization. If there’s a breach, it can be more challenging to track down the source if an auditing process isn’t in place.
Healthcare staff who email ePHI to their personal accounts or remove sensitive patient data from the facility also present a risk. Many do so to catch up on work that they weren’t able to complete during the day. The intentions are good. However, not only is emailing ePHI to personal accounts a violation of the HIPAA Security Rule, it’s also considered theft and carries significant consequences.
With auditing, MFDs are able to pass tracking information to a central database. If a data breach occurs, this capability enables IT administrators to easily track down the source, the authenticated user, the file name and type, and where the data was sent – whether it was to a device, department, application, address or other location.
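Once every MFD forwards one record per job to a central store, the investigation the paragraph above describes becomes two queries: everything that happened to a given file, and every patient-data job whose destination was outside hospital systems (which also surfaces the "emailed ePHI to a personal account" case from the previous section). The block below is an added example, not code from the original post or from any vendor's auditing product; the record format, field names, device and user IDs, file names and the four sample events are all constructed for the illustration.

```python
"""Illustrative central audit store for MFD job records (hypothetical example).

Assumes each MFD forwards one JSON record per job with these constructed
fields: ts, device, user, action, file, type, phi (bool), dest.
"""
import json
import sqlite3

HOSPITAL_EMAIL_DOMAIN = "example-hospital.test"   # constructed value

# Constructed sample records, as a small fleet might forward them in one day.
SAMPLE_EVENTS = [
    '{"ts":"2024-03-04T08:12:03Z","device":"mfd-ward3","user":"n001","action":"print",'
    '"file":"discharge_summary_1187.pdf","type":"pdf","phi":true,"dest":"mfd-ward3"}',
    '{"ts":"2024-03-04T08:40:51Z","device":"mfd-admin","user":"f002","action":"scan_to_email",'
    '"file":"invoice_0331.pdf","type":"pdf","phi":false,"dest":"ap@example-hospital.test"}',
    '{"ts":"2024-03-04T17:55:20Z","device":"mfd-ward3","user":"n001","action":"scan_to_email",'
    '"file":"discharge_summary_1187.pdf","type":"pdf","phi":true,"dest":"nurse.home@example.com"}',
    '{"ts":"2024-03-04T18:02:11Z","device":"mfd-er","user":"d007","action":"fax",'
    '"file":"lab_results_5521.tif","type":"tif","phi":true,"dest":"+15550100"}',
]


def load_events(lines):
    """Parse forwarded JSON records into an in-memory SQLite table (stands in for the central DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mfd_audit (ts TEXT, device TEXT, user TEXT, action TEXT, "
        "file TEXT, type TEXT, phi INTEGER, dest TEXT)"
    )
    rows = []
    for line in lines:
        e = json.loads(line)
        rows.append((e["ts"], e["device"], e["user"], e["action"],
                     e["file"], e["type"], int(bool(e["phi"])), e["dest"]))
    conn.executemany("INSERT INTO mfd_audit VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def trace_file(conn, filename):
    """Every job that touched a file, oldest first: who, at which device, what action, where it went."""
    cur = conn.execute(
        "SELECT ts, user, device, action, dest FROM mfd_audit WHERE file = ? ORDER BY ts",
        (filename,),
    )
    return cur.fetchall()


def is_external(action, dest):
    """Destination outside hospital systems (assumption: any fax, any non-hospital e-mail domain)."""
    if action == "fax":
        return True
    if action == "scan_to_email":
        return not dest.lower().endswith("@" + HOSPITAL_EMAIL_DOMAIN)
    return False


def phi_left_hospital(conn):
    """Patient-data jobs sent outside hospital systems: the records an investigator reviews first."""
    cur = conn.execute(
        "SELECT ts, user, device, action, file, dest FROM mfd_audit WHERE phi = 1 ORDER BY ts"
    )
    return [row for row in cur.fetchall() if is_external(row[3], row[5])]


if __name__ == "__main__":
    db = load_events(SAMPLE_EVENTS)
    for row in trace_file(db, "discharge_summary_1187.pdf"):
        print("trace:", row)
    for row in phi_left_hospital(db):
        print("left hospital:", row)
```

The per-job record is what makes the trace possible after the fact: the authenticated user, the device, the file name and type and the destination are captured at the moment of use, so a later question about one document or one destination is a lookup rather than a reconstruction from badge logs and paper trays.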
Auditing has other benefits as well. It can help healthcare organizations reduce printing costs by giving users the ability to analyze output and assign value for cost allocation. Rules-based printing can help you manage MFD usage, improve compliance with regulation, and maximize print cost savings.
These steps are just the beginning for healthcare organizations who want to work like tomorrow—today. Follow the rest of this series to learn more tips for ensuring that your healthcare data remains secure, including how to manage your mobile workforce, why it’s important to be proactive about security warnings and why data encryption is critical as you transfer information between devices.