It is more than just an IT issue.
Security of an organization’s printers and multi-function devices, as well as the data on those devices, is handled by the IT department, right? While this might be true, compliance and privacy officials should care about what is happening with these devices. It is not uncommon for these devices to have significant data storage capacities, as much as 320 GB. Imagine how many records such a device could hold, as well as the fact healthcare organization will have hundreds if not thousands such devices. Think about what gets printed in a busy clinical area or by the staff in finance or patient quality. These business units often work with large files that include the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records that get printed by the staff in one of these areas?
It is likely a version of that file is being stored on the hard drive of the printer or multi-function device for most, if not all, of the copies that are printed. If the device is compromised because of inadequate security features all of the data could be exposed. It could also be exposed if the hard drive is not properly handled when the device is swapped out for a new one. Healthcare organizations must have a strong process around handling these devices from the point they are brought in to the organization to the point the device is removed from service.
Difficulties in Establishing a Device Security Process
The difficulty in establishing such a process for these devices is often a combination of issues. Many organizations might not inventory these types of devices either because the cost for them is below the threshold to have an inventory control tag or the organization has contracted to lease these devices. Even if the devices are supposed to have an inventory control tag they might not go through the formal process to get one if purchased by an individual business unit or department outside the formal procurement process. This is all to say the organization may not have a good handle on just how many of these devices are in use, where they are in use, how they are deployed and how they are disposed of at end of life.
This is supported by the 2015 Ponemon Institute research report The Insecurity of Network-Connected Printers which surveyed multiple industries. According to the report:
- 30% of respondents say their organization has a process for identifying high-risk printers.
- 64% of respondents say their organization assigns a higher data risk to desktop or laptop computers than printers.
- 55% of respondents say their companies do not have security policies that include network-connected printers or do not know.
- Less than 40% of respondents believe the information contained in printer memory is thoroughly wiped clean during the disposal or refurbishment process.
- 62% of respondents are pessimistic about their ability to prevent the loss of data contained in printer memory and/or printed hardcopy documents
The Role of Compliance and Privacy Officers
Compliance or privacy officer should have a significant interest in what the organization is doing to assure the security of these devices. If there is a data compromise they will be involved in the assessment of whether a breach has occurred and the notification process. One of the complexities of this assessment will be identifying what data was or might have been on the device’s hard drive. Organizations may need to over notify because the ability to specifically identify the impacted individuals might be impossible. If the device has been in service for some time the number of impacted or potentially impacted individuals could be in the tens of thousands.
Compliance and privacy officers need to know what the organization is doing around these devices. If they don’t they need to take action now and ask the question. The answer might be a pleasant surprise. They may learn the organization has a strong document management/print management function. But asking the right question is critical to assuring the process is robust and properly designed for risk reduction. As with many compliance issues understanding what question to ask and how to evaluate the answers is the only way to assure an adequate understanding of the risks.
A True Print Management Process
Understanding the difference between what print management is and what some might think it makes a huge difference. A true print management process will incorporate all network-connected devices and be vendor agnostic. If the question is posed whether a print management process exists and the answer is “Yes, we have that through Vendor X” then verify whether Vendor X is managing all devices regardless of manufacturer or only those devices manufactured by Vendor X. Organizations will have devices from multiple vendors.
The lack of awareness around how the organization is managing printers and multi-function devices, including what the security features are on those devices creates another area of significant exposures for organization’s data. Compliance officers and privacy officers need to partner with the Chief Information Security Officer, the Chief Information Officer and others to assure this risk is minimized as much as possible. Otherwise, the organization is awaiting another “when not if” instance regarding the exposure of its data.