Are Multifunction Printers (MFPs/MFDs) HIPAA Compliant?
What was once the humble office copy machine has now evolved into the mighty Multi-Function Printer (MFP), aka the Multi-Function Device (MFD). MFPs can make copies, print documents, email attachments, and send faxes.
However, the more powerful these devices become, the more considerations have to be taken into account when it comes to their security. For organizations in the healthcare industry, this immediately raises concerns about HIPAA compliance. So where do MFPs stand, and what can you do to help keep them safe?
MFPs are Computers in Disguise, and Need to Be Protected
One of the most important things to remember when it comes to information security is that MFPs are heavily computerized, network-connected devices. As a result, they can be targets for attack (for example, the faxploit attack demonstrated in 2018).
According to a 2019 research study by print industry research firm Quocirca, 59% of businesses surveyed reported a print-related data loss in the past year. Quocirca puts the average cost of such breaches (across industries) at more than $384,027 per annum. Given the costs of a HIPAA violation are likely to be even greater, a breach can be particularly damaging in the healthcare industry.
Attacks are not necessarily centered around pulling digital information off MFPs or intercepting information travelling to or from them. Attackers can also compromise the devices and then use them as a staging point for launching an attack into the rest of your network. Regardless of the form the threat takes, your organization should keep these devices secured by regularly installing software updates. Your network infrastructure should also be set up to restrict outside access to MFPs and to limit the damage if one is compromised.
MFP manufacturers work to make their devices secure, but just like computers, that effort is meaningless if IT departments don’t apply patches or take advantage of security features. These devices often go overlooked.
HIPAA Compliant Is as HIPAA Compliant Does
Ultimately, it’s what people do with MFPs that is or isn’t compliant, rather than the tool itself. With that in mind, here are some best practices for making your staff’s use of an MFP more HIPAA compliant:
Control Physical Access
In small healthcare facilities that combine the main business office (i.e. billing, scheduling, etc.) with the reception space, it’s not uncommon for machines handling Protected Health Information (PHI) to sit near patients checking in, delivery people picking up or dropping off packages, and so on. While this is perhaps more often a concern for smaller devices that are more likely to be placed on counters near reception, it’s nevertheless essential that outsiders are not able to read patients’ medical records sitting in the output tray. If they can, that’s a HIPAA violation.
Don’t Leave Documents Unattended, Even in the Back Room
HIPAA doesn’t just mandate protection of PHI from outsiders; it also requires that access be limited to employees involved in a given patient’s care. That means that even if your MFPs are behind doors that are locked to the public, letting documents sit in trays unattended can be a violation. This can happen when an employee wants to scan or fax a document without waiting by the machine for all the pages, or when incoming faxes or print jobs wait to be collected.
One way to limit unauthorized access to physical documents being produced by an MFP (either fax or prints) is to institute a “Pull Printing” system. With Pull Printing, documents sent to an MFP are only printed when a user authenticates (via a badge or card, biometrics, or a PIN, for example) that they are the correct recipient.
Avoid the “Scan to Email” Function
Basic email is inherently insecure. Whether you’re emailing a scanned document to yourself or sending it across the internet to a supporting entity (service provider, consulting doctor, referrals, insurance billing departments, etc.), anything written in or attached to a standard email is exposed to interception and attack.
Many organizations get around this vulnerability by instead sending scanned documents from MFPs via fax. Despite being a communications medium with a long history, fax continues to be a bedrock tool for healthcare (and, in fact, its usage rate continues to increase) because it is intrinsically more secure than email.
Thanks to the MFP app revolution, healthcare organizations’ choices continue to improve and evolve. It is now possible to download applications to your MFP that provide encrypted methods for document transfer, secured with two-factor authentication and other safeguards against prying eyes.
Decommission MFPs Responsibly
There will be times when your organization needs to shed MFPs that are out of date, broken, or have become redundant. Whether they’re being sent to e-recyclers, returned to the company they’re leased from, or sold on the secondary market, it’s key that they be properly prepared to leave your control. As discussed above, MFPs are computers, and as such they almost always have built-in storage (hard drives). Just as your organization wouldn’t get rid of a computer without carefully wiping its drives of any residual data, the same must be done for MFPs.
A CBS News exposé in 2010 demonstrated how damaging this risk can be: they purchased four secondhand MFPs, ran a free forensics program on the extracted hard drives, and ended up with ultra-sensitive documents from the Buffalo, NY Police Sex Crimes and Narcotics Units, pay stubs and design plans from a major NY construction company, and full medical records from a NY insurance company.
Tools exist to solve this problem, but they need to be used.
Make MFPs More Compliant with XMedius Secure Communications Solutions
XMedius offers two secure document exchange solutions that can aid compliance with HIPAA privacy requirements.
XM Fax allows you to replace conventional fax with a powerful Fax over IP solution. Apps and connectors are available for MFPs that let them use this solution at least as conveniently as analog fax boards. Not only does XM Fax not require employees to wait for each page to send, but it can also route incoming faxes directly to secured workstations in your organization. XM Fax servers can be configured for zero retention and will automatically log all transactions.
XM SendSecure can provide a secure, encrypted alternative to the “scan to email” function. Documents are scanned as usual, but then transferred via an encrypted SafeBox with two-factor authentication, a full audit trail, and ephemeral storage (automatically deleted after a set period of time).
Implementing one or both of these solutions can go a long way towards assisting HIPAA-compliant document communications, while also potentially reducing costs and streamlining workflows.
Would you like to learn more about what XMedius products can do for your organization? Reach out to us for additional information, a demonstration, or a free trial.