Cybersecurity has become a buzzword in healthcare. Rapid digitalisation of healthcare in recent years – in the form of electronic medical records (EMR), telehealth and remote monitoring devices – has given rise to more potential security gaps that malicious actors and hackers can exploit.
Indeed, healthcare organisations have become a prime target for cyberattacks. In November and December 2020, cyberattacks targeting healthcare organisations increased by 45% month-on-month, more than doubling the overall increase for all sectors worldwide.
The need to boost cybersecurity in healthcare
The consequences of cyberattacks on healthcare providers can be far-reaching and grim – from the WannaCry ransomware attack which took down the United Kingdom’s NHS in 2017, to a 2020 attack in Germany which led to the death of a patient. However, despite these high-profile incidents, healthcare organisations still lag behind other industries on key measures of cyber-readiness.
One common gap in healthcare’s cyber-readiness lies in the use of old legacy devices and operating systems that have not been patched for decades, said Dr Jason Tee, Healthcare Industry Consultant for Lexmark.
Another gap lies in inadvertent employee actions. “Whether intentionally or not, your employees are the biggest risk of a healthcare data breach, and pose a great financial and compliance risk to your practice,” said Dr Tee. He pointed to Verizon’s 2018 Data Breach Investigations Report, which revealed that employees are involved in 71% of all cybersecurity incidents (regardless of whether data was compromised) in healthcare, more than in any other industry. In addition, 53% of all healthcare cybersecurity incidents are caused by inadvertent employee actions, such as human error, physical loss/theft of devices or records, and email phishing.
“These ‘inadvertent actors’ do not intend to do harm, but unintentionally leave the door open for cybercriminals by, for example, opening malicious attachments or clicking malicious links in spam emails, or losing unprotected laptops containing sensitive data,” he noted.
Bringing print security to the fore
Many healthcare providers have established cybersecurity policies and guidelines to mitigate risks in their expanding digital presence. However, Dr Tee flagged a common misconception: that all that needs to be done is to secure network entry points such as employees’ laptops or a warehouse processing terminal. In fact, any device that connects to the Internet is at risk of becoming a security loophole for hackers. This includes printers, which are often overlooked in security plans.
“Printers are connected directly to the internet and sensitive corporate networks. They send data through fax and emails, and demonstrate potential risks and security vulnerabilities posed by enterprise Internet of Things (IoT) – thus offering hackers a backdoor into the corporate network,” said Dr Tee. “They are used to print sensitive, confidential, and classified data, and also store copies of that data in their memory.”
Across different businesses, printers are increasingly becoming vectors for cyberattacks targeting sensitive company or client information. Quocirca’s report stated that up to 60% of businesses in the United Kingdom, United States, France, and Germany suffered a print-related data breach within a year.
Hackers could also choose to sell the information for huge profits, he added. “Hackers recognise the potential value of medical information on the dark web. Each record can be worth up to $1,000, or between 10 and 40 times more than credit card details.”
As such, failing to ensure print security can lead to severe consequences, ranging from business-disrupting data loss, financial toll on the hospital, and compliance and patient privacy breaches to damage to productivity, consumer confidence, and brand value.
How to start building print security
If print security isn’t top of mind at your organisation, you are not alone. As of 2020, only 1 in 5 companies has a strategy for print security. Many don’t know where to start, or are unsure whether their existing devices have the right security features and how to configure them properly.
For a start, hospitals could work on identifying the security gaps in print processes and printer device features. As mentioned above, a significant risk arises from employee actions. “There could be cases where clinicians or hospital administrators send documents containing patient data to print, and never pick them up – as much as 30% of print jobs are never even picked up from the printer. Many others go to the printers to pick up their own documents, and would have inadvertently seen these confidential reports. This would constitute a patient privacy breach,” said Dr Tee.
Many employees are used to using the Scan-to-Email configuration to capture paper documents. However, this method is unsecured, and can lead to massive manual effort to get the documents to where they belong within the digital system, he added.
There is also a general lack of organisation-wide user controls or print policies amongst healthcare providers. This includes visibility of, and control over, printing output across the organisation: audit trails of who viewed or printed documents, and when and where they did so.
There are printer solutions which can address the above issues. For example, print release and user authentication features require the user to be at the printer and to authenticate their identity (through a staff pass or other means) before the documents are printed. “This ensures that no sensitive info can fall into the wrong hands, and helps eliminate the chance of missing or duplicate print pages which may affect critical patient care-related workflow,” Dr Tee explained.
Adding a watermark to all documents that identifies the staff member who printed them could also encourage staff to be more careful about which documents they print and how they keep these documents safe.
With cyberattacks expected to grow in sophistication and volume, it is vital that the healthcare industry continues to explore solutions enabled by new technologies, and review existing print infrastructure to mitigate vulnerabilities and provide greater continuity of care. This is not an easy task when we consider the complexity of a hospital’s IT infrastructure and the sensitive nature of the data it produces; but a necessary one, as printed documents continue to be relied upon in critical patient care processes, and we know the consequences on the patient and organisational level if printers were to be hijacked.
For Lexmark, said Dr Tee, security is an integral design and engineering component embedded into all of their products, tools, and services. “We don’t treat security as an afterthought or optional feature,” he said. “We take a comprehensive approach to security, covering a full spectrum of features and functions designed to protect every aspect of your print environment.”
Lexmark’s Secure by Design approach and commitment to Secure Software Development Lifecycle (SSDL) is a series of processes designed to address all aspects of security related to software development, from planning through design and implementation, including quality assurance, release, and maintenance. You can contact Lexmark’s Healthcare Consultant at Jason.email@example.com to learn more about Lexmark’s clinical solutions and assessment of your facility’s printing requirements.