HIPAA compliance risk in digital copiers
To understand where the risks come in, it's important to understand how digital copiers work. The FTC put a great guide together that has an excellent summary. In it, they explain that today’s generation of networked multifunction devices — known as “digital copiers” — require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production. These are usually the big commercial copiers used in offices, home office type of digital copiers generally do not have hard drives to worry about. It's the hard drive in a digital copier that holds a lot of the security risk, because it stores data about the documents it copies, prints, scans, faxes or emails. If steps aren't taken to secure the drive, the data can be stolen by removing the drive or even by remotely accessing it. Affinity Health Plan found this out the hard way, when they were fined over $1.2 million for not erasing the data on the hard drive of digital copiers they had leased and returned to the leasing agent. Another HIPAA compliance risk with digital copiers that often gets overlooked is the "scan-to-email" feature. Because the digital copiers are networked, it's often assumed that emails coming from the copier are protected. However, if the digital copier does not have the ability to send emails with encryption, then they are exposed in transit to the recipient's inbox. This was the case for Hookele Health, who identified the risk and used Paubox to make sure the "scan-to-email" feature was able to send encrypted emails.
Jason Johnson, Manager of Information Security & Customer Experience at Marin General Hospital, reached out to me on LinkedIn on the topic: "This isn't talked about enough. There have been big fines because organizations haven't wiped drives before turning equipment back into leasing companies. Always ask your vendor how they wipe drives--it can usually be set up to be done automatically!"
Securing digital copiers throughout their life-cycleNothing lasts forever, and that includes digital copiers, so it's important to make sure they are secure throughout their life-cycle, from purchase to disposal. The best way to do this are to have clear guidelines in place to manage risk at each stage:
- Acquiring a copier: Make sure it is managed by knowledgeable IT staff who have clear responsibilities to securing the data stored and transmitted by your digital copiers. This includes making security features are enabled fully when copiers are installed.
- Maintaining security: Even during the ownership of a digital copier, there should be processes in place to keep data secure, such as Overwriting the hard drive in regular intervals. This removes traces of any data that existed on the drive before the overwrite.
- Disposing of a copier: Many copiers are leased and returned to the leasing agent. Before that is done, it's essential to have processes and policies in place to either keep the hard drive, or make sure it is overwritten before being returned.
Be sure to check with the manufacturer, dealer, or servicing company for options and add-ons that are available at each stage during the life-cycle of the digital copier. This can vary depending on manufacturer.
HIPAA compliance for digital copiers comes down to understanding how PHI may be captured during the use of copiers. Once that is understood, organizations can easily manage risks by implementing documented processes to identify vulnerabilities and how to mitigate them. This includes taking advantage of the built-in security features of the digital copiers, and adding on additional services like Paubox to make sure any transmitted PHI is protected.