Can MFPs Be Secured Against Breaches? Three Tips For Your Organization
HIPAA Compliance is More Than Just Network Security
For organizations that need to maintain HIPAA compliance or adhere to other stringent security standards, it’s typical for compliance policies to be focused largely on computer network security. Because healthcare is such a large target for would-be data thieves, it’s no wonder that some organizations get caught up in focusing primarily on intentional, external hacking attempts. However, there are still other devices being used within a healthcare environment that receive little-to-no compliance consideration, even though they should. One of the best examples of this is the Multi-Function Printer (MFP), which is present in just about every type of healthcare organization.
Physical Documents are Hard to Secure
In a healthcare setting, a standard MFP today is connected to both the organization’s network as well as its EHR systems, and it’s used not just to print and scan, but also to send and receive information. Because of this network connection, MFPs have the same inherent level of vulnerability as any other computer on the network. But, unlike other computers, the vulnerability of an MFP is greatly compounded by its ability to print physical documents: Documents that are encrypted within a network lose that safeguard the moment they appear in the paper tray of an MFP.
Generally, the sheer volume of physical documents within the healthcare industry is slowly declining: Meaningful Use has incentivized healthcare organizations to transition Protected Health Information (PHI) into EHR systems. Despite this effort, healthcare organizations are far from paperless, and PHI that’s stored securely within an EHR system is immediately at risk once someone prints out a physical copy. This level of risk is why MFPs can be problematic within an organization, and it’s why MFPs should be a top priority for any healthcare organization needing to secure the presence of paper-based PHI.
Steps to Make Using Your MFP More Secure
To help your organization better control and safeguard PHI, here are three tips that can be implemented:
Authenticate at the device: Most MFPs will come with the ability to set user permissions at the device itself, so that a member of your organization will need to enter authenticating details before they are able to print out a document. This prevents documents from being automatically printed by the MFP, so that sensitive information doesn’t sit unattended in a paper tray. This method is better for small healthcare organizations, as it makes it easier for individual users to securely receive paper documents, but doesn’t provide a solution on a team-wide level. Additionally, the very manual process of setting up authentication requirements needs to take place at the device itself, and for a large organization, this can be extremely time-consuming for the administrator.
Destination control: A second method for restricting user access to PHI is by implementing boundaries around where files can be sent to from an MFP. This method of destination control means that an organization can put restrictions on filers being sent to certain fax numbers, network folders or email domains. The drawback to this method is that it addresses security and compliance risks for documents that are being sent from an MFP, but doesn’t address the vulnerabilities associated with documents being printed by the MFP. Because of this, the destination control method of implementing security also needs to be combined with another tactic.
Don’t rely on just the MFP: The third and most effective method of securing PHI transmitted through an MFP is to not rely on the MFP alone. MFPs are highly valuable to healthcare organizations, simply because an MFP can accomplish such a wide variety of tasks. From a compliance and security standpoint, however, MFPs are far from ideal as a standalone option. More and more often, large healthcare organizations are shifting to HIPAA compliant cloud fax services, which allow for MFPs to still be used, but less heavily relied on. A reliable cloud fax service enables users to fax to an MFP as usual, but it also provides for an alternative method of sending HIPAA compliant faxes when a document doesn’t need to be printed. A cloud fax service like Concord allows faxes to be viewed and interacted with on a computer, tablet or smartphone, and it also provides options for setting user permissions and restrictions. Faxes can be securely sent to and received by entire groups or lists, and then users within that group can determine whether a copy needs to be printed or not. Cutting back on the use of paper and the need to file hard copies of sensitive information makes HIPAA compliance easier.
To find out how Concord HIPAA Compliant Cloud Fax can work with the MFP in your healthcare organization, download our Cloud Fax Reference Guide below, or you can contact us to learn more.