The lowly office copy machine can be a treasure trove of data vulnerable to identity theft and a potentially massive healthcare privacy rule violation. Healthcare providers are scrambling to shut this security hole following reports of patient data found on copiers discarded by medical facilities.
From a privacy and security perspective, office copiers are not benign. Starting in 2002, digital copiers have been designed to retain in memory an image of everything they copy, scan, and e-mail. In a typical healthcare practice, this could mean that driver's licenses, health insurance ID cards, medical records, and personal checks are routinely copied or scanned, creating a repository of confidential patient information.
As healthcare facilities focus on more conventional threats to the security of patient data, it's been easy to overlook these omnipresent machines when developing a plan to comply with HIPAA provisions. But not anymore.
Healthcare providers are taking a closer look at copier-related HIPAA privacy issues following recent TV coverage of confidential data breaches. On April 19 on "CBS Evening News," investigative reporter Armen Keteyian told how more than 300 medical documents from patients enrolled in a New York health insurance company were found on the hard drive of a used photocopy machine purchased at a nearby resale office equipment warehouse in New Jersey.
And in November 2009, WINK News of Fort Myers, FL, aired a report following an investigation in which reporters purchased 10 hard drives from unknown sources on the online auction website eBay. They discovered that the hard drives were filled with confidential information from two large corporations.
Congressional action
The issue has also attracted federal attention. The day after the "CBS Evening News" report aired, Rep. Edward Markey (D-MA) wrote a letter to the commissioner of the Federal Trade Commission (FTC) asking what the agency was doing about the security risk posed by copiers.
In a letter dated May 11, FTC Chairman Jon Leibowit responded by saying that "the FTC is now reaching out to copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks associated with digital copiers and to determine whether they are warning their customers about these risks ... and whether they are providing options for secure copying." Leibowitz also stated that the FTC will be providing additional guidance specifically addressing how to protect personal information stored on hard drives of copiers and other devices.
The U.S. Navy had already issued a warning and "how to" information in the January 2010 issue of CHIPS, its internally published information technology magazine.
The copier industry
Xerox and Sharp, manufacturing leaders in the copier industry, are two companies that have been advising their customers about security issues for years; they offer products and services to remediate the risk of data retention.
Xerox stated that it spends 5% of its annual revenue on security at its five international research centers. It offers image overwrite software that electronically "shreds" information stored on the hard disks of its copiers and multifunction printers. Some of its products also include features requiring identification from users for machine activation, along with secure printing that is password protected.
Downloadable patches are issued when viruses and vulnerabilities that can affect equipment are identified. Xerox also offers a service to remove hard drives and erase data stored in other memory sources when one of its products is being decommissioned by a user, according to Larry Kovnat, product security manager.
Sharp Electronics offers a "security suite" of products and services for its equipment. An optional data security kit provides routines to overwrite data up to seven times, as well as robust encryption. Like Xerox, it offers audit trail security, access control, document, fax, and network security software.
Making copiers HIPAA-compliant
One firm that specializes in providing services to make copiers compliant in industries where privacy information is regulated is Digital Copier Security. Sean O'Leary, the company's senior regional analyst, specializes in the healthcare industry market segment. He said that the company's founder, John Juntunen, discovered the security vulnerability of office copiers when he purchased a used copier in 2007, turned it on, pressed a button, and a complete home mortgage application spewed out.
O'Leary told DrBicuspid.com that HIPAA regulations mandate that a copier or multifunctional printer/copier/scanner/fax machine becomes a part of a HIPAA plan the moment it enters a doctor's office, clinic, imaging center, hospital, or healthcare-related company.
Because a copier contains digital memory, it must be treated in the same manner as a computer. It must be included as security-sensitive inventory, password protected, audit enabled, and, if applicable, network protected. Its use must be included as part of formal HIPAA training for all employees and users.
Digital Copier Security offers a package of consulting services to keep healthcare facilities in compliance from the time of copier acquisition or to develop remediation programs for existing copiers. It also offers a service to purge copiers of their hard drives and other digital memory when they are being sold or traded in for a new model.
To decommission a copier in accordance with HIPAA regulations, technicians print a benchmark report that identifies specific data contained within the unit. They identify the locations of hard drives and nonvolatile memory, which may exist in as many as five different locations, according to O'Leary.
The technician removes the identified hard drives and purges all data using a process that conforms to National Institute of Standards and Technology standards. Then a new formatted hard drive is installed, and a process is followed to clear all data stored on other sources of memory. This can include company directories, network data, IP addresses, e-mail and fax addresses, contact lists, and job logs.
Finally, the purged and disabled drive is sent to Digital Copier Security's headquarters, where it is cataloged and destroyed. A certificate of destruction containing the make, model, and serial number of each hard drive is issued to the healthcare provider. The cost of the service ranges from $500 to $600 per machine.
Caution when removing hard disks
Some healthcare facilities might be tempted to have IT personnel remove hard drives, but O'Leary cautions against this.
"While some [copiers] have obvious [hard drive] locations and are limited to one memory source, others have multiple hard drives buried in obscure locations within the equipment," he said. "With most machines, you need someone who is trained in copier data destruction to fully meet HIPAA requirements."
Are healthcare providers sufficiently concerned about their copiers? O'Leary said that his company's phones have been busy since the "CBS Evening News" report, with a large number of calls from healthcare providers.
"Based on telephone and Web traffic, we think that this news was a real shock to many entities thinking they were in compliance with HIPAA regulations," he said.
Copyright © 2010 DrBicuspid.com