Beware of the Potential Issues & Safety On Your Office Digital Machines
_{August 20, 2018}

Did you know that most multifunction printers (MFPs) and photocopiers now contain hard disk drives that can store a data image of every document scanned, copied, faxed, emailed or printed?

Why is this important to know?

For one, if these printers or photocopiers contain highly sensitive data like protected patient health information, it could lead to threats like fraud or identity theft and your facility could be sanctioned for violating HIPAA Privacy and Security Rules. One major case related to the impermissible disclosure of PHI of about 345,000 individuals is that of Affinity Health Plan, Inc. and this company was penalized and paid a huge amount of money totaling USD 1.2 Million. A corrective plan was also required by OCR for Affinity Health Plan to recover all those storage drives of those MFPs leased by Affinity Health Plan then ensure this time that safeguards to protect patient health information are implemented.

How does this PHI can be stolen?

Your site’s PHI may be at risk by use of one of these machines. Data can be accessed remotely (Wi-Fi connection or network LAN connection), or taken out via the hard drive. As most of these digital printers and copiers are leased, there lies the risk of exposing the PHI when the machine is returned or sold.

What are the steps you can do to protect PHI?

1. Ensure that before you purchase these digital copiers or printers, they are included in your Risk Analysis/Assessment. Ensure security measures are spelled out through Security Policy.
2. Make sure that the network to and from these machines is secure.
3. Check with the manufacturer to identify any built-in security features. Ideally, the hard drives can be encrypted or overwritten (i.e. clean out the stored data periodically). Passwords can also be another feature within the machines that can help prevent easy access to the sensitive PHI (e.g. copier does not release the paper on output tray until a user inputs his password on the machine).
4. Check internal audit logs to track activity.
5. Ensure in the lease agreements, if any, your facility has the right to keep the hard drive of the digital copiers or printers at the end of the term, or that they are properly destroyed.

For more tips and guides on how to secure your digital printers and copiers, please visit Federal Trade Commission’s guidance on safeguarding sensitive data stored in the hard drives of digital copiers.