Security breaches create significant problems for any organization. They tax resources, put your reputation in danger and, most of all, cost money. Healthcare organizations are especially vulnerable to security breaches and often have the most to lose. According to the Ponemon Institute, healthcare data breaches cost an average of $6.5 million — or about $408 per patient record.
Today’s patient lifecycle includes more touchpoints than ever before. But while electronic health records give workers more access to relevant patient healthcare information (PHI), they also raise the risk of a security breach.
There’s a particular chance for carelessness or misconduct in today’s network of multifunction devices (MFDs), which are now mainstream in healthcare settings. Each time a document or form is captured — copied, printed, scanned, faxed or emailed — patient healthcare information is vulnerable to human error, theft, or delivery of data through non-compliant mobile devices. In fact, eight in 10 healthcare information breaches were caused by miscellaneous errors, privilege misuse or web applications, according to a study by Verizon. Six in 10 were caused by internal users.
But healthcare organizations can minimize risk and keep data secure on MFDs. These intelligent capture recommendations are based on common scenarios and will help you put procedures in place to protect your patients and your organization.
1. Establish user rules and workflows
Begin by managing content and user access across your network of MFDs. Establish workflow rules covering who can use each device, what information should be protected, and what information can be transferred. Only authorized healthcare personnel should use your MFDs. Just as access to patient information will vary from department to department, limits can be set on who uses a specific device in a certain unit. Each MFD should be capable of verifying user credentials and permitting access based on those rules. For instance, you may want to limit finance staff to printers in the administrative area while denying them access to devices in patient areas.
Workflow rules also make it possible to control which features and functionalities can be accessed by each authorized user on a given device. When a user attempts to use an MFD, they’re prompted to enter a PIN or swipe a card in order to verify their credentials. The permissions associated with that user will determine what they’re allowed to do. Only certain users, for instance, should have the ability to print documents containing PHI. These rules add another layer of protection to personal data.
Another question to ask is whether your MFDs meet HIPAA and NIST regulatory requirements. HIPAA penalties have the potential to reach $50,000 per violation, so it’s critical to ensure sensitive information isn’t shared with unauthorized users or accessed on non-compliant devices.
2. Audit all network activity
Today’s mobile healthcare environment enables doctors, nurses and other staff to provide faster care, but it also means they often need to access a device that isn’t their primary or “home” MFD. The workflow rules and user authentication we just discussed allow healthcare staff to use the nearest printer, but there’s still a risk to the larger organization. If a breach does occur, it’s harder to identify the source when people are constantly using different MFDs.
Auditing solves this problem by allowing MFDs to pass tracking information to a database. If a data breach occurs, this capability helps IT administrators easily track down the source, the authenticated user, the file name and type, and where the data was sent.
Auditing also helps healthcare organizations reduce printing costs by giving users the ability to analyze output and assign value for cost allocation. Healthcare organizations can manage MFD usage, improve compliance and maximize print cost reductions with rules-based printing.
3. Encrypt all data transferred between devices
In order to use an MFD to print, copy, scan, fax or email a document, the device has to communicate with other devices, servers and third-party applications. While this connectivity improves the availability of patient data and the overall quality of care, it also increases the risk of a security vulnerability. These other systems, particularly electronic health records, enterprise resource planning systems and line of business applications, contain sensitive data that must be protected.
Encryption helps healthcare organizations manage this risk. Data must be encrypted at rest (on the device itself) and in transit (as it moves from the MFD to another device, network or application). When both types of encryption are implemented, documents (and the sensitive data they contain) are kept secure throughout the entire patient care lifecycle, ensuring documents are only visible to authorized users.
4. Ensure data stays in the right hands
Healthcare professionals are entirely mobile as they move through your facility. Mobile usage increases the speed of care, but it also makes it easier for an unauthorized user to access PHI. With a secure print release workflow, staff can send documents to the nearest printer, eliminating the risk of sensitive information languishing unattended — or even forgotten — for long periods. Micro-card readers and mobile authentication secure documents and ensure print jobs are released only to authorized personnel.
A single, intelligent print queue for every employee and every printer makes it possible for employees to pick up a job at any MFD. The ability to do this on-demand further improves security while supporting a mobile workforce. As an added bonus, healthcare facilities gain a clear picture of the document chain of custody, which is essential for proving compliance with HIPAA regulations.
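The hold-and-release queue described above, combined with the device and PHI rules from step 1 and the audit trail from step 2, can be sketched as follows. This is an added example, not code from any MFD product; the roles, zones, device names and four-hour job lifetime are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed policy: roles allowed per device zone, and roles allowed to print PHI.
ZONE_ROLES = {"admin": {"finance", "nurse"}, "patient": {"nurse"}}
PHI_ROLES = {"nurse"}
JOB_TTL = 4 * 3600  # assumption: unreleased jobs are purged after four hours

@dataclass
class Job:
    owner: str
    file_name: str
    contains_phi: bool
    submitted: float

@dataclass
class PrintQueue:
    users: dict    # badge id -> (user, role)
    devices: dict  # device id -> zone
    held: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # stand-in for the audit database

    def submit(self, owner, file_name, contains_phi, now=None):
        # Jobs wait in one central queue; nothing prints at submission time.
        now = time.time() if now is None else now
        self.held.append(Job(owner, file_name, contains_phi, now))

    def release(self, badge_id, device_id, now=None):
        """Print the badge holder's held jobs at this device; return file names."""
        now = time.time() if now is None else now
        user, role = self.users.get(badge_id, (None, None))
        zone = self.devices.get(device_id)
        # Deny by default: unknown badge, unknown device, or role not allowed in zone.
        if role not in ZONE_ROLES.get(zone, set()):
            self.audit.append((now, user or badge_id, device_id, None, "denied:device"))
            return []
        self.held = [j for j in self.held if now - j.submitted < JOB_TTL]
        printed = []
        for job in [j for j in self.held if j.owner == user]:
            if job.contains_phi and role not in PHI_ROLES:
                outcome = "denied:phi"  # job stays held, nothing is printed
            else:
                outcome = "released"
                self.held.remove(job)
                printed.append(job.file_name)
            self.audit.append((now, user, device_id, job.file_name, outcome))
        return printed

    def trace(self, file_name):
        """Audit lookup: who touched this file, on which device, with what outcome."""
        return [(u, d, o) for _, u, d, f, o in self.audit if f == file_name]
```

Denied attempts are written to the audit list as well as successful releases, so the trail covers who tried to print a file and where, not only who succeeded.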
5. Automatically monitor and track PHI activity
When healthcare organizations simultaneously monitor and audit their MFDs, they can ensure control of patient healthcare information before it ever gets to its intended destination. With content filtering and redaction capabilities, MFDs can identify and, when appropriate, remove confidential information before a document is printed. Data can even be removed or added across a specified group of documents, making it easier and faster to secure PHI.
Additionally, MFDs can send an alert to the appropriate staff member if a potential security breach has been identified. The issue can be investigated immediately, enabling organizations to be more proactive in breach detection and response. Precise documentation of who has accessed or printed information, watermarking functionality and digital copies of all printed documents provide healthcare facilities with a clear chain of custody and real-time visibility into document ownership.
6. Secure routing and destination workflows
Routing and destination workflows for all data transmitted across MFDs must be standardized and secured to reduce the risk of a breach. With centralized print management and scripts, healthcare organizations can standardize documents across multiple print centers. IT departments have the tools needed to easily control and enforce print, capture and routing controls across all MFDs, improving data security and protecting PHI.
Capturing documents into a network folder is the most common type of workflow. It’s also the least secure. To eliminate risk, standardize and integrate network scanning with a print secure framework. Network devices should be HL7 compliant and integrate with electronic health records and clinical applications. Optical character recognition (OCR) of all captured documents will allow you to search and share data securely. In addition, you can use APIs to integrate network fax servers with business applications — enabling the secure transfer of sensitive information.
No healthcare organization wants patient healthcare information exposed to bad actors or negligence. By taking these steps, you can secure your copiers and printers and automatically transfer data to the right systems. With content-aware print workflows in place, healthcare professionals can begin working like tomorrow — today.