The following is a guest blog post by Sean Hughes, EVP Managed Document Services at CynergisTek.
Print devices are a necessary tool to support our workflows but at the same time represent an increasing threat to the security of our environment.
Most organizations today have a variety of devices; printers, copiers, scanners, thermal printers and even fax machines that make up their “print fleet”. This complex fleet often represents a wide variety of manufacturers, makes and models of devices critical to supporting the business of healthcare.
Healthcare organizations continue to print a tremendous amount of paper as evidenced by an estimated 11% increase in print despite the introduction of the EHR and other new systems (ERPs, CRMs, etc.). More paper generally means more devices, and more devices means more risk, resulting in increased security and privacy concerns.
Look inside most healthcare organizations today and even those with a Managed Print Services program (MPS) probably have a very disjointed management responsibility of their inventory. Printers are most often the responsibility of IT, copiers run through supply chain with the manufacturer providing support, and fax machines may even be part of Telecommunications. Those organizations that have an MPS provider probably don’t have all devices managed under that program – what about devices in research or off-site locations, or what if you have an academic medical facility or are part of a university?
These devices do have a couple of things in common that are of concern – they are somehow connected to your network and they hold or process PHI.
This fact and the associated risk requires an organization to look at how these devices are being managed and whether the responsibility for security and privacy are being met. Are they part of your overall security program, does your third party manage that for you, do you even know where they all are and what risks are in your fleet today? If multiple organizations manage, do they follow consistent security practices?
Not being able to answer these questions is a source of concern and probably means that the risk is real. So how do we resolve this?
We need to take a programmatic approach to print and print security to ensure we are addressing the whole. Let’s lay out some steps to accomplish this.
- Know your environment – the first thing we must do is identify ALL print devices in our organization. This includes printers, scanners, copiers, thermals, and fax machines, whether they are facility owned, third-party managed, networked or local, or sitting in a storage room.
- Assess your risk – perform a comprehensive security risk assessment of the entire fleet and develop a remediation plan. This is not a one-time event but rather needs to be part of your overall security plan.
- Assign singular ownership of assets – either through an internal program or a third-party program, the healthcare organization should fold all print-related devices into a single program for accountability and management.
- Workflow optimization – you probably have millions of dollars of software in your organization that is the source of the output of these devices. Even more was spent securing the environment these applications are housed in, and accessed from, to make sure the data is secure and privacy is maintained. The data in those systems is at its lowest price point, most optimal from a workflow efficiency standpoint, and most secure — yet every time we hit print we multiply the cost, decrease the operational efficiency and increase the risk to that data.
- Decrease risk – while it is great that we identify all the devices, assess and document risk and develop a mitigation/remediation plan, the goal should be to put controls in place to stem the proliferation of devices and ultimately to begin the process of decreasing the unnecessary devices thereby eliminating the risk associated to those devices.
The concept of trying to reduce the number of printers from a cost perspective is not new to healthcare. However, many have achieved mixed results, even those that have used an MPS partner. The reason that happens is generally because they are focused on the wrong things.
The best way to accomplish a cost-effective print program is to understand what is driving the need or want for printers, and that is volume. You don’t need a print device if you don’t need to print. I know it sounds like I am talking about the nirvana that is the paperless environment but I am not. This is simply understanding what and where is unnecessary to print and eliminating it, thereby eliminating the underlying need for the associated device, and with it the inherent security risk as well as the privacy concern of the printed page. Refocusing on volume helps us to solve many problems simultaneously.
Putting a program in place that provides this visibility, and using that data to make the decisions on device reduction can significantly reduce your current risk. Couple this with security and privacy as part of your acquisition determination, and you can make intelligent decisions that ensure you only add those devices you need, and when you do add a device it meets your security and privacy requirements. More often than not the first line of defense in IT is better management of the environment.