Many healthcare organizations focus on securing computers, servers, and electronic health record systems. However, one often-overlooked device may also contain sensitive information: your office copier. This device, if not properly secured, can be the cause of a large HIPAA breach for your practice.
Today's multifunction copiers do much more than make copies. They can print, scan, fax, email, and store documents electronically. Depending on the model, a copier may contain a hard disk drive (HDD) or solid-state drive (SSD) that retains copies of documents processed by the device.
Not All Copiers Store Data
A common misconception is that every copier contains a hard drive. In reality, some smaller devices use only temporary memory (RAM), which is cleared when the machine is powered off. Larger multifunction devices, however, often contain permanent storage that can retain information even after documents have been printed or scanned.
Because healthcare organizations routinely handle protected health information (PHI), it is important to know whether your copier stores data.
How to Find Out
You can determine whether your copier stores information by:
- Reviewing the manufacturer's specifications
- Looking for features such as document storage, secure print queues, or scan-to-folder functionality
- Checking the device's administrative settings
- Contacting the copier vendor or service provider
If you're unsure, it is safest to assume the device stores data until confirmed otherwise.
Why It Matters
If a copier contains a hard drive or other permanent storage, patient information may remain on the device long after a document has been processed. This can create security and compliance risks if the copier is:
- Connected to a network without proper safeguards
- Accessed by unauthorized users
- Returned at the end of a lease
- Sold, donated, or disposed of without removing stored data
Security Best Practices
Healthcare organizations can reduce risk by:
- Enabling password or badge-based authentication
- Using secure or "pull" printing so documents are released only when the user is present
- Changing default administrator passwords
- Limiting access to authorized personnel
- Including copiers in cybersecurity and HIPAA risk assessments
- Using encryption and secure overwrite features when available
When replacing or returning a copier, ensure that any stored data is securely erased or destroyed before the device leaves your control.
More Than a HIPAA Issue
While HIPAA requires healthcare organizations to protect patient information, other regulations may also apply. The Federal Trade Commission (FTC) can take enforcement action against organizations that fail to implement reasonable safeguards for sensitive information.
A copier that stores patient, employee, or consumer information should be treated like any other information system in your organization.
Takeaway
Copiers are no longer simple office equipment. Many function as network-connected computers that may store sensitive information. Taking a few minutes to determine whether your copier contains permanent storage—and ensuring appropriate security controls are in place—can help protect patient privacy, reduce compliance risks, and strengthen your organization's overall cybersecurity posture.
This risk is not new: as early as 2010, CBS News ran a piece on copiers being a security risk. Don't let what happened in this video happen to you. Watch the CBS video on YouTube.