The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


Copier Security in a Healthcare Environment: Biometrics and HID Cards

Unless you've included copiers in your planning, there's a hole in your HIPAA compliance efforts. Here's what you need to know about copier security.

You have to include your copier in your HIPAA-compliance planning. Biometrics and HID cards can be used to reduce the risk of information going astray.

Twenty years have passed since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became federal law. By now, you are probably familiar with HIPAA's requirements to protect your patients' health information and have implemented various security measures to keep that data private. But there's one area you might have overlooked in your risk analysis: the copy machine. Learn about the possible security risks posed by your office copier and ways to minimize those risks.

Why Copiers Must Be Included in HIPAA Security Risk Analyses

Most copiers today do much more than simply copy documents; almost all of those in use are properly called multifunction copiers, able to copy, scan, print, fax, and even email. These machines also contain a hard drive, and as such should be considered a workstation with a computer.


Your practice is a HIPAA-Covered Entity and thus must fully comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the entirety of the HIPAA Security Rule. This includes the Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A), which requires you to identify exposures that could compromise the confidentiality, integrity and availability of paper and electronic forms of protected health information. The analysis covers any machine that creates, receives, stores, or transmits protected health information. Chances are high that your copier contains such information and must be included in any risk analysis.

According to NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, a Risk Analysis is "the process of identifying, prioritizing and estimating risks to organizational operations." After conducting the Risk Analysis, you must then take steps to minimize those risks. In addressing potential vulnerabilities in your copier machines, you need to put safeguards in place to protect document security, data integrity, confidentiality, and availability. Technical safeguards need to be put in place that limit inappropriate access to the copiers, authenticate the identity of the copiers' users, and create an audit trail of who accessed the machine and its data. Failing to secure the physical and electronic access points to your data exposes patient information, which in turn exposes your practice to potential fines for a data breach.

All users should have unique user credentials for the devices they are authorized to use. Administrators should implement authentication verification and monitoring to ensure that only authorized persons are accessing the devices. These practices not only address access control, they also help create an audit trail to identify potential breaches in security. Just as staff in your office should each have their own log-in information to access the computer network, so too should each have unique user access to machines on the network, including copiers. Two methods of verifying users' credentials at copiers are proximity cards and biometrics.

Using HID Proximity Cards

Proximity cards use either radio frequencies or an embedded microprocessor to communicate with a special reader. Radio frequency identification (RFID) cards use electromagnetic fields to automatically identify and track tags that contain electronically stored information. When the RFID card is held close to the special reader, the encoded information is exchanged and authenticated. Smart cards store encoded information in a small microprocessor embedded in the card. These cards are verified upon contact between the card and the specialized reader. Proximity cards of either type are frequently referred to as HID cards since they are produced and branded by the HID Global Corporation.

Implementing the use of proximity cards to access your copier's functions addresses concerns about document security. For example, you can program the copier only to print when the user is physically present and authenticated as an authorized user via use of a proximity card. This practice reduces the risks of protected health information being viewed or picked up by others. Such a practice is especially useful in practices where the physical location of the machine cannot be completely secured.

Using Biometrics for Authentication

Biometrics use uniquely identifiable personal data to authenticate end user access to equipment, facilities and data. Biometrics are nearly impossible to falsify. Though advanced biometric technologies, such as retinal scanning, exist, fingerprint data is the easiest, most commonly used, and least invasive method of authentication.

Biometric technology takes a picture of your fingerprint and converts this image into data. The biometric device compares this data with a known sample of your fingerprint characteristics and either authenticates you as the authorized user or rejects the fingerprint as not a match. Your actual fingerprint is not stored; only the electronic interpretation of the data from the picture of your fingerprint is stored.

Requiring user authentication at the copier is a best practice; requiring that authentication be performed by biometrics is perhaps the best method. Since biometrics cannot be stolen, borrowed, or falsified like other authentication methods, such as proximity cards, they provide the most secure means of verifying a person's identity.

Whatever the method of authentication in access control, keep copier security in all information security policies and risk analyses. Help keep your patients' information private and keep your practice safe from costly breaches.


Sources:
Guide for Conducting Risk Assessments
HIPAA Security Rules and Technology Safeguards 
