Securing the Forgotten Servers: Why Printers Are the Biggest Security Risk Today

Jim LaRoe, CEO, Symphion, Inc.
SEPTEMBER 28, 2018
The good news is that, thanks to the evolution of printers from dummy printers to today’s advanced machines, all such devices (regardless of make, model, vintage or type) have built-in security features that can be leveraged to cyber-harden them. Advanced print fleet cyber security automation will provide the visibility, command and control to allow information security professionals to choose controls that balance security and utility, to implement, manage and adapt those controls to meet changing needs and also provide reports for compliance purposes.

Other commonly considered security options fall short:

1. Do Nothing

Doing nothing is not an option. HIPAA requires action and has mandatory penalties for failing to act. Moreover, the risk of an attempted hack or breach has become “when,” not “if.”

2. Try to Do it Yourself (DIY)

While DIY is possible for very small or homogeneous fleets using brand-specific printer manufacturers’ management software, DIY is not feasible for larger print fleets. They are too diverse and dynamic. Even if printers are deployed with the desired security settings activated, these settings regularly change during normal operations or routine maintenance, firmware updates and servicing by unknowing service personnel. To further complicate matters, a typical large printer fleet comprises many different printer brands, makes, models, ages, functions and specialty printers (label and 3D) — each with different available security settings.

The print fleet composition is also constantly changing with adds, deletes and hot swaps, and the settings are often not duplicated on replacement printers (hot swaps, end-of-lease and end-of-life replacements). There are also frequent changes in printer brands and managed print service vendors, reconfigurations of the network and changes in the business such as mergers and acquisitions. It is effectively impossible to secure a large print fleet without comprehensive automation.

3. Use Network Architecture and Configure Printer’s Security Settings on Deployment

“We’ll just put all our printers on a separate subnet, change the administrator password from default and protect the subnet with a firewall.” No one would ever take this approach to securing their other servers, desktops or workstations. This approach ignores the complexities of the diverse composition and dynamic state of all print fleets. It also does not include cyber-hardening to address internal threats from employees such as transmitting sensitive data or accidentally injecting malware that was on corrupted media brought “from home.” Continuous visibility and cyber-hardening are also necessary to address the indirect external attacks on the business originating from unsecured, unmanaged IoT medical devices through printers (that are trusted devices on networks with full access). We’ve all heard about the example of the unsecured casino’s customer database server that was hacked from an IoT aquarium thermometer in the casino’s lobby.

4. Buy All New Printers and Standardize the Entire Large Fleet on One Brand of Printers

Understandably, printer manufacturers (also known as original equipment manufacturers or OEMs) want customers to standardize on their newest printers. They tout their latest advanced cybersecurity hardware features managed by their own proprietary, brand-specific print fleet management software and professional services teams. If a completely homogeneous, newest-model fleet with a professional services tab fits your budget, this may be an option.

However, the realities are that budgets are tight and large printer fleets, especially in healthcare, are diverse, comprising many brands, types and ages of printers. OEMs’ printer management software won’t include the whole print fleet because it’s technically limited to each manufacturer’s brand and latest model printers. Also, this approach requires regular systematic operation of OEMs’ software on their brand of printers for security configuration management, which is not being done. (Even the most advanced security features aren’t effective if they aren’t used.)

5. Rely on Managed Print Services (MPS) Vendors that Already Manage the Fleet

MPS vendors are not focused on or trained in printer security. They focus on servicing printers and supplying consumables (toner and staples) to maintain the print service. They do not consider printer security configurations. Also, they don’t have automation to see or control printer security configurations. Common print fleet management tools are technically limited and do not report, monitor or remediate printer security settings. MPS vendors typically resort to manual effort.

6. Rely on Pull Printing or Enterprise Output Management Solutions

Many vendors, including MPS vendors, resell pull printing and enterprise output management solutions with some marketing messaging about print security. But these software products apply to other parts of the print stream, not the printers themselves. Enterprise output management software provides rules and queue management that protect the source data through the transmission to the proper output devices (directs who can print what, where and how). Pull printing software ensures that the person printing is the person viewing the output. Neither solution keeps track of printers throughout their lifecycle or cyber-hardens them against threats.

7. Rely on Security Information Event Management (SIEM) Software or Data Loss Prevention (DLP) Solutions

These solutions are reactive, “detect, not defend,” approaches to cybersecurity. While being sold as an effective security overlay, SIEM and DLP software products simply do not report or manage printer security configurations. Moreover, SIEM solutions deselect printers due to the incessant chatter, and DLP solutions do not include printers.

8. Rely on Professional Security Services or Compliance Assessment Services Offerings

Professional services offerings are typically very expensive and, if they consider printers at all, may recommend security controls, but they do not secure printers and keep them secured. Compliance assessment services, while project-based, are point-in-time snapshots and are not ongoing delivery services. If these companies even consider printers, they rely on customers’ incomplete information or use immediately obsolete information from “walking the fleet” to manually check, neither of which is a long-term solution.

The message to today’s healthcare leaders is that even though printers “have been here for years,” they aren’t the same “dummy copiers” as in the 1990s and must be protected like the servers that they are, with automated IT asset lifecycle management and continuous cyber-hardening.

Symphion, Inc. is a Dallas, Texas based software and services company dedicated to excellence since 1999. Symphion’s leading-edge technologies and unique remote concierge solutions allow customers to affordably minimize risk and eliminate cost while maximizing operation efficiency.
