Securing the Forgotten Servers: Why Printers Are the Biggest Security Risk Today

Jim LaRoe, CEO, Symphion, Inc.
SEPTEMBER 28, 2018

Ladies Love Cool James (better known as “LL Cool J”) said it in 1990: “Don’t call it a comeback. I’ve been here for years.”

The same applies to printers (which we define as any device that creates an image, electronic or otherwise). They’ve “been here for years.” They started as benign, “dummy” copiers and simple dot matrix printers, but it’s not the 1990s anymore. Printers have evolved into amazing business-enabling devices that have huge hard drives and many advanced features, such as built-in email, web, fax and file transfer protocol (FTP) servers, and that are deployed throughout corporate networks as trusted devices. Today’s printers are servers that sit outside data centers and are open to physical access by anyone (e.g., on wheels in an emergency room).

But healthcare leaders aren’t treating printers like servers when it comes to cybersecurity. They’re not including them in cybersecurity plans, information technology (IT) policies and procedures or change control.

Printers are the “forgotten servers.”

To illustrate what’s happening, a typical multi-function printer has been described like this:

“Please consider this scenario. An unknown device is placed into an enterprise network, behind network perimeter defenses like firewalls, IPS and other IT infrastructure, so that the device has unfettered access to all the corporate network resources. To maximize the device’s functionality, a webserver is embedded into the device. To make the device accessible, all the ports will be set as ‘open’ by default and enable the connectivity with as much as a gigabit of Ethernet connectivity. The device will have a rich OS-like Linux to maximize functionality. The device will not be examined on an ongoing basis using the enterprise’s vulnerability scanner, as the embedded web server will likely light up the organization’s SIEM tools like a Christmas tree with false positives. The vulnerability scanner will be configured to ignore the devices, leading to the conclusion, depending on the brand, that the device will not be updated, maintained or patched over five-year useful life or sometimes 10-year useful life of the device. Device protection will consist of a default password, and . . . third parties will maintain the device. The device will be core to organizational productivity, so there will be one of these devices for every 10 employees. Some might call this a nightmare; some might call this a printer.”

Printers are not being secured despite the fact that:

1. The Health Insurance Portability and Accountability Act (HIPAA) requires printer security, because printers in hospitals clearly “receive, maintain and/or transmit” electronic protected health information (ePHI), and even the most cursory examination of “reasonably anticipated threats and hazards” to printers triggers the HIPAA mandates.

2. Threats to the ePHI that printers receive, maintain and transmit are increasing and will continue to increase because of the widespread adoption of electronic health records (EHR) creating more ePHI, the black market for ePHI and the proliferation of unsecured Internet of Things (IoT) devices, such as medical devices, creating more opportunities for hackers.

3. The stakes have never been higher for a data breach or failure to comply from even one unsecured printer: the average hospital data breach can cost over $13 million, including forensics, breach notification, lawsuits, lost revenue, lost stock and brand value, fine settlements and post-breach cleanup. HIPAA and other regulatory fines alone can total in the millions of dollars for a breach, such as $1.2 million for ePHI left on repurposed copiers and $3.2 million for a lost unencrypted laptop, iPod and BlackBerry.

You ask, “So, what can we do?”

The answer is to proactively manage all the printers in print fleets like you would your servers, desktops and laptops. That means continuous IT asset lifecycle management (ITAM), from cradle to grave, to account for all the printers in the fleet at all times; cyber-hardening them (actively managing their configurations to secure them); and keeping them cyber-hardened, all with vendor-agnostic automation.

Continuous ITAM is essential for securing any IT asset, especially assets that move around and get “hot swapped,” like printers in a large, dynamic print fleet whose composition constantly changes, which describes nearly all print fleets. You can’t manage it if you can’t see it. Continuous automated cyber-hardening is also the only way to proactively address the “reasonably anticipated threats” as required by HIPAA.
