According to one security expert, it’s possible to infiltrate an otherwise HIPAA-compliant hospital network from an unlikely place: the printer.
Peter Mongroo, head of global health care marketing for Aruba Networks, said low-level peripherals such as printers and scanners are often overlooked as potential weak links in a hospital’s network, especially if that network is a wireless one. While accessing a network this way is unlikely, it is still a cause for concern, he said.
“It’s a fact that some devices are inherently more secure than others, especially scanners, printers and other low-level legacy devices that can’t be encrypted,” Mongroo said.
It would be possible for an unscrupulous person to spoof a printer’s MAC address, gain access to the network and potentially retrieve private patient health information, he said. Even if an attacker or hacker wasn’t able to access that information, they could bring down the entire network, and hospital operations could grind to a halt.
Policy enforcement firewalls can help secure networked devices, as well as address other aspects of HIPAA (Health Insurance Portability and Accountability Act) compliance such as access control, auditing, personnel authentication and data transmission security, Mongroo said.
Policy enforcement firewalls perform deep packet inspection on all network data and can detect and identify the specific types of information that should be going to and from various devices.
Network administrators can set specific usage policies for each device to grant or deny information transfer to or from that device. In the specific case of a printer, Mongroo said, policies would permit the printer to receive and print out only specific types of patient information.
If the deep packet inspection failed to confirm that the correct information was transmitted, the device would be blacklisted and denied access to information or, in a worst-case scenario, kicked off the network entirely, he said.
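The per-device policy and blacklisting described above, sketched as an added example (not Aruba's implementation or code from the article). It evaluates constructed flow records rather than inspected payloads; the MAC and IP addresses, the port allow-list and the two-violation threshold are all assumptions.

```python
from dataclasses import dataclass

PRINT_SERVER = "10.0.5.10"            # constructed address
PRINTER_MAC = "00:11:22:33:44:55"     # constructed MAC
# Assumed policy: a "printer" may only receive print jobs from the print server.
POLICIES = {"printer": {("in", PRINT_SERVER, 9100),   # raw print
                        ("in", PRINT_SERVER, 631)}}   # IPP
ROLES = {PRINTER_MAC: "printer"}
MAX_VIOLATIONS = 2                    # assumed threshold before blacklisting

@dataclass(frozen=True)
class Flow:
    mac: str         # MAC the flow is attributed to
    direction: str   # "in" = towards the device, "out" = from it
    peer: str
    port: int

def enforce(flows, roles=ROLES, policies=POLICIES, limit=MAX_VIOLATIONS):
    """Return (verdicts, blacklist); devices with no role are denied by default."""
    violations, blacklist, verdicts = {}, set(), []
    for f in flows:
        if f.mac in blacklist:
            verdicts.append("drop-blacklisted")
            continue
        allowed = policies.get(roles.get(f.mac), set())
        if (f.direction, f.peer, f.port) in allowed:
            verdicts.append("permit")
            continue
        verdicts.append("deny")
        violations[f.mac] = violations.get(f.mac, 0) + 1
        if violations[f.mac] >= limit:
            blacklist.add(f.mac)   # device is cut off from now on
    return verdicts, blacklist

# Constructed traffic: one normal job, then the same MAC reaching for other servers.
SAMPLE = [
    Flow(PRINTER_MAC, "in", PRINT_SERVER, 9100),
    Flow(PRINTER_MAC, "out", "10.0.9.20", 1433),
    Flow(PRINTER_MAC, "out", "10.0.9.20", 445),
    Flow(PRINTER_MAC, "in", PRINT_SERVER, 9100),
]

if __name__ == "__main__":
    verdicts, blacklist = enforce(SAMPLE)
    for flow, verdict in zip(SAMPLE, verdicts):
        print(verdict, flow)
    print("blacklisted:", sorted(blacklist))
```

Because the policy is bound to the device role, anything presenting the printer's MAC address is held to the same narrow allow-list, and traffic outside it is what triggers the blacklist.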
Mongroo added that the policy enforcement firewall provides device and network access based on unique passwords for greater security, and includes the system logs that HIPAA requires so that administrators can review network events after a breach or during an audit.
The firewall also provides WPA2 encryption and is compatible with biometric security hardware for extra protection.