Copier Costs Health Plan $1,215,780


In April 2010, Affinity Health Plan filed a breach report with the HHS Office for Civil Rights (OCR), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Affinity reported that a photocopier it had previously leased was purchased by CBS Evening News as part of an investigative report, and that the copier's hard drive still contained confidential medical information on more than 340,000 individuals.

OCR determined that Affinity had failed to include the electronic protected health information (ePHI) stored on photocopier hard drives in its risk analysis of security vulnerabilities, and had no policies and procedures for protecting or destroying the data on those drives when its lease agreements ended. On August 7, 2013, OCR settled with Affinity for $1,215,780; the Resolution Agreement also requires Affinity to make best efforts to retrieve all of the affected hard drives and to implement a corrective action plan to prevent such data loss in the future.

Digital Copiers are Computers

Today's digital copiers have a hard drive that stores images and data for every document they print, scan, fax, or e-mail.

These multi-function copiers typically contain an embedded computer with a full operating system, a firewall, and network connectivity. Residual data left on the disk can put your customers' data at risk.

Company Responsibility

Companies must take reasonable steps to protect sensitive information about their customers. HIPAA covered entities and business associates are required by the Security Rule to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI), including any ePHI that may reside on a multi-function copier hard drive.

Prevention

Digital copiers have features that can encrypt data on the hard drive and perform a wipe (data overwrite) after each print, copy, or scan job completes. Vendors also offer "secure print" features that hold a sensitive job until the individual who requested it is at the unit to release it, so the output does not sit unattended in the tray.

Sharp offers multiple features, including 7x data overwrite, government-standard AES 256-bit data encryption, and an "End of Lease" overwrite.

Canon offers a hard disk drive format feature, HDD Data Encryption, and HDD Data Erase.

Konica Minolta includes HDD auto deletion, HDD sanitizing, and AES data encryption with password protection.

Toshiba's SecureMFP features on-the-fly encryption and a data overwrite kit to ensure that data is erased after every fax, copy, scan, and print job.

Ricoh offers a DataOverwriteSecurity System and a Hard Drive Encryption Option.

Xerox likewise advises its customers to enable the AES 128-bit data encryption feature and to configure the disk image overwrite feature to run as soon as a job completes, or on an automatic daily schedule.

Additional security features may include an audit log that can be monitored to trace unauthorized access, the ability to scan only to authorized folders, and the ability to send only to authorized e-mail addresses.

Take Action

Contact your copier leasing agent, reseller, or vendor to purchase and enable these security features on your copiers. Perform an audit or assessment to confirm that each feature is enabled and actually operating on every multi-function machine; a configuration screen that shows overwrite turned "on" is not the same as a drive that has verifiably been overwritten. In addition, ask for the latest firmware patches and keep your copiers up to date so that operating system vulnerabilities are patched. Disconnect unused fax connections, since a compromised fax modem can also provide a back door into your network.
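The audit step above is only meaningful if you check the drive itself, not just the menu setting. The script below is an added example (not from the original article or any vendor's tooling) of a read-back verification you can run against a raw image of a copier hard drive taken with dd or a similar tool before the unit leaves the building. It walks the image in fixed-size blocks and reports whether anything recoverable remains: blocks that are not uniformly overwritten, high-entropy blocks consistent with encryption or a random-pattern overwrite, headers of the document formats copiers commonly spool (PDF, JPEG, TIFF, PostScript, PJL), and runs of readable ASCII text. The block size, signature list, entropy threshold, and the sample images built at the bottom are all assumptions constructed for the example.

```python
"""Residual-data check for a copier hard drive image (added example)."""
import hashlib
import math
import re
from collections import Counter
from typing import Dict, Iterable

BLOCK = 4096  # assumed block size; align with the drive's sector/cluster size

# File signatures typical of spooled copier job data (constructed list).
SIGNATURES = {
    b"%PDF-": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%!PS": "PostScript",
    b"\x1b%-12345X": "PJL job header",
}

# 16 or more consecutive printable ASCII bytes: likely readable document text.
PRINTABLE = re.compile(rb"[ -~]{16,}")


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a uniform fill, close to 8 for random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def scan_blocks(blocks: Iterable[bytes], block_size: int = BLOCK) -> Dict:
    """Summarise residual content across a stream of disk blocks."""
    report = {
        "blocks": 0,
        "uniform_blocks": 0,       # every byte identical: a pattern overwrite
        "high_entropy_blocks": 0,  # > 7.5 bits/byte: encrypted, compressed or random
        "signature_hits": [],      # (absolute offset, format name)
        "text_runs": 0,            # printable ASCII runs that may be document text
    }
    offset = 0
    for block in blocks:
        report["blocks"] += 1
        if len(set(block)) == 1:
            report["uniform_blocks"] += 1
        else:
            if entropy(block) > 7.5:
                report["high_entropy_blocks"] += 1
            for magic, name in SIGNATURES.items():
                idx = block.find(magic)
                if idx != -1:
                    report["signature_hits"].append((offset + idx, name))
            report["text_runs"] += len(PRINTABLE.findall(block))
        offset += len(block)
    return report


def scan_image(data: bytes, block_size: int = BLOCK) -> Dict:
    """Scan an in-memory image (convenient for tests and small drives)."""
    return scan_blocks(data[i:i + block_size] for i in range(0, len(data), block_size))


def scan_file(path: str, block_size: int = BLOCK) -> Dict:
    """Stream a raw image from disk so multi-gigabyte drives are not read into RAM."""
    with open(path, "rb") as f:
        return scan_blocks(iter(lambda: f.read(block_size), b""), block_size)


def verdict(report: Dict) -> str:
    """Turn the counters into the one line an auditor records."""
    if report["blocks"] == 0:
        return "EMPTY"
    if report["signature_hits"] or report["text_runs"]:
        return "RESIDUAL DATA FOUND"
    if report["uniform_blocks"] == report["blocks"]:
        return "SANITIZED (uniform overwrite)"
    if report["high_entropy_blocks"] == report["blocks"] - report["uniform_blocks"]:
        return "NO PLAINTEXT (encrypted or random overwrite)"
    return "INCONCLUSIVE"


# Constructed sample images for demonstration; not real copier data.
def constructed_wiped(n_blocks: int = 4) -> bytes:
    return b"\x00" * (BLOCK * n_blocks)


def constructed_random(n_blocks: int = 4) -> bytes:
    """Deterministic pseudo-random fill (SHA-256 chain) standing in for encrypted data."""
    out, seed = bytearray(), b"example-seed"
    while len(out) < BLOCK * n_blocks:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:BLOCK * n_blocks])


def constructed_leftover(n_blocks: int = 4) -> bytes:
    """A 'wiped' drive with one spooled PDF fragment the overwrite missed."""
    img = bytearray(constructed_wiped(n_blocks))
    leak = b"%PDF-1.4\n% Patient: Jane Doe  DOB: 1970-01-01  Dx: hypertension\n"
    img[BLOCK + 100:BLOCK + 100 + len(leak)] = leak
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("wiped", constructed_wiped()),
                       ("random", constructed_random()),
                       ("leftover", constructed_leftover())):
        r = scan_image(img)
        print(f"{label:9} {verdict(r)}  hits={r['signature_hits']} text_runs={r['text_runs']}")
```

To use it on a real unit, image the drive (for example `dd if=/dev/sdX of=copier.img bs=4M`) and call `scan_file("copier.img")`. A "SANITIZED" or "NO PLAINTEXT" verdict is evidence the overwrite or encryption feature worked; anything else means the drive goes to physical destruction, not back to the lessor. Treat signature and text hits as a lower bound, since compressed or proprietary spool formats will not be caught by this short list.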

Add every device with data storage (copiers, laptops, desktops, servers, tablets, smartphones, automation equipment) to your security risk assessment, and take deliberate steps to mitigate the vulnerabilities you find.

The cost of a multi-function copier data security module is typically on the order of $500, a small price to pay to protect your customers and to avoid significant fines and reputational damage.

Read More

The full HHS Resolution Agreement with Affinity, Corrective Action Plan (CAP), and additional guidance from the Federal Trade Commission (FTC) and National Institute of Standards and Technology (NIST) can be found here:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html


Tags: Breach HIPAA
