By Sean Hughes / Special to Healthcare Facilities Today

The concept of facilities management playing a part in the security of an organization is not something new, but is it possible that the process of securing your printers can have an unforeseen benefit to facilities management? The answer is, yes.

Since the very beginning of HIPAA there has been the need for a comprehensive approach to security that addresses the administrative, technical, and physical safeguards. The administrative approach has always involved the creation and implementation of policy and procedures of an organization’s information security program. These policies are usually then translated into technical means to enforce and ensure the adherence to the policies. These address the first two requirements related to the administrative and technical safeguards - but what about physical?

Physical security

Physical security requirements are usually where the paths of information security and facilities management briefly cross. Most organizations document and potentially improve the controls associated with how devices are secured. This usually starts with the data center deploying technology like retina scans or other advanced access controls. Video monitoring, locking cabinets, card swipes, and even the tried and true key and lock are examples of how the information security program usually takes shape in working with facilities management.

These methods are great and provide organizations with tremendous value in making sure the infrastructure, and the data housed and transmitted through it, are secure but none of these really provide return value to facilities management outside of the needed security of the systems and data.

The right approach to printer security can not only leverage all the benefits of the methods mentioned above, but, if done correctly, can achieve and even surpass those benefits, bringing added value to the objectives of a facilities management program.

Device security misconceptions

Let’s start by clearing up a few misconceptions as it relates to print, printers and the security of those devices.

First let’s look at printing. One would assume that printing in healthcare is on a decline with the adoption of Electronic Health Records (EHRs) along with all the technology and infrastructure investments that have been made - but that is not necessarily the case. According to Logicalis, hospitals have seen an 11 percent increase in print post implementation of EHRs, ICD-10, and all the other technology. Furthermore, in a recent article by PrintAudit they found that healthcare saw a 118% increase from last year in the average pages per day per user. The average 1,100 bed health system prints about 8 million pages per month. That is a lot of printing even after a large adoption of electronic technology.

Despite the increased volume of print and related devices, it is a common misconception that the devices are not a real threat and the security team has them under control. A quick look at some recent news may give you a very different perspective. In March of 2016, a hacker sent controversial propaganda to thousands of printers as an experiment. In January of 2017, a research group published an article outlining known vulnerabilities in many major manufacturers print devices. Then in February of 2017, a hacker hijacked thousands of publicly exposed printers to warn others.

So, we have research identifying known deficiencies, hackers exposing and penetrating thousands of devices as “warnings” of these vulnerabilities and then in November of 2017 we had two events happen that further exposed these issues. First, there was the publication of hundreds of manufacturers devices with a known vulnerability that exposed the devices to the internet which was quickly followed up by the report of an employee of the University of Chicago providing the student newspaper screenshots of devices exposed to the internet and even indications that print jobs from the health system’s EHR were being sent to those printers.

We can safely say that printing is still happening at a very high rate and that the devices facilitating this printing are vulnerable. Those that mean us harm know about vulnerabilities and are actively using them against us.

How does this happen when we have such robust and mature security programs? The major underlying cause for most of this is the fact that these devices have been forgotten. Their ownership is misaligned. IT usually owns the printers and supply chain usually owns the copiers - but who owns the security of the devices?

The normal approach to securing these devices is similar to that taken for other endpoints, including the physical aspect. However, printers provide a unique opportunity with an approach that is mutually beneficial to facilities management.

Imagine - what if you didn’t need all those devices? Less devices means less points to secure. Less points to secure mean less concern or cost on physical security. How is this accomplished? Volume. That’s right attacking the volume of print provides an organization with a multitude of benefits.

When an organization understands what their actual volume is and what size print fleet they need to support that volume, they can then change the landscape they are confronting. Most healthcare organizations are only using about 35% of their copier fleet capacity and only 12-15% of their printer fleets. That leaves a lot of opportunities for device reduction, which means fewer devices to secure.

Print volume drives all the costs of supporting the devices; toner, paper, labor, lease and acquisition cost just to name a few, but there is even more benefit.

Imagine how much space an organization gets back with the reduction in the physical footprint of these devices, or the energy consumption, or even the avoidance of your limited capital dollars. What if you could take those underutilized devices and use them in your next building project or for your next acquisition or expansion? That is a lot more available money to put towards other more strategic and potentially revenue generating initiatives.

Simply by taking an alternative approach to the security of printers and by understanding the current utilization of your fleet you can reduce the risk associated with the devices, reduce the cost and effort to securing the devices, drive out costs, provide cost avoidance, regain much needed physical footprint within your facility, reduce the capital cost of growth and even support your overall green and environmental initiatives.

Facilities management should be both a participant in and a beneficiary of your print security program to ensure maximum benefit.

Sean Hughes is the EVP of managed print services at CynergisTek.