Recently I have spent a lot of time thinking about printers. Not because I want something on paper. In fact, I do my best to avoid paper. But that doesn’t mean that I don’t care about printers and multi-function devices (MFDs). I test security for healthcare organizations, and these are entities that print reams of paper every hour. Most of this printing is done for a good reason: there is a legitimate need to print forms, records, orders, etc.
For the last decade, the healthcare industry has been working very hard to come over to the 21st century. One of the largest overall initiatives that have been sweeping through the industry is the digitization of patient records. Along with this has come a plethora of new problems, regulations, attacks, and privacy concerns. Anyone who works in IT in healthcare, and more so those who work in security, knows that everyone has been working hard to find solutions to the new digital problems we are facing. This is all well and good; in fact, it is wonderful.
Unfortunately, this push to secure the digital side of things has left the IT and security departments stretched to their breaking point. Everyone is scurrying in ten different directions to put out the fires. There are very few organizations, at least that I have worked directly with, that have had the time and energy to devote to the security of their printers and MFDs. In most cases, what I see is that these devices are simply segregated onto their own VLAN.
Keeping these printers and MFDs off the main network has kept many of the regulatory complaints at bay. It also works well as a mitigating control when a risk assessment or vulnerability scan finds the printer VLAN. But all that is being done here is putting another thumb in the dam. Unsecured devices anywhere on any network are bad. When those devices are used to process and print sensitive patient information, the landscape begins to look bleaker.
There is a mountain of services running on each of these devices. By default, they have a well-known username and password for administrative access. Often, they are in publicly accessible or semi-public locations throughout healthcare facilities. And on top of all that, they are often configured, managed, maintained, and administered by the hardware reseller or the printer leasing company. These things put the printers and MFDs that providers so keenly rely upon at a significant level of risk.
Next time you have a vulnerability scan, risk assessment, or penetration test conducted within your organization, have them look at this “safe” printer VLAN. See how many of these devices are properly configured. Think about their lifecycle. Does the vendor ever take the devices out for maintenance? If so, what happens to the hard drive? How about when the device is retired? These are just a few starter questions. Just because no one in your organization has had the time to take on printer security doesn’t mean it can be safely ignored.
Consider getting an assessment done specifically for the printers. Have a look at all these aspects: everything from the placement, access control, lifecycle, and configuration to the management of the vendor, security, disk drives, and services, as well as all the things in between. Printers are a big part of most healthcare providers’ toolset. They also process significant amounts of sensitive and even patient health data every day. Would you let your EHR database or Active Directory server be that wide open to attack? No.