
Copier Insecurity Sideswipes HIPAA

April 22nd, 2010

If you haven’t watched this video on hard drives in copiers, take 5 minutes and have a look. It is a quick glimpse into how vulnerable the information that is stored on copiers really is, because they store nearly everything you do on a hard drive.

[Embedded video: CBS News report on hard drives in copiers]

After a few months of giving presentations about the HITECH Act, this adds fuel to the fire of how loose our data control really is. As hospitals, or in my case non-profit health care providers, work to comply with the regulations, it shows how poorly those regulations are applied to actually preventing data loss.

How exactly does this affect HIPAA & HITECH?

This constitutes a breach of confidential information, putting you squarely within the provisions on secure data loss and your control of that information.

Anybody who has access to or deals with Personal Health Information, including vendors who support the systems that control such information, needs to sign a business associate agreement, which now holds them liable for the same extortion-level fines as the covered entity. Before you run out and try to find your local HIPAA-certified copier technician, I will give you a clue: the copier resale industry is not anywhere close to recognizing the impact of this. While I may retire from my job tomorrow to open a copier technician company revolving around securing and encrypting copier drives, the real copier industry just isn't there yet.

That is not to say the copier manufacturers themselves aren't aware. In fact, most manufacturers offer encrypted drives and systems that wipe the information from any form of buffer. The problem is that nobody buys a copier direct from Xerox any more, and you will find that your local copier resale rep knows less about encryption or media sanitization than the Buffalo Police Department.

How do we react while we wait for the industry to mature enough to take care of this problem?

  • Contact your copier lease company and inform them that all hard drives will be removed before the copier is returned. Frankly, at this point you shouldn't care what the lease terms say about this. Run the drives through a validated media sanitization company, along with the rest of your hard drives. Don't rely on any claim that the copier company will handle the destruction until they are a signed Business Associate, which makes them fiscally responsible.
  • Prepare your copier reseller for a discussion about a business associate agreement covering the HIPAA regulations, if they don't already have one in place.
  • Keep a log of every support call for the copier, and present each technician who shows up to work on that copier with the legal disclaimers that secure the same HIPAA partner agreements.
  • Consider tagging or marking the hard drive inside the machine itself, and take an inventory of its serial number for tracking purposes.
  • Wait for the same episode to come out about how insecure faxes and fax machines are, because we choose to ignore that too.