Stealing personal information by printing it is nothing new, but most organizations probably don’t focus on it as a risk. In reality, 70 percent of businesses admit to experiencing one or more print-related data breaches, and violations of data protection legislation could lead to fines of up to $850,000 in serious cases. More than three-quarters (76 percent) of organizations indicate that printing is critical or important to their business activities. So why do fewer than a quarter of businesses have a print security strategy? One possible explanation is that most news headlines put the focus on hackers or trusted insiders stealing digital files and not printed documents.
Case in point: a recent breach at the Montefiore Medical Center in New York received little media attention but offers an important reminder not to overlook the need for securing printers. In this situation, an employee stole names, addresses, dates of birth, Social Security numbers as well as the information of family members and health insurance details of more than 12,000 patients. The information was used to purchase clothing and other merchandise from some of New York’s finest department stores. The Montefiore employee was a trusted insider who sold the stolen information to a ring of seven others who perpetrated the crimes.
The employee in question printed thousands of patients’ records and sold them for $3 per copy to outside buyers. The hospital had no way of preventing or controlling this activity. The employee and her accomplices are now under arrest, but the hospital may face charges for violating HIPAA and patient privacy laws.
Taking a data-centric approach to your security can give you a more holistic view into how sensitive data is used in your organization. Fasoo offers five tips for applying this approach to the creation of a security strategy in the enterprise. From restricted access and verification requirements that block documents containing sensitive information from being printed, to watermarks that show who printed a document, these features help regulate employee behavior and detect suspicious activity.
- Set print control based on context
The policy restricts users from printing documents with PII (personally identifiable information), PHI (personal health information) or other sensitive information. Users can request to print sensitive information using an approval workflow. Print security policy is effective at all times, even if users use uncontrolled printing devices or if they are offline.
- Require authentication prior to retrieving a printout
Users can only retrieve their printouts after authentication with a smartphone or tablet. Users can release print jobs at any printer. This policy does not require additional authentication devices like an RFID reader. A web-based, pull-printing approval interface can be integrated with MFP devices.
- Apply dynamic watermarks to printouts without user intervention
The policy enforces printing documents to physical or virtual printers with watermarks without user intervention. Multiple watermark templates can be applied to different users, groups or documents. Dynamic watermark information includes user name, IP address, security classification, file name, company logo, time and date.
- Trace and manage printing activities
Printing activity logs include user name, IP address, security classification, file name (including original file if changed), time and date. Comprehensive logging can be set up for specific users or groups, and includes the actual content of documents in text or image format.
- Limit printing to virtual printers
By establishing a print quota, organizations can regulate the number of print jobs each employee is allowed to physically print and can encourage virtual printing. Virtual printing converts material and allows employees to save documents and web pages in various file formats. Additionally, it facilitates remote printing, or sharing of documents, via a Web server.
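The log fields listed under "Trace and manage printing activities" are enough to spot bulk printing of sensitive records like the Montefiore case. The following is an added example, not Fasoo's code or log format: the CSV layout, column names, sample rows and the `max_jobs` threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log; columns mirror the fields the article lists.
SAMPLE_LOG = """timestamp,user,ip,classification,file_name
2024-03-04T09:12:00,asmith,10.0.4.21,PHI,patient_0001.pdf
2024-03-04T09:40:00,asmith,10.0.4.21,Public,cafeteria_menu.pdf
2024-03-04T10:05:00,asmith,10.0.4.21,PII,intake_form_0002.pdf
2024-03-04T13:01:00,jdoe,10.0.4.37,PHI,patient_0101.pdf
2024-03-04T13:02:00,jdoe,10.0.4.37,PHI,patient_0102.pdf
2024-03-04T13:03:00,jdoe,10.0.4.37,PHI,patient_0103.pdf
2024-03-04T18:47:00,jdoe,10.0.7.5,PII,patient_0104.pdf
2024-03-04T18:48:00,jdoe,10.0.7.5,phi,patient_0105.pdf
2024-03-05T08:30:00,jdoe,10.0.4.37,PHI,patient_0106.pdf
"""

SENSITIVE = {"PII", "PHI"}  # classifications treated as sensitive (assumed labels)


def flag_bulk_printing(log_text, max_jobs=3):
    """Return one alert per (user, day) whose sensitive print jobs exceed max_jobs."""
    totals = defaultdict(lambda: {"jobs": 0, "files": set(), "ips": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise the label so "phi" and "PHI" count the same.
        if row["classification"].strip().upper() not in SENSITIVE:
            continue
        day = datetime.fromisoformat(row["timestamp"]).date()
        entry = totals[(row["user"], day)]
        entry["jobs"] += 1
        entry["files"].add(row["file_name"])
        entry["ips"].add(row["ip"])

    alerts = []
    for user, day in sorted(totals):
        t = totals[(user, day)]
        if t["jobs"] > max_jobs:
            alerts.append({
                "user": user,
                "day": day.isoformat(),
                "jobs": t["jobs"],
                "distinct_files": len(t["files"]),
                "source_ips": sorted(t["ips"]),  # more than one IP is worth a look
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_printing(SAMPLE_LOG):
        print(alert)
```

In practice the threshold would be set per role from a baseline of normal printing, and the same per-user counts can drive the print quota described above.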
The healthcare industry needs to protect printed PII, PHI and other sensitive information from easily leaving the premises in order to meet HIPAA compliance. A comprehensive strategy including the solutions above offers not only protection of printed materials but also breach detection when they are exposed. In order to avoid future Montefiore incidents, it is necessary to address the reality of insider threats from careless – or malicious – employees.