The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is 20 years old, so you have a lot of experience with following its requirements. Your healthcare office has several security measures in place to stay HIPAA compliant, but you may be overlooking a key area: your digital copiers. Here are a few ways you could be compromising your patients' health information due to this oversight.
Multifunction Copier HIPAA Security Risks
Today's copiers have advanced capabilities compared to the devices manufactured 20 years ago. They can copy, scan, fax, print, and even send emails. In many cases, your copier also has its own hard drive. When you conduct a HIPAA security risk analysis, you should categorize this device as a computer workstation.
The multifunction copier is covered by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA Security Rule. It's considered a machine that stores, transmits, receives, or creates protected health information. The four areas to focus on when you add the copier to the risk assessment are confidentiality, availability, document security, and data integrity.
Implementing Technical Safeguards for HIPAA Compliance
You have three major cybersecurity safeguards designed to keep patient health information safe on your copiers: copier access control, user authentication, and audit trails. All three are essential to keeping data secure. You don't want to risk being fined for a breach caused by a lack of physical and electronic access point security.
Every user needs unique credentials for the copier. System administrators also need authentication verification and monitoring in place. You encounter two common methods of verifying user identities at the multifunction copier: proximity cards and biometrics.
HID Proximity Cards
These cards rely on radio frequencies or an embedded microprocessor to transmit information to a proximity card reader. You may be familiar with radio frequency identification (RFID) cards from other industries, and the same concept applies here: they use electromagnetic fields to handle the identification and tracking process automatically. The other option, smart cards, uses an embedded processor to communicate this information.
Biometrics
This authentication method uses unique personal data to grant access to the copier. For example, your users could present their eyes or their fingerprint as the biometric data. Because of the nature of this access key, it's incredibly difficult to falsify.
User authentication at the copier is best practice for HIPAA compliance, but you can maximize your security through biometrics. Someone could lose their HID proximity card, but they can't misplace their fingers or eyes.
No matter which method you choose, make sure to include copier security in your information security policies and HIPAA risk analysis.