Printing and Patient Security
Thursday, August 24, 2017
by Guy Tucker
The technical world is changing. There was a time in the “not too distant” past when clinics and hospitals ran all their systems in the well-defined confines of their own physical infrastructures. Usually, this was in the basement (which may explain why so many of my IT colleagues are so sun deprived). Today, the many mergers and acquisitions have changed the complexity of the IT infrastructure. IT demands that data not only cross the street, but cross the town, the state, and sometimes even international borders. This means that patient data is no longer confined to the wires in the building, but is instead traversing the globe.
Exacerbating this issue is the location of EMR clinical and billing systems. Many vendors today offer hosting of an organization’s EMR system. Cerner, Epic, and Allscripts all have hosting options for some or all of their applications. Other companies like eClinicalWorks provide a cloud hosted environment with data traveling on the public internet.
When data has to travel great distances, there is an increased likelihood of that data being read by undesirable forces. However, many forms of data have built-in security to allow safe passage. Data accessed via the web can (and should) be guarded by encryption schemes like TLS. So-called private networks should also be encrypted, though this is not necessarily the case. Data in these worlds is easy to obtain if one has a little knowledge of telephony, and often this data is not guarded by common encryption schemes.
Vulnerable Print Streams
A major chink in the security armor is the print-ready data stream. Clinical environments require print. Labels, prescriptions, after visit summaries, and wristbands often are generated by EMR systems and sent to output devices. But print-ready data streams, though not easily read by the human eye, are easy to capture. It is equally easy to reveal their content.
Let’s assume that a print transmission is captured. This is fairly easy to do. Wireshark traces, digital feed taps, and other common sniffing methods are easy to accomplish. Determining which data is a print-ready data stream is simple. Markers such as “PJL”, “^XA”, and a few others quickly identify information destined for a printer.
Once the data is isolated, all one has to do is “play it back” to a printer (many printers handle a variety of document data streams, and even label printers can be pretty flexible). Then, voila, out comes the information, easily readable to the human eye. The information can include the aforementioned PHI data, or billing data, or anything else that is printed. If the sniffer is placed with a little intelligence, the captured data is more likely to be sensitive.
What happens if the documents are printed from the public cloud? Is there some mechanism to prevent this data from being grabbed by sophisticated web-based bots trained to look for this? Generally not. Print data and print traffic are often not considered in the security planning.
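The same markers work for defenders auditing their own print paths: the added example below (not from the original article) classifies the first payload of each captured flow and reports the ones carrying print-ready data in the clear. The function names, the marker list beyond “PJL” and “^XA”, and the sample flows are assumptions constructed for illustration.

```python
# Added example: flag cleartext print-ready streams in traffic captured on
# your own print paths. Sample flows below are constructed for illustration.

# Byte markers that open common print-ready formats (PJL and ^XA are the
# ones named in the article; the PostScript header is a further known one).
PRINT_MARKERS = [
    (b"\x1b%-12345X", "PJL"),   # Universal Exit Language prefix before @PJL
    (b"@PJL", "PJL"),
    (b"^XA", "ZPL"),            # start of a Zebra label format
    (b"%!PS", "PostScript"),
]

def classify(payload: bytes) -> str:
    """Classify the first bytes of a flow: 'tls', 'print:<format>' or 'other'."""
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    head = payload[:512]
    for marker, fmt in PRINT_MARKERS:
        if marker in head:
            return "print:" + fmt
    return "other"

def audit(flows):
    """Return (destination, port, format) for every flow carrying cleartext print data."""
    findings = []
    for dst, port, payload in flows:
        verdict = classify(payload)
        if verdict.startswith("print:"):
            findings.append((dst, port, verdict.split(":", 1)[1]))
    return findings

# Constructed sample: first payload of four flows (documentation addresses).
SAMPLE_FLOWS = [
    ("192.0.2.21", 9100, b"\x1b%-12345X@PJL JOB NAME=\"constructed\"\r\n"),
    ("192.0.2.35", 9100, b"^XA^FO50,50^FDCONSTRUCTED LABEL^FS^XZ"),
    ("192.0.2.40", 631, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("192.0.2.50", 80, b"GET /status HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, port, fmt in audit(SAMPLE_FLOWS):
        print(f"cleartext {fmt} print stream to {dst}:{port}")
```

Any destination this reports is a print path where encryption is missing and should be added or enforced.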
The Problem of Print
The core issue here is not just the vulnerability, but rather the common mistake of taking print traffic for granted. Many consider printing to be some magic thing that is just supposed to happen, and just supposed to take care of itself. This is often true in the very IT organizations that are assigned to protect these print streams. Within these organizations, little is known of how print is created, sent, and received other than that “Windows just handles it” or “my EMR just deals with it.” Beyond the clear security risks, people neglect to ask: what happens if those wristbands do not print? Or if patient care is delayed because of some glitch in the print mechanisms? Do those who architect our systems have any knowledge of print, or the necessity of critical output in the healthcare workflow?
Just like any other problem, lack of management in the print environment is the core issue. Looking solely to printer manufacturers for help is not enough, as they do not understand the business of health care. Looking to our EMR vendors is also not enough. They know how to format the data, and how to make it appear on paper, but have no clue about the network that moves the traffic. Our network engineers are also not up to the task on their own. They know how to build networks with reduced vulnerability, but depend on applications like web servers and web browsers to keep things safe. To complicate this further, many organizations put the most inexperienced personnel in charge of the print environment because it *is* so challenging and problematic. Experienced people know it’s hard and want nothing to do with it.
If print vulnerability is the problem, ownership is the answer. Stable, intelligent, and experienced teams must own the print environment. Those people must study how network print traffic works. They should know what systems produce those data streams, and what is the best way to secure them. There must be both highly competent technical staff members and management focused on this ever-changing environment. Large shops must have staff dedicated to this issue. Many forward-thinking organizations today are forming output management-related positions both for staff and leadership. Some are even establishing departments that own the print landscape.
Many printers today have the ability to decrypt data; IPsec and TLS decryption are often available. Some printer drivers can encrypt the data, but not all. EMR vendors do not encrypt the outgoing data, but depend on other mechanisms to do this.
This is where LRS comes in. LRS personnel have been working with this environment for many years. LRS has been encrypting data streams to printers and from EMRs to LRS output management systems for nearly two decades. We can help you get ahead of the curve in this area to prevent the data loss described above.
Information loss via print-ready data is very real, and is happening today. By making plans to address this subject, you can protect your organization, your patients, and maybe even yourself.