Last week we saw a piece on a law firm blog about how copy machines can make a health care provider vulnerable to data breaches and HIPAA violations in a way we hadn’t considered.
It’s not enough, apparently, to make sure a copier’s software is set up to prevent patient data breaches by locking down the scan-to-email function. It’s not enough to force the copier to wipe or format its disk drive periodically, to make sure files are routinely deleted.
No, this article shows that enterprising identity thieves can circumvent even those measures — because of the way copier operating systems generally work. This isn’t the first time we’ve heard health care IT authorities talk about shredding hard drives as the only truly fail-safe way to prevent data breaches. But it’s the first time anyone’s brought it up while discussing copy machines, devices usually managed by third parties.
Which brings up our tip of the day: In your HIPAA business-associate agreements with copier providers, make sure that disk-shredding — or at least a strong scrubbing — becomes part of the decommissioning process. Don’t let your patient information be exposed: it’s unlikely that CBS News came up with this idea for hacking into copiers for patient data on its own, and other opportunists might be lurking around your facility.
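To make the "format is not enough" point concrete for whoever audits a copier before it leaves the building, here is an added Python example (it is not code from the original post, the law firm article, or any copier vendor). It builds a constructed in-memory "disk", plants fake scanned pages that carry real JPEG, TIFF and PDF file signatures, performs a quick format that only clears the allocation table, and then carves the medium for those signatures; the same check is run again after a full overwrite. The layout, sector size and payloads are all made up for the demonstration.

```python
"""
Added example (not from the original post): simulate why a quick format
or file-level delete on a copier's disk leaves scanned documents in place,
and show a residual-data check a decommissioning audit could run over a
disk image before the drive is released to a third party.

Everything is constructed: the 'disk' is a bytearray, and the 'scanned
pages' are fake files that carry genuine JFIF/TIFF/PDF magic bytes.
"""
import os
import re

SECTOR = 512
# File signatures commonly produced by scan-to-file jobs.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%PDF-": "PDF",
}


def make_disk(num_sectors=64):
    """A blank, zero-filled medium (constructed)."""
    return bytearray(num_sectors * SECTOR)


def write_scan(disk, sector, payload):
    """Place a fake scanned document at a sector offset (constructed data)."""
    start = sector * SECTOR
    disk[start:start + len(payload)] = payload
    return start


def quick_format(disk, table_sectors=1):
    """'Quick format': only the allocation table is zeroed; file data stays."""
    disk[0:table_sectors * SECTOR] = bytes(table_sectors * SECTOR)


def overwrite_scrub(disk, passes=1):
    """Strong scrubbing: overwrite every byte with random data, then zeros."""
    n = len(disk)
    for _ in range(passes):
        disk[:] = os.urandom(n)
    disk[:] = bytes(n)


def find_residual(disk):
    """Carve the whole medium for file signatures, ignoring sector alignment."""
    raw = bytes(disk)
    hits = []
    for magic, name in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), raw):
            hits.append((m.start(), name))
    return sorted(hits)


def nonzero_ratio(disk):
    """Fraction of bytes that are not zero; 0.0 means a clean zero-fill."""
    return sum(1 for b in disk if b) / len(disk)


def verify_scrubbed(disk):
    """Audit check: no carvable signatures and nothing but zeros remain."""
    return not find_residual(disk) and nonzero_ratio(disk) == 0.0


def demo():
    """Run the format-vs-scrub comparison and return both carving results."""
    disk = make_disk()
    write_scan(disk, 4, b"\xff\xd8\xff\xe0" + b"CONSTRUCTED CHART PAGE".ljust(600, b"x"))
    write_scan(disk, 9, b"%PDF-1.4\n" + b"constructed lab report".ljust(300, b"."))
    write_scan(disk, 20, b"II*\x00" + b"constructed tiff scan".ljust(100, b"t"))

    quick_format(disk)
    after_format = find_residual(disk)      # the pages are still all there
    format_ok = verify_scrubbed(disk)       # False

    overwrite_scrub(disk)
    after_scrub = find_residual(disk)       # nothing left to carve
    scrub_ok = verify_scrubbed(disk)        # True
    return after_format, format_ok, after_scrub, scrub_ok


if __name__ == "__main__":
    fmt_hits, fmt_ok, scrub_hits, scrub_ok = demo()
    print("after quick format:", fmt_hits, "clean:", fmt_ok)
    print("after overwrite:   ", scrub_hits, "clean:", scrub_ok)
```

The carving step deliberately ignores the file system: it reads the raw medium the way a recovery tool would, which is why a cleared allocation table changes nothing. One caveat when turning this into a real audit: an overwrite and a verification pass can only reach the sectors the host is allowed to address, and drives with remapped sectors or flash wear-levelling may keep copies outside that view, which is the reason the post's fallback of physically shredding the drive remains the fail-safe option.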