BreachExchange mailing list archives

Photocopiers – A Recurring Data Security Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Sep 2013 23:39:48 -0600

http://www.natlawreview.com/article/photocopiers-recurring-data-security-risk


In a case that illustrates the data privacy risks associated with
modern copiers, the United States Department of Health and Human
Services (HHS) has announced a $1,215,780 settlement with Affinity
Health Plan, Inc. (Affinity), arising from an investigation of
potential violations of the HIPAA Privacy and Security Rules.

This matter started when Affinity was advised by CBS Evening News that
CBS had purchased a photocopier previously leased by Affinity.  CBS
explained that the copier’s hard drive contained confidential medical
information relating to Affinity patients.  As a result, on August 15,
2010, Affinity self-reported a breach with the HHS’ Office for Civil
Rights (OCR).  Affinity estimated that the medical records of
approximately 344,000 persons may have been affected by this breach.
Moreover, Affinity apparently had returned multiple photocopiers to
office equipment vendors in the past without erasing the data
contained upon the internal hard drives of those returned copiers.

After investigating this matter, OCR determined that Affinity had
failed to incorporate photocopier hard drives into its definition of
electronic protected health information (ePHI) in its risk assessments
as required by the Security Rule.  Affinity also failed to implement
appropriate policies and procedures to scrub internal hard drives when
returning photocopiers to its office equipment vendors.  As a result,
OCR determined that Affinity also violated the Privacy Rule.

In discussing this issue, Leon Rodriguez, Director of OCR, stated
that, "This settlement illustrates an important reminder about
equipment designed to retain electronic information: Make sure that
all personal information is wiped from hardware before it is recycled,
thrown away or sent back to a leasing agent…HIPAA covered entities are
required to undertake a careful risk analysis to understand the
threats and vulnerabilities to individuals' data, and have appropriate
safeguards in place to protect this information."

In addition to the agreed upon settlement payment of $1,215,780,
the settlement also requires the implementation of a Corrective Action
Plan (CAP).  The CAP requires Affinity to use its best efforts to
retrieve all hard drives contained in photocopiers previously leased
by the plan that remain in the possession of the leasing agent, and
to take protective measures to safeguard all ePHI going forward.

Points to Consider

Affinity’s case demonstrates the risk presented by the modern copier:
it is a specialized computer with an internal hard drive that stores an
image of every document it scans, copies, prints or faxes, and it keeps
that data indefinitely unless something deliberately overwrites it.
Thus, copiers pose a security risk for any company that processes
and/or possesses personally identifiable information or proprietary
information, such as trade secrets, research and development records,
marketing plans and financial information.  Clearly, this risk applies
to businesses regardless of specific business sector.

Therefore, when acquiring a copier, consider all options available to
protect the data processed on that machine, typically through
encryption or overwriting.  Encryption scrambles the data that remains
stored on the copier’s hard drive, so that the drive is unreadable
without the key; this only helps if the key does not leave with the
drive.  Overwriting (or wiping) replaces the stored data with random
or zero bytes, which makes reconstructing the original contents very
difficult.  Note that simply deleting jobs from the copier’s menu, or
a "factory reset", does not necessarily overwrite anything; the data
is only gone when every sector of the drive has been overwritten or
the drive itself has been physically destroyed.

Finally, anticipate the copier’s return to the vendor or other
disposition.  Make sure that arrangements are made prior to the
copier’s departure to effect the hard drive’s removal and secure
disposition so as to make any data on it unusable to third parties,
and keep a record (for example, a certificate of destruction or a wipe
log) showing that this was done.  Often vendors will provide such a
service, as will IT consultants.
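As an added example (not part of the original article), the POSIX shell script below shows what "overwriting" means in practice and, more importantly, how to check it before a drive leaves the building: it builds a constructed 1 MiB disk image standing in for a copier's hard drive, plants sample records in it, overwrites every sector (random data first, zeros last) and then verifies that no record text is recoverable and that every byte reads zero. The image path, the marker string and the record layout are assumptions made for the demonstration; on a real device the same dd and grep commands would be pointed at the block device (with great care) rather than at a file.

```shell
#!/bin/sh
# Added example: overwrite a simulated copier hard-drive image and verify the wipe.
# The image file, marker string and record layout below are constructed for the demo.
IMG="${TMPDIR:-/tmp}/copier_drive.img"   # stands in for the copier's internal drive
MARKER="PATIENT-RECORD"                  # text every planted record carries

make_sample_image() {
  # $1 = image path. Creates a 1 MiB zero-filled image and scatters 50
  # constructed "scanned page" records across it, one every 37 sectors.
  dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
  i=0
  while [ "$i" -lt 50 ]; do
    printf '%s %04d: Jane Doe, DOB 1970-01-01, Dx sample\n' "$MARKER" "$i" |
      dd of="$1" bs=512 seek=$((i * 37)) conv=notrunc 2>/dev/null
    i=$((i + 1))
  done
}

count_records() {
  # $1 = image path. Prints how many lines of the image still contain the
  # marker. grep -a treats the binary image as text; "|| true" keeps a
  # zero count (grep exit status 1) from aborting a run under set -e.
  grep -a -c "$MARKER" "$1" || true
}

wipe_image() {
  # $1 = image path, $2 = number of passes. Every sector is overwritten with
  # random data on all but the last pass, and with zeros on the last pass so
  # the result can be confirmed by a simple all-zero check afterwards.
  size=$(wc -c < "$1" | tr -d ' ')
  blocks=$(( (size + 511) / 512 ))
  p=1
  while [ "$p" -lt "$2" ]; do
    dd if=/dev/urandom of="$1" bs=512 count="$blocks" conv=notrunc 2>/dev/null
    p=$((p + 1))
  done
  dd if=/dev/zero of="$1" bs=512 count="$blocks" conv=notrunc 2>/dev/null
}

verify_wiped() {
  # $1 = image path. Succeeds only if no marker survives AND every byte is zero,
  # i.e. the last pass really reached every sector of the image.
  [ "$(count_records "$1")" -eq 0 ] || return 1
  nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# Demonstration run: plant records, count them, wipe, count again, verify.
make_sample_image "$IMG"
echo "records before wipe: $(count_records "$IMG")"
wipe_image "$IMG" 2
echo "records after wipe:  $(count_records "$IMG")"
if verify_wiped "$IMG"; then echo "verification: clean"; else echo "verification: DATA REMAINS"; fi
rm -f "$IMG"
```

The verification step is the part worth keeping: a vendor's assurance that a drive was "reset" is not evidence, whereas a zero-count grep for known content and an all-zero byte check are. Note that on solid-state media and on drives with remapped sectors, overwriting from the host cannot reach every physical block, which is why the article's advice to remove and physically destroy the drive remains the safest option.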

Note that protecting sensitive information is a company’s ongoing
responsibility.  Make sure that copiers are considered as part of any
comprehensive data security or privacy policy (as are PCs, laptops,
smart phones, flash drives and other electronic devices) to avoid an
avoidable, but costly and embarrassing, data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
