
Printing_News_February_2017

Healthcare is, of course, a particularly sensitive topic. Any printer who produces materials for any type of healthcare organization – even if it is just their marketing materials – could find themselves falling under HIPAA requirements. Konica Minolta’s Chris Belillo, director, Business Solutions & Market Development, has actually come across a situation where a printer inadvertently disclosed PII: “In 2010, a multifunction printer was returned to a warehouse after the lease expired. An investigative report discovered that the device’s hard drive contained patient records from a healthcare organization. Subsequently, in 2013 the healthcare organization was fined $1.2 million by the Department of Health and Human Services (HHS) for violating HIPAA.”

And while that was a specific situation, and involved an MFP rather than a full commercial printing press, the same ideas apply. “‘Hardware’ actually extends beyond printing devices and servers and also includes site security – access controls, logging, identification, visitor-access procedures, vendor access procedures – as well as the data networking layer,” notes Johnson.

The mail stream is another potential target, and not only for the name and address information it carries. It often includes demographic information as well – information that could be used against those consumers if an unscrupulous party were to gain access to it.

“Printers should ensure that any software solutions they use for mailings are certified by regulated agencies such as the USPS and not processed through a secondary or third-party vendor,” stresses McKiernan. “The software vendor of choice should be the manufacturer of the solution, rather than a branded reseller to ensure that the printer knows exactly who the party is that is receiving and processing their data, and that this party is credible.

“Look for software vendors that have been in the industry for several years and have a history of handling sensitive data. Ask software vendors for customer references and security NDAs or confidentiality agreements prior to sending confidential data for processing. Vendors that process data through services such as NCOALink for move update processing should also share their data security and confidentiality policies with the printers,” says McKiernan.

Planning for, dealing with a breach

Given that even the most secure systems in the world can be hacked, the best a print shop can do is ensure it has taken all the necessary steps to try to keep the information secure, and have a plan in place for when – not if – a breach occurs.

When it comes to prevention, says Johnson, “Basic security measures like building access, network firewalls, and virus/malware-detection software are good business practices to implement for all businesses. They become even more important when handling customer data. There are well-defined security protocols ranging from SSAE 16/SOC1 (replacement for SAS 70), HIPAA (for healthcare), and implementation is usually handled with the help of consultants and trainers who specialize in these standards.”

Johnson goes on to specifically address the systems most printers are running, noting: “For the press and workflow systems driving the press, best practices are that PII data (name, address, offer information, anything identifiable) should be transient and not persistent beyond the actual print run.”

Other basic steps a shop can take to help prevent any attacks from succeeding include: create complex passwords for any system that will touch PII – even if it’s just passing through – and put a system in place to ensure those passwords are changed a minimum of every 90 days; encrypt all hard drives, whether they are attached to the digital front end of the press, live inside a multi-function printer, or are attached to the computers used for prepress or workflow processes; secure all mobile devices,

Continued on page 19

Dealing with a Ransomware Attack

A ransomware attack is one more way that your customers’ data can be put at risk. Ransomware attacks, which began several years ago and have been on the increase since 2015, are instigated by malware that encrypts valuable digital files and then demands a ransom for their release. Small and large businesses as well as hospitals, local governments, school districts, and other institutions (and even individuals) have been subjected to these attacks.

As the FBI reports: “Organizations are generally not even aware they’ve been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins (because of the anonymity this virtual currency provides).”

Because ransomware techniques and malware are continuing to evolve – and because it’s difficult to detect a ransomware compromise before it’s too late – the FBI says that companies and organizations should focus on two main areas: prevention efforts, both in terms of awareness training for employees and robust technical prevention controls; and the creation of a solid business continuity plan in the event of a ransomware attack.

The FBI does not support paying a ransom in response to a ransomware attack: “Paying a ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom,” states the organization. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

