Security researchers have long chastised its use for a wide range of privacy issues, such as faxes with personal data being sent to the wrong recipient. The risk exponentially increased when Check Point researchers recently discovered a vulnerability in the device that could allow a hacker to launch a cyberattack with just a fax number.
But the healthcare sector’s use of fax machines and antiquated technology pose yet another threat: The data left on devices at the end of its lifecycle.
The fax machine has many benefits. It’s inexpensive, difficult to intercept the signal, and easy on the other end to verify the signature, explained Michael Harstrick, Chief Global Development Officer of Garner Products.
But fax machines operate much like a printer or scanner. It takes in information, sorts it, and replicates it through a scan or other mechanism. The problem is that the hardware stores the last several gigabytes of data that have been processed, Harstrick explained.
“Fax machines made since 2004 have a hard drive, and they store the last 20-40,000 pages of data on the hard drive,” said Harstrick. “The machine is not sanitized and that data walks out the door unencrypted to be resold. The same is true for printers and scanners.”
“All three of these devices are considered office supplies so IT does not have a role in their management,” he continued. “The problem is most fax machines are leased, and it’s an office supply, not handled by the tech team. After the hold is up on the lease, it’s sent back. And [the vendor] walks out of the organization with the last pages and hard drive of the fax machine.”
The fax machine is left on a shelf until it’s sent to the next organization, explained Harstrick. “It’s arguably a huge data breach risk. If I let a printer out of the organization without wiping it, I can’t report a breach because, frankly, no one really knows what the issue is and how it works.”
In August, the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services announced a collaborative effort to end the use of fax machines to transmit patient data by 2020.
“People talk for endless hours about protecting data and about how they protect their organization. But they forget about trash.”
The goal, CMS Administrator Seema Verma said at ONC’s Interoperability Forum, was to develop a free flow of information between patients, insurers and healthcare providers. In doing so, she encouraged developers to create an alternative.
While Harstrick said that the initiative is a good start, it doesn’t fully solve the legacy tech issues, as there will still be printers, scanners and all-in-one devices in use.
“Getting rid of fax machines wouldn’t hurt, but that’s not the only potential problem,” he said. “For example, if you’re a law firm, billing hundreds of dollars an hour, you may call to fix your printer. The technician could lift data from the machine, and you’d never know.”
“It’s basically a lack of awareness. People just don’t know,” he added. “People talk for endless hours about protecting data and about how they protect their organization. But they forget about trash.”
Even HIPAA has its gaps when it comes to these legacy devices, explained Harstrick. There’s obviously potential fines for breaching data, “but they don’t have any prescription for how to prevent it.”
Shoring up fax machine and printer flaws starts with the security leader. To Harstrick, the CISO or other infosec leader needs to look at the problem from a policy level. They need to evaluate potential areas where data could leak and consider potential solutions for closing those gaps.
To start, those end of lifecycle devices need to be degaussed — or demagnetized.
“Most storage media today is magnetic. All hard drives, laptops and other devices with magnetic storage should be degaussed,” Harstrick said.
Harstrick explained that the magnetic record is similar to how vinyl records store data. A groove is put into the vinyl, and the height or depth of the needle determines the sound.
“Magnetic media is the same, only it happens much faster,” said Harstrick. When a field is created on a disc drive, the field is measured and needs to be demagnetized to eradicate the data. It doesn’t take long to erase, but the machines are expensive.
“The advantage is that the magnetic field no longer exists, and no force can override it,” he added. “The problem is trying to get people in front of this to be responsible.”
While most infosec leaders are cognizant of what’s going on in their security center, physical equipment may not be handled by that team, Harstrick explained. Before these devices leave an organization they need to be erased and outdated storage devices should be shredded.
“Everyone is consumed with protecting active databases online. But people aren’t paying attention to the end of life,” Harstrick said.