How printers are increasing the risk of data breaches in hospitals
Thousands of people enter Australian hospitals each day to seek medical help, attend appointments or visit family and friends.¹ During 2018 to 2019, 11.5 million people were hospitalised, with patients admitted increasing an average of 3.3% each year.²
Hospitals and healthcare organisations heavily rely on hardcopy files, prescriptions and records. Although digitalisation is occurring, printing remains an important tool for healthcare professionals to review test results, produce prescriptions, provide patients with further information and much more.
A recent report by Quocirca found that 60% of organisations surveyed had experienced at least one data breach due to unsecured printing.³ In Australia, health service providers are the most common victims of data breaches, accounting for 115 of a total of 518 data breaches reported in the period January to June 2020.⁴ These statistics confirm that hospitals have a high risk of data breaches, which means confidential information can end up in the hands of unauthorised people.
In many cases, hospital printers and multifunction devices are located in areas where members of the public can easily access them. Particularly when healthcare professionals are preoccupied with helping patients, printed documents can be forgotten about and left unattended on printers for potentially hours, putting that information at risk of being read or stolen.
What a data breach could mean for hospitals
Hospitals and healthcare facilities have a duty of care to keep patient information confidential. Data breaches affect three main stakeholders:
1. The hospital or healthcare facility
The hospital or healthcare facility will likely come under review by a higher governing medical board to assess what happened. Financial penalties can be issued if it is found to breach the Healthcare Identifiers Act 2010⁵ or the My Health Records Act 2012⁶. The facility will need to report the breach appropriately to the Office of the Australian Information Commissioner and to affected parties or risk further penalties.
However, reports of a data breach can be enough to damage the reputation of a hospital and weaken community trust in the facility. This community trust is essential to provide adequate medical care, particularly for hospitals in regional areas or small communities.
2. The medical practitioner
All medical practitioners are obligated to uphold the rights of the patient including ensuring their personal data remains confidential. Leaving confidential paperwork exposed is negligent practice and, although it could be the result of a simple error, such carelessness can result in financial penalties and a loss of reputation.
3. The patient
In the event of a data breach, patient trust is broken, usually with the doctor and the healthcare facility. This can impact the patient’s trust in the future when seeking medical care, which may result in the patient limiting or falsifying personal information. For small and regional communities, where there is a limited number of medical professionals, this can mean a patient avoids seeking medical attention, which can result in serious health and wellbeing consequences to the patient. This can translate to higher healthcare costs down the track as patients may only present to hospital with serious or even life-threatening conditions that could have been treated more easily if they had presented sooner.
How to maintain data security
For hospitals, moving printers into a secure office or staff-only room can be inconvenient and may disrupt medical staff and impact the way they interact with patients. Instead, hospitals need to evaluate how to balance the need to minimise the risk of a data breach while still letting staff members print essential information. With this in mind, there are three elements hospitals should consider:
1. Pull-printing
Pull-printing means that documents can be sent to print; however, they won’t actually be printed until the person who sent them to the printer is physically present. This prevents situations where documents are printed and then forgotten, left on the printer for anyone to read.
2. Swipe card functionality
Pull-printing can be managed using PINs or other credentials. Swipe cards issued to individual staff members can make this process easier. With swipe cards, staff members simply need to touch the card to the printer and select the printing job they want from their print queue. Some swipe cards can be further fortified with a password needed at the printer before the print job can be selected. Swipe cards are ideal for infection control because they can eliminate the need for the staff member to touch the printer at all.
3. Print reports
With print reports, hospitals can monitor and track any scans, copies and printed documents. This includes details such as: who printed it; what they printed; the device they used; when they printed it; and the quantity scanned, copied or printed. This helps keep tighter control over information dissemination. A report can also identify any unusual printing or usage so the organisation can take the necessary precautions.
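As an added illustration (not part of the original article or any vendor's product), the following Python sketch reviews a print report containing the fields listed above and flags unusual usage. The CSV layout, user and device names, and the thresholds are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample report (not real data): who, what, device, when, quantity.
SAMPLE_REPORT = """user,document,device,timestamp,action,pages
nurse.a,discharge_summary.pdf,ward3-mfd,2020-06-01T09:14:00,print,2
nurse.a,medication_chart.pdf,ward3-mfd,2020-06-01T13:40:00,print,3
nurse.a,pathology_result.pdf,ward3-mfd,2020-06-02T10:05:00,print,2
nurse.a,patient_list_export.xlsx,ward3-mfd,2020-06-02T23:51:00,print,140
clerk.b,admission_form.pdf,front-desk-mfd,2020-06-01T08:30:00,copy,4
clerk.b,referral_letter.pdf,front-desk-mfd,2020-06-02T15:20:00,scan,1
"""

# Assumed policy values; tune them to the site's rosters and normal volumes.
WORK_HOURS = range(7, 20)  # 07:00-19:59 is treated as expected usage
VOLUME_FACTOR = 10         # flag jobs at least 10x the user's median job size
MIN_PAGES = 20             # never flag small jobs on volume alone


def load_report(text):
    """Parse the CSV report into dicts with a typed timestamp and page count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["pages"] = int(row["pages"])
        rows.append(row)
    return rows


def flag_unusual(rows):
    """Return (row, reasons) for jobs outside hours or far above the user's norm."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row["pages"])
    findings = []
    for row in rows:
        reasons = []
        if row["timestamp"].hour not in WORK_HOURS:
            reasons.append("after-hours")
        baseline = median(by_user[row["user"]])
        if row["pages"] >= MIN_PAGES and row["pages"] >= VOLUME_FACTOR * baseline:
            reasons.append("high-volume")
        if reasons:
            findings.append((row, reasons))
    return findings
```

Calling `flag_unusual(load_report(SAMPLE_REPORT))` returns the single 140-page job sent at 23:51, tagged with both reasons, along with the user, device and document needed for follow-up.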
Due to the personalised and confidential nature of information dealt with by hospitals and healthcare facilities, a data breach can result in costly penalties and lost community trust, and cause future trust and health problems with the patient involved. To limit this risk, hospitals should consider implementing a print management solution to ensure documents remain secure and patient information remains confidential.