White Paper. Document Security and Compliance. April 2013. Enterprise Challenges and Opportunities. Comments or Questions?



Similar documents
Document Imaging Solutions. The secure exchange of protected health information.

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

HIPAA PRIVACY AND SECURITY AWARENESS

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection

Compliance in the Corporate World

HIPAA Compliance and the Protection of Patient Health Information

SeCUritY. Safeguarding information Within Documents and Devices. imagerunner ADVANCE Solutions. ADVANCE to Canon MFP security solutions.

Security in Fax: Minimizing Breaches and Compliance Risks

Sharpen your document and data security HP Security solutions for imaging and printing

Why Encryption is Essential to the Safety of Your Business

IMAGER security solutions. Protect Your Business with Sharp s Comprehensive Document Security Solutions

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Compliance in 5 Steps

Reform PDC Document Workflow Solution Streamline capture and distribution. intuitive. lexible. mobile

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

The Impact of HIPAA and HITECH

HIPAA/HITECH Compliance Using VMware vcloud Air

plantemoran.com What School Personnel Administrators Need to know

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Samsung Security Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

10 Hidden IT Risks That Threaten Your Practice

My Docs Online HIPAA Compliance

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

HIPAA Compliance for Students

Streamlining Paper-Based Document Processes with Distributed Capture Solutions

Bridging the HIPAA/HITECH Compliance Gap

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Healthcare Compliance Solutions

Education ADVANCED SOLUTIONS FOR

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Basics of Internet Security

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Top Ten Technology Risks Facing Colleges and Universities

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Using Managed Print Services to Improve Document Security

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

HIPAA and HITECH Compliance for Cloud Applications

HIPAA: In Plain English

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

HIPAA DATA SECURITY & PRIVACY COMPLIANCE

Somansa Data Security and Regulatory Compliance for Healthcare

ADVANCED SOLUTIONS FOR. Healthcare. patient safety quality of care Meaningful Use unstructured documents

Information Resources Security Guidelines

Federal Trade Commission Privacy Impact Assessment

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Security Information Lifecycle

Addressing document imaging security issues

HIPAA Security Alert

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Information Security Policy

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

HIPAA Compliance Guide

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

HIPAA Security Rule Compliance

California State University, Sacramento INFORMATION SECURITY PROGRAM

Data Protection Act Bring your own device (BYOD)

SECURITY WITHOUT SACRIFICE

Information Security Policy

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

10 Hidden IT Risks That Might Threaten Your Business

PageScope Enterprise Suite 3.0

itrust Medical Records System: Requirements for Technical Safeguards

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

7 Ways your Fax Machine is Putting You at Risk for Identity Theft. How is your company protecting private information in everyday transactions?

PCI Compliance for Cloud Applications

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Transcription:

White Paper April 2013 Document Security and Compliance Enterprise Challenges and Opportunities Comments or Questions?

Table of Contents Introduction... 3 Prevalence of Document-Related Security Breaches... 3 Document-related Security Threats and Opportunities... 4 Exposed Hardcopy Documents... 4 Exposed Digital Documents... 5 Insufficient User Restrictions... 5 Uncontrolled Print Environment... 6 Unsecured Scan Infrastructure... 6 Threats and Opportunities by Industry... 6 Education... 6 Financial Services... 7 Healthcare... 8 Legal... 8 InfoTrends Opinion... 9 List of Figures Figure 1: Partial List of More than 500 Health Information Security Breaches... 3 Figure 2: Top IT Initiatives... 4 Figure 3: MFP with Secure Access... 5 Figure 4: For your organization, how would you rate the importance for each of the following goals and objectives?... 7 Figure 5: Do you still maintain a hardcopy file/files of relevant case paperwork?... 9 InfoTrends 2013 2

Introduction In today s age of interconnectivity, the potential for security breaches has multiplied. Not only has it become easier for outsiders to infiltrate company IT infrastructures, but it has also become easier for people within the organization to commit a privacy breach (either on purpose or accidentally). While many companies have responded to the first type of problem by installing network firewalls, anti-malware software, and intrusion detection/prevention systems, the area of internal security threats particularly those related to document security has largely been ignored. Organizations awareness of potential security problems that exist, or familiarity with the solutions that can prevent these types of breaches, varies from company to company. Within this white paper, InfoTrends will highlight the prevalence of document-related security and compliance breaches, provide examples of vulnerable elements of the document infrastructure (in the general office environment and in a variety of key vertical markets), and discuss proven solutions for addressing these risks. Prevalence of Document-Related Security Breaches According to a recent IT research study 1, 90% of U.S. organizations experienced leakage or loss of sensitive or confidential documents over the past 12-month period. The U.S. Department of Health and Human Services, meanwhile, lists over 500 health information security breaches that have affected 500 or more individuals over the last several years. Figure 1: Partial List of More than 500 Health Information Security Breaches 1 The study is titled 2012 Confidential Documents at Risk Study; it was conducted by the Ponemon Institute. InfoTrends 2013 3

Given the prevalence of document-related security breaches in the workplace, in addition to the potential costs associated with these breaches, it is not surprising that many companies consider security a top IT initiative. In fact, InfoTrends research has identified security as one of two principal IT initiatives among U.S. businesses. Figure 2: Top IT Initiatives Mobility Security Business Intelligence/Analytics 45.4% 43.7% 49.7% Cloud computing ERP/enterprise applications Content management 32.2% 35.5% 34.8% CRM/sales automation Compliance Social media 16.5% 21.2% 24.3% Other 6.6% 0% 20% 40% 60% N = 487 Source: Mobile Business Process Initiatives and Obstacles, InfoTrends 2011 The fact that mobility was also a top response does not come as a surprise, as issues around security and mobility are very much intertwined. While only 21% of respondents identified compliance as a top IT initiative, it is clear this initiative is also very much tied to security. In addition, vertical-specific government legislation has created an increased need for compliance. The Gramm-Leach-Bliley Act, for example, requires financial institutions to implement the appropriate technical, physical, and administrative safeguards to preserve the privacy of customer information. Document-related Security Threats and Opportunities There are many ways that confidential documents and data can get into the wrong hands. While many people are aware of threats related to e-mail and computer hard drives, they may not be so aware of potential dangers tied to their printers and multifunctional peripherals (MFPs) (i.e., those that print, copy, scan, fax) two key elements of the document infrastructure. Exposed Hardcopy Documents One risk (that has existed for some time) is that of employees forgetting to pick up their documents in the printer/mfp output tray, leaving them exposed to anyone who happens InfoTrends 2013 4

to walk by. This issue can be addressed through secure access solutions that only release documents after proper authentication (via password, security card, PIN code). Most of these solutions also provide an audit trail of who printed what and where, adding another layer of security. Figure 3: MFP with Secure Access Secure Access Exposed Digital Documents Digitized documents can also be exposed. In fact, many printers and MFPs have hard disk drives that log and store documents, user authentication data, and other sensitive information 2. Sometimes the data is stored temporarily to help speed up a task, while other times it is stored indefinitely. Users can protect these documents and data through encrypting the hard disk drive. There is also the option of disk image overwrite, which can automatically remove data once a job is complete either on a scheduled basis or as needed. Additionally, network security protocols, such as Transport Layer Security, can protect data that is in transit. Insufficient User Restrictions As mentioned above, organizations can implement secure access solutions that require password, PIN, or card authentication. To further enhance security, they can restrict the access privilege of certain users to ensure they are only using the features that are required for their job. For example, certain users may not have access to faxed documents, while other users may not be able to access scanned files. In addition, companies can limit who can transmit stored documents and where these documents can be sent. All of these measures, as well as the associated audit trail, can help companies achieve their security and compliance goals. 2 There are a number of ways the documents can be transmitted to the hard drive, including through a print, copy, fax, or scan job. InfoTrends 2013 5

Uncontrolled Print Environment While organizations can implement any of the security solutions mentioned above, the ideal solution is a comprehensive approach that enables companies to gain full control of the print environment. A number of vendors offer print management software, for example, that tracks all MFP activity across the company, enforces pre-set print and copy quotas to ensure proper usage and prevent waste, and improves security by releasing documents only when users are at the device. Other common features of a comprehensive print management solution consist of a PIN or swipe-card log-in system, the ability to redirect print jobs to the most cost-efficient printer, and the option to allocate costs to particular departments or offices. While print management solutions are largely designed to increase document security, it is clear they also provide cost, environmental, and convenience benefits. Unsecured Scan Infrastructure With many organizations focused on digitizing and storing documents, there is a heightened need to ensure these documents are protected through every stage of the scanning process. The best security solution safeguards critical business data from the moment the MFP or scanner is accessed to the moment the document arrives at the appropriate destination including all steps in between. Organizations looking for this level of protection are encouraged to pay special attention to solutions incorporating user authentication, document encryption, secure deletion of temporary files, scanned document access restrictions, and activity logging. Similar to print management solutions, document capture solutions can be integrated with cost recovery systems. Threats and Opportunities by Industry Every industry has unique challenges and requirements when it comes to safeguarding company documents and data. This section addresses industries with a relatively high level of confidential data/documents as well as compliance obligations. InfoTrends has used its recent Business Process Automation Opportunities for Vertical Markets study (2012), which covers the education, financial services, insurance, healthcare, and legal industries, to provide insight into these vertical markets. Education According to InfoTrends Business Process Automation Opportunities for Vertical Markets study, around 55% of K-12 teachers identify improving student privacy as an important goal for their organization. This concern for privacy is to be expected, given federal laws like the Family Educational Rights and Privacy Act (FERPA) that prevent federally funded schools from releasing information from students education records without written permission from a parent InfoTrends 2013 6

or eligible student 3. Penalties for noncompliance include loss of federal funds, as well as criminal and/or civil penalties for the person who disclosed the information. To ensure information such as grades, enrollment details, and bills are protected, grade schools, high schools, and universities may want to consider the solutions mentioned above. In addition, they can password-protect PDF documents to guarantee the information is not accessed or altered by third-parties. Financial Services The financial services industry is one of the most highly regulated industries due to the private nature of customer finances. As mentioned earlier, the Gramm-Leach-Bliley Act requires financial institutions, such as banks and insurance companies, to implement the appropriate technical, physical, and administrative safeguards to maintain the privacy of customer information; other similar regulations are in place, as well. Financial services employees are well aware of the need to protect sensitive data. InfoTrends research shows that an overwhelming 92% of bank employees believe privacy and integrity of data and information is an extremely important goal for their organization. Similarly, 89% of these individuals consider compliance and regulations to be an extremely important goal. Figure 4: For your organization, how would you rate the importance for each of the following goals and objectives? Not important at all Somewhat unimportant Neutral Somewhat important Extremely important Privacy and integrity of data and information Abiding by compliance and regulations 92.4% 89.4% Accuracy of the collection of information 89.4% Speed of processing for customers Customer touch and interaction Speed of processing for the organization 25.8% 21.2% 10.6% 28.8% 68.2% 72.7% 56.1% 0% 20% 40% 60% 80% 100% N = 66 Respondents that are agents or work for a branch of a bank Source: Business Process Automation Opportunities for Vertical Markets, InfoTrends 2012 3 An eligible student is one who has reached the age of 18 or attends a school beyond the high school level. InfoTrends 2013 7

Insurance agents surveyed by InfoTrends voiced similar concerns. One way for banks, insurance companies, and other financial institutions to protect customer data is through print on demand. This term is used to describe the act of retrieving and printing documents via the printer or MFP touch screen. When the documents are accessed from a secure network folder, this method can be preferable to sending print jobs from a desktop computer. A number of risks are reduced, including the possibility of the document being seen on the desktop computer, the chance of it being intercepted during transmission, and the likelihood of it being left on the print/mfp output tray. Healthcare The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that requires healthcare organizations to protect private medical information. Under this law, medical institutions cannot release information related to health status, the administration of healthcare, or payment for healthcare that can be linked with a particular person. HIPAA violations can result in costly fines (the maximum annual penalty per violation is $1.5 million), imprisonment, and exclusion from participation in Medicare. Healthcare institutions appear to be taking regulations like HIPAA very seriously. In fact, 95% of medical practitioners surveyed by InfoTrends said compliance with regulations is an extremely important goal for their organization. Furthermore, confidentially of patient data was an extremely important goal for 94% of respondents. The October 2014 mandate for the adoption of an Electronic Medical Records (EMR) system has resulted in a significant increase in scanning activity. Given the privacy issues discussed above, it is crucial that healthcare organizations implement the appropriate MFP and network protections to guarantee that only authorized personnel are accessing the scanned files. There are also ways to restrict access to specific information, trace unauthorized accesses, and encrypt e-mail sent from the MFP. Legal A key concept in the U.S. legal industry is that of attorney-client privilege, where certain communications between a client and their lawyer are considered confidential. While client-attorney privilege laws can differ from state to state, the underlying assumption as that information passed between the two parties is protected. With this in mind, it is not surprising that 90% of law firm employees surveyed by InfoTrends identified privacy and integrity of information as an extremely important goal for their organization, and 84% view compliance with regulations as extremely important, as well. InfoTrends 2013 8

Given that many law firms continue to be highly dependent on paper-based processes, including printing and faxing, they may want to consider a secure print/fax release system, or a fax routing system that directs incoming fax messages to the intended recipient s e-mail inbox or network folder. Figure 5: Do you still maintain a hardcopy file/files of relevant case paperwork? No 3.2% Yes 96.8% N = 62 Respondents that work for law firms Source: Business Process Automation Opportunities for Vertical Markets, InfoTrends 2012 InfoTrends Opinion As more and more documents become digitized, the possibility of these documents being transmitted to unauthorized individuals has increased especially in industries where regulatory compliance is of paramount importance. While this document explores a number of highly-regulated verticals, including education, financial services, healthcare, and legal, the truth is that a wider spectrum of verticals (including government, retail, and manufacturing) could benefit from improved document and data security. It is important for organizations to consider the entire document infrastructure when deciding on the appropriate security plan. This includes their hardcopy document storage systems, their printers and multifunctional devices, and their digital document storage systems (including network folders, cloud services, vertical-specific databases, and mobile devices). If all of these elements of the business are not protected, there is a very real possibility documents will end up in the wrong hands potentially resulting in exorbitant fees, angry clients, or even criminal charges. This material is prepared specifically for clients of InfoTrends, Inc. The opinions expressed represent our interpretation and analysis of information generally available to the public or released by responsible individuals in the subject companies. We believe that the sources of information on which our material is based are reliable and we have applied our best professional judgment to the data obtained. InfoTrends 2013 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information