Healthcare’s Continued Dependence Upon the Fax Comes with Risk

Original Article by Sean Hughes, EVP of Managed Print Services, CynergisTek
March 5, 2019

Fax technology has been around for a very long time; its history traces back to 1843, when Alexander Bain received a British patent for the technology that would eventually become today’s fax machine. It took the fax machine quite a while to work its way into the business world, but according to Higgins International’s “History of the Fax Machine,” between 1973 and 1983, the number of fax machines in the United States increased from 30,000 to 300,000. By 1989, the number had jumped to 4 million.

A RingCentral blog post by Jemma Garrett from March 2013 references an infographic that counts more than 17 million fax machines in the U.S. alone. The key takeaway is that the number of fax machines has continued to grow even with the increased use of alternative information-sharing technologies.

While these numbers don’t specifically show how heavily healthcare as an industry relies on fax as a communication technology, several other sources of data give a feel for that. According to recent studies, fax machines account for 75 percent of all medical communication even after the rush to implement EHRs.

Why is this an issue? Why should this be a concern? Healthcare is housing and transmitting more data than ever before, with a large percentage going via fax. Add to this that there is an assumption that fax is secure. But is it really?

Fax Machines Aren’t Secure

It was long thought that the only way to exploit fax technology was to gain physical access to a fax machine or fax line. That is no longer the case, as evidenced by the results Check Point Research published in its 2018 report, “Faxploit: Sending Fax Back to the Dark Ages.” The researchers identified vulnerabilities in fax technology that allowed someone to send a fax machine an image that included the needed code, such as that used in the WannaCry or NotPetya attacks, to exploit that device and gain entry to an organization’s network, all without ever physically touching the device or the fax line.

This means that all the effort over the last several decades to integrate fax technology into our infrastructure and operational processes now poses a very real vulnerability to healthcare. Technology advancements have enabled legacy fax capability to be more connected to networks, and organizations have integrated connected fax into clinical and business workflows and processes to “ease” the sharing of information. This means that not only do the individuals with bad intentions have easier access into our systems, but they have access to a treasure trove of more data.

This access to our systems and data poses not just a security risk but also a significant privacy issue. A previously assumed secure transmission protocol is now known to be remotely vulnerable, yet several core processes, both internal and external to medical providers, still rely on this technology. Adding to the complexity of the issue and the difficulty in moving away from fax is that clinicians are reluctant to change. In October 2018, an article by Advisory Board reported that when one health system sought to require providers to send patient information digitally rather than by fax, some physicians threatened to refer their patients elsewhere.

How to Make the Fax More Secure Online

Ultimately, the goal is to move away from fax as a method of transmission and communication, and the ability to integrate and communicate directly with core systems is the way to get there. However, it is not wise to simply wait for that.

In December 2018, the U.K. Secretary of State for Health and Social Care, Matt Hancock, announced that he would ban fax machines from the National Health Service (NHS) by 2020. This is quite a lofty goal, and a particularly dramatic shift considering the NHS once led the world in purchasing this outdated technology.

While most healthcare organizations cannot make such a bold commitment to immediately remove this technology from their day-to-day operations, there are somewhat simple approaches to help mitigate the risk. These devices should be treated just like any other computing or printing device from a security and privacy perspective, including:

    • Obtaining a full inventory of all devices, whether connected to the network or not
    • Assigning singular ownership of devices and their management and maintenance
    • Performing an assessment of the devices to determine compliance with patch levels for firmware and other software
    • Including the devices and associated workflows in risk assessments
    • Identifying processes requiring transmission or receipt of sensitive or protected information and evaluating alternative solutions already in existence
    • Implementing mitigation controls and periodically reassessing to track remediation efforts of identified risks

Recognizing that these devices are in the organization, that they process a significant amount of data, and that they are vulnerable should be enough to make clear that it is imperative to take the necessary steps, just as with all other endpoint devices connected to the network.

Sean Hughes is EVP of managed print services for CynergisTek.
