Marin General now spends $15,000 instead of $400,000 to protect its printers from cyber attack
In the increasingly chaotic world of healthcare cybersecurity, where there is no shortage of threat vectors, Marin General knew it needed to begin addressing the security risks presented by its printers.
"Printers combine the characteristics and threat landscapes of both IoT and servers, so they are unique," explained Jason Johnson, Marin General's information security officer and president of the HIMSS Northern California Chapter.
"We already had security software productions in place, like vulnerability management software, security information event management software and others, but those solutions did not include printers," he said.
Those technologies are not developed for the unique challenges presented by the non-standard IoT characteristics of networked printers, he added.
Because there are more than 60 models in Marin General's fleet of less than 1,000 devices, none of the printer manufacturers' software would cover the whole fleet, either, even if the provider organization had someone available and assigned to operate it.
Finally, the healthcare organization did not have any employees or contractors to even attempt a manual effort.
So Marin General turned to vendor Symphion, a longtime vendor for Marin, and the company's specialized print fleet cyber security technology, called Symphion Print Fleet Cyber Security as a Service. It was the only technology the provider organization found that could perpetually cyber-harden and compliance-report on all of the organization's printers, regardless of make, model, type or age.
"A turnkey service solution to manage, develop and address print fleet security configurations and compliance reporting for our whole fleet," Johnson said. "The solution inventories all imaging devices including security settings, or configurations. Each setting, including its state, is identified for security worthiness. Relevant settings are tagged and classified across Symphion best practices and five leading industry standards."
"Printers combine the characteristics and threat landscapes of both IoT and servers, so they are unique."
Jason Johnson, Marin General
A gold standard is established and the fleet is hardened to that gold standard, remotely monitored hourly and remediated daily to that gold standard, Johnson explained.
"The business outcome for us is an evergreen inventory of all imaging devices, lifecycle management of all imaging devices in the fleet, perpetually cyber hardening to our chosen gold standard, monthly automated compliance reporting to meet our needs, the availability for on-demand reporting, and insulation against changes in the fleet's makes or models," Johnson said. "Plus, no employees or contractors required."
Some vendors provide cyber-hardening services for printers like Symphion, while others build cybersecurity protections into their printers. Different vendors take different approaches. Some of these vendors include CynergisTek, HP, IBM, MCPc Imaging and Printing, Ricoh and Xerox.
MEETING THE CHALLENGE
Symphion, on Marin General's direction, is taking a phased approach to security configuration "turn-up" on the print fleet as the provider organization phases in print fleet cyber security.
"The vendor's concierge service is turnkey and seamless – we do nothing," Johnson explained.
Marin General has been able to completely focus on its advanced IT capabilities and services and gain an even bigger competitive advantage in an increasingly competitive healthcare market, Johnson said.
"We knew that cyber hardening all our printers, bringing them into change control and compliance reporting were what we had to do," he added. "Even with our print fleet of less than 1,000 printers and around 60 models, for us to try to manually do what Symphion does would easily have run us in excess of $400,000 per year for only a fraction of what they provide and would have been wholly ineffective."
Plus, the skill sets of printer security configuration experts are not available anywhere, Johnson contended.
"And, even then, the process would still have been full of human error," he said. "We would have been forced to continue not to address our print fleet. Symphion provides us with everything for less than $15,000 a year, all inclusive. With that ROI, not even considering the costs associated with a breach or fine for not taking action, it was a no-brainer."
ADVICE FOR OTHERS
"You can't ignore your print fleet security or compliance," Johnson advised. "As an information security officer, the security of the network is ultimately your responsibility and even though the initial reaction is to view printers as someone else's problem, the responsibility remains on your shoulders."
At the end of the day, he added, it is important to remember that printers – and the IoT in general – are the juicy underbelly of most networks.