Fax may seem like an archaic form of communication, but it’s still widely used in several industries. Fax machines pose an increasing risk to cybersecurity, so why are people still using them?
In healthcare, fax is a heavily used method of communication and there’s several reasons why the healthcare industry still depends on fax—government regulation. A common interpretation of HIPAA has lead many in healthcare to view fax as the most acceptable medium for transmitting protected health information (PHI) electronically. Though email can now be encrypted, most offices continue to fax because the process is simpler. In fact, the use of fax in healthcare is so prevalent that CMS Administrator, Seema Verma, recently called for a total end to physician fax machine use by 2020.
Though standalone fax machines are rare, the fax function present in common all-in-one printers is a big cybersecurity threat. In a recent report, Check Point researchers demonstrate vulnerabilities in Hewlett Packard all-in-one printers proving that all companies should reevaluate their IT infrastructure to ensure they’re following industry best practices to protect their data and business.
By faxing lines of malicious code disguised as an image file to printers, hackers can exploit the fact that no one usually checks content received over fax. The file then can be decoded and stored in the printer’s memory, which allows hackers to take over the machine and eventually infiltrate the entire computer network connected to the printer.
“Faxploit is far worse than any of the theoretical Spectre or Meltdown Attacks,” says Seth Majors, Director of Service Delivery at Onepath. “Once exploited, fax machines can be used as a beachhead into the rest of your organization.”
If you’re currently using a fax machine or all-in-one printer, here are some ways to protect yourself:
- Patch Your Software – If available, work with the manufacturer of your printer to update the device’s firmware and mitigate the vulnerability.
- Protect Your Network – Place vulnerable devices on a network that is separated and protected from your critical infrastructure.
- Remove Your Device – Unless you need to send a fax, unplug the device from the phone line. If the device is required to always be available, then unplug the device from the network and patch as soon as it becomes available.
To maintain a high level of IT hygiene, stick to a frequent patching schedule and ensure proper segmentation of your infrastructure. If you have an HP printer, click here for a list of effected models and the firmware needed to protect them.
For a general look at your organization’s information security, take our cybersecurity self-assessment now.