PITTSTON — Could the office copy machine pose a threat to the security of staff or clients?
Yes, says a local expert.
A 2010 CBS investigative report revealed that a hard drive from a digital office copier from Affinity Health Plan Inc. was repurchased and found to contain nearly 344,579 confidential medical records. The copier’s hard drive was never scrubbed, or erased.
Due to the data breach, Affinity Health was found to be in violation of HIPAA Privacy and Security Rules and fined $1,215,780 in 2013.
Stories like this concern Carmen Pitarra, owner of 4 The Office, a business-to-business office supply service in Pittston. He said digital copiers and multi-functional devices contain internal hard drives that allow the devices to multitask. Although most devices have disk encryption, breaches such as the one at Affinity Health can occur.
To prevent a repeat, Pitarra is trying to educate his clients on industry security measures and how to use them.
“We are not like ‘the sky is falling’ because it is not,” Pitarra said. “The industry has done its job in creating security measures and kits. We want to raise awareness.”
Data breaches can happen easily, he said.
• Step one: a business leases a digital, multi-function copier.
• Step two: overwriting or hard drive clearing options are not utilized, which allows every document scanned, copied, printed or faxed to be saved to the hard drive.
• Step three: when the lease expires or the machine reaches its end-of-life, the hard drive is not scrubbed or replaced. All information, from payroll to clients’, travels off with the copier to a new owner, which could be overseas.
“Sixty to 70 percent of leased digital copiers are remarketed,” Pitarra said. “In today’s data-driven world, information can be easily obtained if the safeguards are not used.”
The copier’s hard drive is similar to that of a laptop, he said, and can be removed. The information could be accessed through a hard-drive reader, available online starting at $16.95.
Large corporations have become aware of potential data security breaches and implemented a variety of precautions, including having incoming jobs held until the recipient enters a pass code or swipes a card to release the information, Pitarra said.
“It is the small businesses I am worried about,” Pitarra said.
The local dentist’s office, small car dealership or independent financial advisors who may not have access to an IT department are the ones more frequently at risk, he said.
Many manufacturers have a standard security feature called “Hard Disk Image Overwrite,” which, if turned on, can erase images on the hard drive after every print job. A report will print confirming a successful overwrite.
Don Nelson, chief technology officer with Luzerne County Community College in Nanticoke, said their security policy requires hard drives to be removed from the machine before it can be taken from the campus. Hard drives are then disposed of.
“One way to destroy a hard drive is to take a drill and put holes through the middle of it,” Nelson said.
Pitarra said his staff is trained to remove the hard drive and give it to the business owner before removing the machine from the property. A new hard drive is installed with the proper firmware, which is the programming to make the copier operational.
Pitarra said he has been considering placing a sticker on his machines with hard drives so that business owners are aware and take data security precautions.
Not every copier has a hard drive
It is important for business owners to know what kind of copier they have and whether or not it has a hard drive. Pitarra and Nelson advise owners who are not sure to contact the manufacturer or a licensed technician.
Melissa Werner, executive director at the Hoyt Public Library, said the library’s printer — used for a variety of purposes by the general public — does not have a hard drive.
“When we purchased our copier, we chose one that did not have that feature,” Werner said.
A store representative from the UPS Store in the Gateway Shopping Center in Edwardsville stated the copiers and fax machines within the store are designed for public use and “do not have a memory and do not store any information.” The highly used copier and fax machines are leased through an independent company through the United Postal Service.