Posted in Breaches

Another great reason for healthcare providers to phase out fax machines

Chris Nerney
Chris Nerney, Contributing Writer |
Another great reason for healthcare providers to phase out fax machines

Fax machines make it hard for healthcare providers to share patient data in the digital era, which is why the Centers for Medicare and Medicaid Services (CMS) recently announced a goal to make hospitals and private practices fax-free by 2020.
Here’s another incentive for providers to ditch those archaic, noisy machines: They can be breached by hackers to attack a network.
Researchers from security vendor Check Point Software Technologies say they have uncovered a vulnerability in the ITU T.30 fax protocol that could be used to gain access to digital networks.
“A fax number is the only thing required to carry out the attack,” Check Point said.
Though most industries have phased out use of the fax machine as email and other digital communication methods have become ubiquitous, they still are heavily used in the healthcare industry for a number of reasons.
These reasons include lack of interoperability between provider electronic health records (EHR) systems, HIPAA requirements for guarding patient privacy that make fax machines a safe regulatory choice for transmitting data, and competitive disincentives to digital data sharing (if other doctors have your patient’s health data, that patient may switch to another provider).
All of which makes healthcare providers particularly vulnerable to fax attacks.
Describing how it conducted its “Faxploit” research, Check Point writes,
“With merely a fax number as its sole piece of information, our team of researchers was able to penetrate though the vulnerabilities inherent in the fax protocol to gain access to an entire IT network.”
Check Point stressed that no type of fax machine was safe from hackers.
“While this research focused on all-in-one printer fax machines, the same communication protocols apply to all fax machines from all vendors, and the same vulnerabilities likely lie in these devices too,” the company said.
For organizations such as those in the healthcare industry that are still reliant on fax machines, Check Point offers some security advice.
“One of the best ways to protect your organization from attacks that could come from fax machines, and many other types of attack is through the segmentation of your network,” researchers say. “So, if you do not want to disconnect your printer-fax machine, then at least make sure it is placed in a segmented area. By doing this, even if it does become compromised the attacker will not be able move laterally and infect other parts of your IT network.”