In August of 2018, a group of researchers at Check Point Research successfully breached a system of computers through a vulnerability in a Hewlett Packard printer and fax machine. The team sent the machine a fax containing malware disguised as an image. The machine stored the document, and the researchers gained access to all the computers on the network.
Some companies that have all-in-one printers but do not use the fax feature may believe that they have nothing to worry about. But the fact that no one monitors incoming faxes means that malicious documents will likely pass through undetected. While HP has patched the vulnerability, other brands may still be suffering from the same issue.
This revelation reopened the conversation about whether fax machines are a secure form of communication for healthcare providers. In spite of being considered outdated technology, an estimated 45 million printer-fax machines are still being used globally, with the National Health Service (NHS) in the UK using about 9,000 of them.
What is worrying is that, according to Yaniv Balmas, a Check Point researcher, the security applied to fax machines was "standardised in the 1980s and has not been changed since". Consequently, he believes that fax has virtually no security measures.
Accordingly, researchers recommend that companies update their fax machines where possible or replace them completely. They could also separate their computer networks into sub-networks and keep their important data disconnected from fax machines.
Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), said government agencies in the U.S. are working towards making healthcare entities "fax free zones by 2020." The CMS aims to work with other agencies to develop a system that ensures an easy flow of health information between patients, healthcare providers and payers.
CMS is currently searching for suitable candidates who can make this possible. The expected final result is that developers can build a user-friendly application that allows Medicare recipients to integrate the data and healthcare services that they trust into one application.