Most of you likely know that printers, scanners, and multifunction devices have been a weak link for cybersecurity for many network administrators. There are several reasons for this.
First, like many networked medical devices, there was no built-in process for software updates, so when a security vulnerability was identified, few devices received patches. Second, since many of these devices were designed to allow for printing over the internet, they had "doors" open that were easily exploitable from outside the network. Third, many multifunction devices use shareware or open-source software as part of their architecture. While this is a practical solution from a development perspective, it leaves the devices exposed to vulnerabilities that are later discovered in the public code, with few options for owners to patch them.
But there is yet another weakness in these devices that often get overlooked, and it involves the disposition process. A friend of Acentec recently relayed an experience they had at another company. This company had suffered a ransomware attack and had it not been for their offline backups, it may have wiped them out. The company hired a cyber forensics team to identify the point of entry into their network, and it turns out the hackers gained access through their wifi router. They discovered the attacker obtained their password from a printer they had disposed of 5 years earlier, and since their wifi password hadn't changed, the hacker used that information to get on their network and launch the attack.
There are two takeaways from this story. First - it's a good idea to routinely (we recommend annually) change your wifi passwords. Second, there's a reason why proper asset disposition is a HIPAA requirement. Whether you're getting rid of workstations, network gear, medical devices, or printers, it's essential a formal process be followed. If this isn't something you want to tackle internally, Acentec and others offer this service to clients.
The cybersecurity alarm bells have been ringing loud and often recently. Please keep cyber-hygiene front and center in the minds of your staff, especially as we head into the holiday season.