Building cyber resilience: Enhancing MemorialCare's fax security

MemorialCare is a non-profit health system in the heart of Southern California. With an expansive network that includes four hospitals, two medical groups, and various specialty centers, MemorialCare has established itself as a leader in delivering comprehensive care. Serving the evolving needs of communities in Orange and Los Angeles counties, they are known for their innovative approach to healthcare, constantly seeking new ways to enhance patient care and operational efficiency.

Overview: Addressing Security Flaws in Fax Protocols

Fax machines and multifunction printers (MFPs), while essential in healthcare, have significant security vulnerabilities. They are often connected to IT networks without adequate firewalls, allowing hackers to exploit them as backdoors. The tactic (called “faxploit”) is alarming because all that’s required is a fax number.

Techio partnered with MemorialCare's IT Security Management and Compliance Department to address critical security vulnerabilities associated with their fax protocols. This initiative was both a technical necessity and a strategic move to prevent potential cyber threats.

Challenge: A Centralized System

Similar to many organizations navigating complex technological environments, MemorialCare faced an operational challenge: the need for a centralized system for managing enterprise input and output devices. The gap in identifying and updating vulnerable fax machines and MFPs threatened the integrity of MemorialCare's IT infrastructure and risked the health system's compliance with HIPAA regulations.

Solution and Implementation: Strategic Cyber Defense

Techio initiated the Faxing Cybersecurity Challenge Mitigation Project. This strategic approach aimed to mitigate the risk of infiltration through faxploit, a vulnerability that could allow unauthorized access to the healthcare system's network.

Critical Steps in Implementation:

  1. Identifying Vulnerabilities: We identified all fax-capable devices within MemorialCare's network that are susceptible to faxploit attacks.
  2. Security Patching and Firmware Updates: For devices identified as vulnerable, we implemented the latest security patches and firmware updates, effectively closing the security gaps that could be exploited.
  3. Device Replacement and Digital Faxing: In cases where outdated devices could not be secured through patches or updates, we replaced them with advanced, secure, fax-capable MFPs. Additionally, Techio introduced digital faxing solutions, reducing the risk by eliminating the need for traditional fax machines.

Securing Long-term Vigilance

Our commitment went beyond the initial project completion. Aware of the ever-shifting nature of cybersecurity threats, Techio implemented a robust and compliant framework for MemorialCare's fax machine and MFP protocols. This ongoing strategy includes:

  • Continuous Monitoring: We established protocols for ongoing network surveillance to identify and mitigate emerging threats promptly.
  • Regular Updates and Patches: We ensure all communication devices and systems are up-to-date with the latest security measures to prevent potential vulnerabilities.
  • Education and Training: We provide regular training sessions for MemorialCare staff to enhance awareness and understanding of cybersecurity best practices.
  • Adaptive Security Measures: We developed a flexible security framework that can quickly adapt to new technological advancements and threat landscapes.

Value: Future-Proofed Security Strategy

Through a comprehensive approach, Techio addressed the immediate vulnerabilities and laid the groundwork for a more secure, compliant healthcare communication network. By focusing on eliminating the root cause — outdated and unsecured devices — Techio's effort extended security patches and firmware updates to all multi-function devices on the health system network, not just fax machines and MFPs. This ensured that MemorialCare's operations were safeguarded against potential cybersecurity threats, reinforcing the health system's commitment to patient data security and regulatory compliance.