With the dramatic increase in volume of sensitive confidential information in electronic form, various government-sponsored security regulations tie together the security and integrity of technological systems and processes. Technology security has become critically important as various organizations and businesses use their electronic systems to comply with government regulations. Recent laws and regulations include:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • Sarbanes-Oxley (Financial Accounting)
  • Gramm-Leach-Bliley Act (Finance)
  • Federal Information Security Management Act of 2002 (FISMA) and FDA 21 CFR Part 11 (Food and Drugs)
  • ISO 15408, also known as Common Criteria

In response to these regulations, Konica Minolta is taking the lead in developing and implementing security-based information technologies in multi-function office machines. Ever since the introduction of the first Konica Minolta MFP, Konica Minolta has strived to develop and implement technologies that safeguard the confidentiality of electronic documents. With the rising popularity of network-connected office machines for printing and scanning, people in various industries will increasingly look to MFPs as an efficient and cost-effective method of distributing, storing and receiving sensitive electronic information. Security measures for Konica Minolta MFPs can easily be adopted for use in a wide range of industries where electronic document security is important. This requirement will grow more relevant as the trend towards electronic storage and maintenance of sensitive information continues. Whether installed in a small office as a workgroup device or in a large hospital as a departmental workhorse, Konica Minolta MFPs can provide the security, reliability and stability that healthcare professionals demand and require.

This document will discuss IT related security initiatives and explain how Konica Minolta MFPs comply with the various rules and regulations set forth in HIPAA (Health Insurance Portability and Accountability Act) legislation.

What is HIPAA?

HIPAA is a law passed by Congress in 1996; its intention is to protect basic personnel information related to healthcare privacy. The law was also intended to streamline healthcare document management practices by providing a set of rules for electronic document management, related to the privacy of the patient and the accountability of the healthcare provider.

With the passage of HIPAA, healthcare related facilities are concerned about HIPAA regulations and how they apply to the security of Multi-Functional Printers (MFP) printing, copying, faxing and scanning functions in the office. In addition to the healthcare industry, many organizations are aware of this emerging trend for electronic document storage, and are concerned about security issues related to electronic document distribution.

Security regulations have recently come into effect for both large healthcare providers (2005) and for small healthcare providers (2006).

To achieve HIPAA compliance, a healthcare organization must implement technical, administrative and physical safeguards to protect the security and integrity of patient healthcare information.

Many healthcare providers are asking if the MFP is “HIPAA Compatible”. To date there is not an official designation for being “HIPAA Compatible”; the correct question is: How can the MFP help my organization comply with the HIPAA Security Rule? And more specifically: how can the bizhub MFP comply with the technical requirements of the Security Rule?

This white paper will review how Konica Minolta multi-functional devices offer a broad range of features supporting individual privacy and security rights. Major security features included in Konica Minolta bizhub MFPs are:

User Authentication / Account Job Tracking:

Konica Minolta devices (as standard factory equipment) offer the feature of User Authentication and Account Job Tracking by user (accountability). This is standard in most current models.

Password Protection:

When programmed, the device can be set up to allow copies or prints only by users who have a valid password or account number. Users who do not possess a valid password or account number cannot make a copy or produce a print.

Account Tracking:

When Account Track is turned on, Konica Minolta MFPs (Multi-Functional Devices) can track detailed print usage by an individual’s credentials or account information.

Document Tracking:

When enabled, Konica Minolta bizhub MFPs can track prints by user name, time of the print, and how many copies were produced. In addition, this detailed information can be downloaded electronically from the machine to a desktop computer and imported as a common data file into popular applications such as Microsoft Excel. This feature allows healthcare administrators to track individual usage by who printed a document, the name of the file, when it was printed, and how many copies were produced.

On most bizhub OP based products, an administrator can view the actual documents that a user printed, copied, faxed, or scanned.

As a walkup electronic distribution device, Konica Minolta MFPs offer the ability to store scanned, faxed and printed documents in a password-protected electronic mailbox. To secure this function against user error, Konica Minolta devices can be programmed to automatically reset after a fixed period of inactivity. For example, a healthcare worker logs into an MFP with a unique user ID and password, scans a file to a secure mailbox and walks away, forgetting to log out of their session at the device. The MFP would detect no user activity and after 30 seconds reset itself to the password-protected log-in state.

The final HIPAA Security Rule was published on February 20, 2003. The rule details several standards and implementation specifications for protecting health information related to IT, technology and systems that contain Private Health Information. Contained in this paper is a list of these standards and implementation specifications and how Konica Minolta MFPs comply.

The HIPAA Security regulations are applicable to Electronic Protected Health Information (ePHI) and not for traditional office communications such as facsimile or telephone. As one can imagine, the Standards and Implementation specifications are general in nature and open to interpretation. It is also important to note that many of the Security specifications are not related to Technology but to HR and other areas of compliance. For example, there is a required specification, which calls for workforce sanctions for violations of security policies and procedures.

It is also important to know the difference between Required and Addressable specifications:

Required – Measures include workforce sanctions for violations of security policies and procedures, a data backup plan, unique user identification access controls, device and media disposal procedures, and person or entity authentication procedures.

Addressable – Covered entities must first assess whether each addressable specification constitutes a “reasonable and appropriate safeguard” in its environment, based on the specification’s likely contribution to protection of electronic PHI. If the entity determines that an addressable implementation specification is reasonable and appropriate, it must implement the measure. If it determines the opposite, then it must document that decision and implement an equivalent alternative measure, if reasonable and appropriate.

The Security Rule sets forth security standards that define administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic Protected Health Information (“ePHI”). Subpart C of the Security Rule sets forth eighteen security standards that must be implemented through thirteen “required” implementation specifications or twenty-two “addressable” implementation specifications. Although the majority of the Standards do not apply to Digital Office MFPs, we list all of the standards and implementation specifications at the end of this document for the convenience of the reader.

HIPAA Security Standards that are applicable to Konica Minolta bizhub Multi-Functional Machines.

Listed below are Standard features on Konica Minolta bizhub MFPs that satisfy specific HIPAA Security Specifications (the Standards and Specifications are in Blue/Italics):

Access Control, Technical Safeguards

The following functions satisfy the HIPAA Security Specification, Access Control Section Technical Safeguards (Section 164.312): (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec.164.308(a)(4).

(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/ or number for identifying and tracking user identity.

Secure Printing

Konica Minolta MFPs offer a standard feature called Secure Printing. This feature gives the user sending a print job the ability to hold the job in a secure electronic mailbox until that person walks up to the machine and releases the job by inputting a unique, secure password at the control panel of the MFP. This password is input by the user when they submit a print job from the PC workstation. This process ensures that only the sender of the job can access an electronic document that contains ePHI. In addition, those MFPs equipped with a hard drive have the ability to store electronic PHI inside the system. When these documents are stored, either by sending them from a PC or by scanning them in at the copier, users cannot retrieve the document unless a secure password is input at the copier’s control panel.

Below is an example from the bizhub 361 print driver showing the Secure Print Function.


From here the User inputs their Secure Print ID and Password.


This is an example of the control panel of the Konica Minolta bizhub 421 where there is a “Secure Print” waiting to be released:


User Authentication and Account Tracking

Konica Minolta bizhub MFPs come standard with the ability to enable User Authentication. When this function is enabled, a user is required to input User Name and Password before they are granted access rights to make a copy, send a print, or perform other functions at the MFP. If a user does not submit or enter the proper credentials, the print job submitted will not be printed. If a user does not enter their ID and password at the copier control panel, they will be denied access rights to the system. When logged in, the user’s activities are electronically recorded onto a log file inside the system. Only an Administrator or Key Operator can access this file. This is a very popular feature for many customers, who use this to bill departments and audit individuals’ copier activities. The User Authentication process can even be connected to Windows Active Directory in real time, which makes User Administration for bizhub MFPs a non-issue for IT personnel.

This is an example of the secure User Authentication access screen from the Konica Minolta bizhub C452 control panel:


This is the User Authentication dialog box for the Konica Minolta bizhub 361 print driver:


Notice that there are fields to input the User Name, Department Name and Passwords.

When equipped with a hard disk drive, some Konica Minolta devices support walk-up scanning and storage of documents to the MFP’s internal hard disk drive. This application is popular for users who would like to store frequently used jobs for later recall and printing. This function is commonly referred to as scanning or printing to a “Mailbox”. On Konica Minolta MFPs, mailboxes are password protected. A user must set up a mailbox using a unique password in order for the user to store a job into a mailbox storage folder in the internal hard drive.
