Treading the Line Between Security & ProductivityBy Eileen Feretic | Posted 2014-09-08 Email Print
Baptist Health's security plan encompasses two key issues: making printers secure and making security easy to implement so it does not decrease productivity.
"There's a thin line between security and productivity," said Brad Nelson, IT manager at Louisville, Ky.-based Baptist Health, at an HP security-related event in New York City. "Our environment must be secure, but it must be productive as well."
On the security side, Nelson has taken things a step further than protecting just desktops, servers and networks. He is also in the process of securing approximately 3,000 printers at the health care organization's seven hospitals and more than 300 outlying facilities, which include clinics and physicians' offices.
As a health care organization, Baptist Health's primary concern is safeguarding patient privacy, but, in the past, securing printers was not a main focus. That changed quickly, according to Nelson, when industry reports revealed that some old multifunction printers with confidential information on their hard drives were found in landfills.
Realizing that printer lifecycles created potential security and privacy problems, "printing was immediately raised to a top priority," he stated.
"Hackers go for the path of least resistance," pointed out Ed Wingate, HP's vice president of solutions, LaserJet & Enterprise Solutions. So unsecured equipment like a printer or multifunction device can threaten the entire network. Companies need to protect the network and all the devices on it, as well as the stored documents, he added.
To deal with this critical issue of printer security, Nelson asked HP for help. They assessed Baptist Health's print environment, and, together, they developed a plan that dealt with two key issues: making printers secure and making security easy to implement so it did not negatively affect employee productivity. Nelson then began deploying HP Imaging and Printing Security Center (IPSC) systemwide.
The organization's plan encompassed security policies, password management, authentication, network security, certificates, and both device and data protection, including encrypted hard drives, file-erase software and lifecycle management.
Including embedded devices in a security plan is essential, according to another participant at the HP event, Jonathan Pollet, founder and director of Red Tiger Security, a multinational IT security practice that focuses on critical infrastructure protection. He stressed the danger of unsecured devices. "Unmanaged embedded systems led to the Target security breach," he said.
Pollet urged organizations to actively monitor and manage their entire IT infrastructure, even rogue devices and systems purchased without the IT organization's knowledge or approval. "Companies need to carefully set up all security settings, features, capabilities, policies and protocols," he said.