Are document scanners and other ‘scan to email’ devices really secure?
Most businesses today depend on email, and it has become one of the top sources of infections and identity theft. It should be no surprise that email is not always private; it can be one of the least secure methods of communication. Emails are stored in multiple locations: the sender’s computer, your ISP’s server, and the receiver’s computer. When a document is scanned to a computer and then sent as an email, the document is attached to a new email message, which is sent through the client’s email application to the recipient. The mail servers involved allow firewalls and antivirus software to scan the outbound email and its attachment, as well as create a trail of what was sent and when. Nowadays, in the digital age, most copiers and multifunction printers (MFPs) come with the ‘scan to email’ feature, allowing a document to be scanned and converted to a PDF that can be emailed directly from the device itself. However, there is no regard for encryption or password protection, which raises the question: how secure is the ‘scan to email’ feature and the attachment being sent?
The devices used to send documents to email transmit the data in clear text by default, allowing it to be easily intercepted by unintended outside parties and possibly exposing sensitive information. Scanned documents are not encrypted automatically. Many of the devices with the ‘scan to email’ feature do not support email encryption, and the device as well as the recipient must be specifically configured to use Transport Layer Security (TLS) encryption to email scanned documents. TLS encryption allows the server and the client to authenticate each other and agree on an encryption key before exchanging data. Most scanners and ‘scan to email’ devices are not configured with TLS encryption, which poses many risks. These devices should be reconfigured to use the ‘scan to folder’ feature rather than the ‘scan to email’ feature. For users, scan to folder is much safer and lets them share the scanned file using an encryption tool instead of emailing it directly from the device itself. Here are some reasons why the ‘scan to folder’ option is more secure than ‘scan to email’:
- Files scanned to email do not guarantee encrypted delivery
- Files scanned to a folder and then attached to an Outlook email message can always be secured using third-party email encryption tools
- Emailing scanned documents can be better controlled and tracked through ‘scan to folder’
- The ‘scan to email’ feature requires MFPs and other devices to have outbound Internet access over unsecured ports
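One way to check whether devices are relaying scans in clear text is to read the mail relay's own logs. The following is an added example, not part of the original article: it assumes a Postfix relay with `smtpd_tls_loglevel = 1`, and the log lines, hostnames and queue IDs are constructed.

```python
import re

# Constructed sample of Postfix smtpd log lines (not from the original article).
# Assumption: smtpd_tls_loglevel = 1, so completed TLS handshakes are logged.
SAMPLE_LOG = """\
Mar  4 09:12:01 relay postfix/smtpd[2101]: connect from mfp-lobby.example.internal[10.20.0.15]
Mar  4 09:12:01 relay postfix/smtpd[2101]: 4F1A22C0D3: client=mfp-lobby.example.internal[10.20.0.15]
Mar  4 09:12:02 relay postfix/smtpd[2101]: disconnect from mfp-lobby.example.internal[10.20.0.15]
Mar  4 09:15:40 relay postfix/smtpd[2107]: connect from mfp-hr.example.internal[10.20.0.22]
Mar  4 09:15:40 relay postfix/smtpd[2107]: Anonymous TLS connection established from mfp-hr.example.internal[10.20.0.22]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 09:15:41 relay postfix/smtpd[2107]: 7B3C91E0A8: client=mfp-hr.example.internal[10.20.0.22]
Mar  4 09:15:41 relay postfix/smtpd[2107]: disconnect from mfp-hr.example.internal[10.20.0.22]
Mar  4 09:20:05 relay postfix/smtpd[2101]: connect from mfp-hr.example.internal[10.20.0.22]
Mar  4 09:20:05 relay postfix/smtpd[2101]: Anonymous TLS connection established from mfp-hr.example.internal[10.20.0.22]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 09:20:06 relay postfix/smtpd[2101]: 9D0E55A1B7: client=mfp-hr.example.internal[10.20.0.22]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUED = re.compile(r"^([0-9A-Za-z]+): client=(\S+?)\[([^\]]+)\]")

def cleartext_submissions(log_text):
    """Return (queue_id, host, ip) for each message accepted without TLS."""
    tls_by_pid = {}   # smtpd process id -> TLS seen on its current session
    findings = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            tls_by_pid[pid] = False            # new session, pid may be reused
        elif "TLS connection established from " in msg:
            tls_by_pid[pid] = True
        elif msg.startswith("disconnect from "):
            tls_by_pid.pop(pid, None)
        else:
            q = QUEUED.match(msg)
            # A session whose start was not logged is treated as cleartext.
            if q and not tls_by_pid.get(pid, False):
                findings.append(q.groups())
    return findings

if __name__ == "__main__":
    for queue_id, host, ip in cleartext_submissions(SAMPLE_LOG):
        print(f"cleartext submission {queue_id} from {host} [{ip}]")
```

This only shows whether the hop from the device to the relay was encrypted; delivery from the relay onward to the recipient's server is a separate connection with its own log entries.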
Overall, scanning to a folder is much safer and more reliable than scanning directly to an email. There is a huge security risk with scanning to an email because the Internet access required to do so presents many threats. Many failures may occur, go undetected, and remain unknown to the sender. When using the ‘scan to folder’ option, if the document fails to arrive at its destination, it isn’t floating around in cyberspace waiting for unintended recipients to pick it up.
Due to the lack of security in ‘scan to email’ devices, it is crucial to implement a solution that offers the necessary security features to eliminate concern. Our recommendation is to use a secure scanning method to avoid mistakes. Some companies choose to classify documents based on their sensitivity to determine if they are safe to send using scan to email. Safeguarding specific information is not only good practice for companies, their clients, and their employees; it is often required by law. Many industries, including healthcare, government, and financial services, must comply with certain regulations when dealing with private, sensitive information. Some federal industry regulations include:
- The Gramm-Leach-Bliley Act (GLBA): requires all financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data
- The Health Insurance Portability and Accountability Act (HIPAA): a US law that provides data privacy and security protection for medical information
- The Health Information Technology for Economic and Clinical Health (HITECH) Act: states that all personal health information should be made “unusable, unreadable, or indecipherable to unauthorized users”
All of these acts work to protect the security, integrity, and confidentiality of a customer’s or patient’s information. A handbook on information security best practices created by the Federal Financial Institutions Examination Council (FFIEC) was released to inform financial institutions of the use of encryption to mitigate the exposure or modification of private information during storage and transit. Although we have these regulations and laws in place to keep sensitive information safe, it is still an ongoing challenge. As technology advances, so do security threats, data breaches, and identity theft. Always be conscious of the regulations as well as the advantages of protecting the most used form of communication in business today: email.
Here at Simplified Innovations we have designed a proven solution to the security risks associated with ‘scan to email’. This solution not only ensures security of scanned information for our clients and their clients, it also simplifies the process of scanning.