WARNING: Your Fax Machine Could be used to Hack You!

American businesses have used fax machines to transmit images via telephone lines since the late 1980s. Now, almost forty years later, many organizations are still relying on these workhorses to do business. As of 2015, about 46.3 million fax machines were still in use, of which 17 million are believed to be operating in the United States. With so much new, cutting-edge technology available at our fingertips today, we’re still relying on antiquated technology, that could put your organization at risk and vulnerable to a hack. This is a huge problem – especially if you work with PHI!

A study shows just how vulnerable fax machines are

People assume that since fax machines have served businesses for forty plus years and have never posed an issue before, they’re not a cybersecurity risk. Surely these dinosaurs could never be the root cause of a cyber attack like a crippling network virus! Oh, could they ever be!

A recent study indicated that fax machines may pres­ent an opening where hack­ers can in­fil­trate an or­gan­i­za­tion’s net­work. The report showed that cybercriminals can infiltrate any home or corporate network by exploiting all-in-one printer-fax machines. Hackers can send an image file over the phone line that contains ma­li­cious soft­ware. That image file lets them take con­trol of the de­vice and ac­cess the rest of the net­work, enabling them to insert a virus or ransomware of their choosing. All the hackers need is a fax number to gain access to the entire corporate network. Think about how easy it is to find out a company’s fax number, and you quickly realize how vulnerable your organization may be.

Protecting clients’ PHI when faxing

If you must use a fax capability, keep these pointers in mind:

  1. Consider using a more secure way of transferring information, like efax, secure email or postal mail. Check out our blog on HIPAA compliant email encryption. If you must fax, be sensible about the information you send.
  2. If you have to fax PHI, only send the information that is important for the claim or the issue at hand.
  3. Always use a cover letter to avoid casual reading.
  4. For any new recipients, send a test fax before sending the actual document.
  5. Locate all fax machines in a secured room that is only accessible to employees.
  6. Use a secure, dedicated fax machine for transmitting PHI. Do not publish this number on your website or business card.
  7. Configure your fax machine so that it does not save any copies of information you have sent.
  8. If you are using a traditional fax machine, pre-program important or frequently used numbers to avoid sending faxes to the wrong recipients. Make sure the recipient of the PHI is aware the fax is coming and is waiting by the fax machine.
  9. If your fax machine can’t support a soft­ware up­date, replace it or get rid of it completely.
  10. If the man­u­fac­tur­er hasn’t released a patch to fix the vul­ner­a­bil­i­ty, only fax using a seg­men­ted part of the net­work that does not connect to criti­cal data.
  11. If you use an all-in-one print, copy, fax machine, dis­con­nect it if a supplier or client does not use the fax func­tions.
  12. Most efax companies today encrypt any information they store, but you need to check to make sure they have a valid SSL/TLS license.
  13. eFax companies you use should sign a Business Associate Agreement and state they encrypt any of your information stored on their site.

Migrating away from sending faxes is advisable. Make your company HIPAA compliant. Don’t allow this ‘back-door” compromise your business.

1. https://www.faxswitch.com/fax_machine_history.html
2. https://www.business2community.com/tech-gadgets/why-faxing-will-outlive-us-all-01297384