It seems some technologies are hard to get rid of and it seems that people are still using fax machines to send data despite them being slow, cumbersome, unreliable and, most importantly, insecure. As it is 2013, it should go without saying that fax machines are not an appropriate mechanism to send anything sensitive and certainly not sensitive personal data.
However, this is exactly what has cost the North Staffordshire Combined Healthcare NHS trust £55,000 this week. To make matters worse, the Trust has a set of policies to cover sending data over fax machines, but they appear to have been ignored. As a reminder – normal fax machines are insecure. And we would even go as far as to say even if you set up good cryptography to secure your fax machines, they are still the worst option.
In an announcement on 13 May 2013, the Information Commissioners Office (ICO) reported that the NHS Trust had sent sensitive medical data over their fax machines to the wrong number on three separate occasions. The Trust only became aware of the problem when the recipient eventually wrote to them.
It appears that this breach was the result of a combination of factors. First off, fax machines are a bad idea for sensitive data. To make it worse, it appears the trust staff were not aware of how to use fax machines in a secure manner. Combining these two almost guarantees a security breach.
The ICO is less damning over the use of fax machines and concentrates on the process and user awareness:
Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.
This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.
We would suggest that this is the bare minimum to consider if you use fax machines – for any data – but first you should review why you are using them in the first place.
Recently we have been engaged with a couple of organisations who have used fax machines to send corporate data. In two instances this included information that would be considered sensitive in most context (although not covered Data Protection Act 1988).
Both companies have detailed security policies governing the transmission of data and what encryption is required. However, neither appeared to realise that data over fax machines was sent in the clear with very little way of knowing who the recipient was.
Fax machines are not suitable for sensitive information.
Just in case you aren’t convinced, lets look at some reasons why fax machines are risky.
- The data is (normally) unencrypted. Fax machines simply scan the image and send the bits over the phone line. Anyone between you and the recipient can read the data.
- You cant be sure the line between sender and recipient is direct. Most telephone connections use IP somewhere along the path. This means the day of a single bit of copper between each machine are long gone. When you use fax machines, you have as much control over what equipment is between parties as you do with email.
- Using fax machines gives you no control, or assurance, over who is at either end. Most of the time, documents you fax end up falling out of the machine onto the floor where they wait to be found.
- When you send documents over fax machines, you have no real way of knowing if they arrived unless you implement a laborious process of telephone calls before and after.
Obviously you can implement mitigating controls (such as telephone calls before and after, or expensive encrypted fax lines) and still use fax machines. The problem is this all creates a cost just to allow you to use an outmoded communications path. Would you put this much effort in to allow your business to still use smoke signals?
What compounds the problem is the vast majority of documents sent by fax are generated on internet connected computers, using networked data, and then printed off before being sent. This creates the new problem of having to secure the printed copy at both ends.
A much easier solution is to email the document and use any of the good (often free) encryption tools that are available. Now the only challenge is to share the encryption key (password) with the other side, but this can be easily done over different channels. If you regularly exchange sensitive information with a single endpoint (as in the NHS example), rather than use fax machines, you can set up an end to end encrypted email system. If that is too technical, then you can still pre-arrange what your passwords will be and use any free encryption packages.
Of course, nothing in security is perfect and every solution will have risks. The problem with fax machines is that they actually increase the risks over what you would get using unencrypted email.
Now, having said all that, one use for fax machines is as a third line disaster recovery option. If your online comms are down and you absolutely must send a document, then fax it. Just don’t think it is in any way secure.
Take this opportunity to review your processes. If you have fax machines, find out why you use them and what business functions they provide that cant be replicated using email. Don’t accept the argument that you need to capture signatures – this can be done electronically or even scan a signature in. Make sure there is a good, strong business reason to take this risk.
If you absolutely must use fax machines make sure that you have good policies and processes to secure their use.
Finally, and this is the important bit, make sure all your staff are 100% sure how to use them and have the time and space to do it properly. Do not allow your managers to rush staff into unsafe practices and do not allow your staff to develop bad habits.
Fax machines are bad news from a security standpoint, so if you want them, you have to work hard to minimise your risks.