How to Adopt Zero Trust Printing

If someone told you that you should be scared of your printers, you’d likely laugh in their face. While clunky, they aren’t exactly an intimidating adversary. What not everyone knows is that printers pose a huge, costly threat to your organization.

Printers connected to your corporate network are a wide attack vector for hackers. A compromised printer is an entryway into your business’s network, and from it hackers are able to attack other applications and launch ransomware, wreaking havoc on your organization.

According to this print security report by Quocirca, over two-thirds (68%) of organizations have experienced data losses due to unsecured printing practices in the past 12 months, leading to an average of $770,000 per data breach.

Since the need for printers remains high in the workplace, companies must pivot from traditional security measures towards Zero Trust printing in order to protect company data. 

 

Understanding Zero Trust

Before jumping off the deep end, it’s important to understand the basics. A Zero Trust Network Architecture (ZTNA) is a completely new approach to traditional network models. The structure as a whole is based on one principle: Never trust, always verify.

Traditional Network: This model inherently trusts anyone inside the network’s perimeter and is protected through a single verification point (typically a basic password based on an employee’s pet).

Zero Trust Network: A security model in which no device is trusted by default, and users must be continually authenticated, authorized, and validated before being allowed access to applications and data, whether they are inside or outside the organization’s network.

Traditional networks are no longer safe because once any endpoint inside the network is compromised, attackers can move laterally and gain access to anything else on that network. Within a Zero Trust network, access is limited, which is one of the most critical pieces of an effective Zero Trust strategy since most cyberattacks are internal and, more often than not, accidental.

 

Strengthening Your Network Security

Remote work is here to stay. While employees enjoy the conveniences of not commuting to an office, IT departments are flailing to put in place the robust back-end infrastructures needed to protect organizations’ data amid the transition. 

As employees use their own home printers for company printing, this poses two potential attack surfaces for hackers:

  1. An unsecured machine connected to a company computer. Connecting a company computer to an unsecured home printer provides a gateway past any VPN or security. Once a hacker moves from the printer to the company drive, they can gain access to the company’s primary network.

  2. Information is stored on the printer’s hard drive. Printer hard drives store previously queued print jobs for a varying degree of time. Hackers are able to break into these hard drives using a back door to view sensitive company information by accessing the employee’s home Wi-Fi.

Organizations using a traditional network model don’t stand a chance against these threats. However, shifting to a Zero Trust approach means avoiding these types of vulnerabilities altogether by eliminating outdated infrastructure, like print servers, and going serverless. This reduces attack surfaces, strengthens security for remote workers, provides threat detection and prevention, and allows companies more visibility into print activity overall.

 

Investing in Print Security 

Now that you understand why the time to transition to a Zero Trust printing architecture is now, it’s important to select the right print management solution for your organization. The best possible solution will check these four critical boxes:

✔ Access and identity management

✔ Authentication for all connections and endpoints

✔ Segmentation of data to limit harm from breaches

✔ Simple, secure management features

PrinterLogic inherently checks off every box and possesses the necessary tools for your Zero Trust Printing environment. You can finally address your organization’s needs with a scalable solution that offers round-the-clock network protection and unlocks the true potential of your document and print management processes. 

 


Ready to see what Zero Trust Printing from PrinterLogic can do for you? Schedule a demo today. 

How to Achieve the Printing Efficiency You Need with Rule-Based Automation

Output Management Rules & Routing

Your electronic medical record system, enterprise resource planning, and other large-scale applications your organization relies on form critical parts of business processes. It’s crucial the output from those systems ends up in the right place, in the correct format, and on time.

Vasion’s introduction of Output Management brings higher reliability, faster delivery, and unified management of both office and back-end application printing from these systems, but it still leaves the opportunity to further increase the efficiency, accuracy, and reliability of print and workflow tasks.

 

Our customers stress that better efficiency is necessary for their output processes.

One of the concerns commonly brought up by customers I’ve spoken to has been ensuring uptime for critical printing with their printers themselves. If the printer designated for shipping labels or customer invoices breaks, it can put a serious dent in productivity while it’s down, and it’s not always easy to redirect traffic to a new printer within a customer’s application, resulting in unacceptable downtime.

Additionally, these environments often bring processes requiring manual intervention. A healthcare organization we worked with hoped to reduce costs by printing the majority of their documents in black and white, with only after-visit summaries printed in color to maintain a positive patient experience. Now, a manual touchpoint is introduced into the printing process, and it’s up to the individual clinician to remember to select the correct setting for just that type of job every time. 

 

These, and many other examples, drove the creation of Rules & Routing, a rule-based automation feature that is part of our Output Management Bundle.

I challenge you to look deeper into your printing processes–you’ll notice those manual touchpoints often arise in your print environment, like manually converting documents to print-ready PDFs, paper notes taped to the printer reminding employees to print only in black and white, and attaching digital files to emails after scanning. These can all be automated as rules that trigger specific actions based on a set of behaviors. 


The three main components of Rules & Routing: 

  • Triggers are used to watch for specific events that should prompt the Rules & Routing service to decide which course of action to take.
  • Conditions provide the qualifying attributes that decide whether or not an action should be performed.
  • Actions are the actual behavior applied when conditions are met. 

These automated rules reduce or even eliminate any manual intervention, alter print data, increase document security, ensure proper delivery of documents, and more. In addition, document delivery goes beyond printers, including delivery direct to storage folders or through email, eliminating the manual touchpoint for your coworkers. 

 

Let’s look back at the example above from our customer needing to ensure continuous uptime for their printing processes. 

To solve this issue and avoid long periods of downtime, I would create a rule that automatically reroutes my print data to a backup printer in the event we detect print failures on the primary printer. The steps are:

  1. Create a rule with the trigger “Print Job Failed”
  2. Choose a condition selecting the primary printer(s) you are watching for failures
  3. Add the “Redirect print job” action, where you’d select the backup printer
  4. Optionally, you could also add another action to email the originating user to alert them that their job is located on a new printer
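
The failover rule from the steps above, sketched as a small trigger/condition/action evaluator. This is an added illustration, not PrinterLogic's code or API: the class and function names and the printer names LABEL-01 and LABEL-02 are hypothetical, and it adds a guard for the case where the backup printer fails too, so that two mutual-failover rules cannot bounce a job back and forth.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class PrintEvent:
    trigger: str                      # event name, e.g. "Print Job Failed"
    job_id: str
    user: str
    printer: str                      # printer the event occurred on
    failed_on: List[str] = field(default_factory=list)


@dataclass
class Outcome:
    action: str                       # "redirect", "email" or "hold"
    detail: str


Action = Callable[[PrintEvent], Outcome]


@dataclass
class Rule:
    name: str
    trigger: str
    condition: Callable[[PrintEvent], bool]
    actions: List[Action]


def on_printers(watched: Set[str]) -> Callable[[PrintEvent], bool]:
    """Condition: the event happened on one of the watched printers."""
    return lambda ev: ev.printer in watched


def redirect_to(backup: str) -> Action:
    """Action: move the job to the backup, unless it already failed there."""
    def act(ev: PrintEvent) -> Outcome:
        ev.failed_on.append(ev.printer)
        if backup in ev.failed_on:
            return Outcome("hold", f"{ev.job_id}: {backup} already failed, holding job")
        ev.printer = backup
        return Outcome("redirect", f"{ev.job_id} -> {backup}")
    return act


def email_user(ev: PrintEvent) -> Outcome:
    """Action: tell the originating user where the job ended up."""
    return Outcome("email", f"to {ev.user}: job {ev.job_id} moved to {ev.printer}")


def evaluate(rules: List[Rule], ev: PrintEvent) -> List[Outcome]:
    # Match against the event as it arrived, so an action that changes
    # ev.printer cannot make a later rule fire on the same event.
    matching = [r for r in rules if r.trigger == ev.trigger and r.condition(ev)]
    outcomes: List[Outcome] = []
    for rule in matching:
        for action in rule.actions:
            result = action(ev)
            outcomes.append(result)
            if result.action == "hold":   # job did not move: skip the email
                return outcomes
    return outcomes


# Constructed rules: each label printer is the other's backup.
RULES = [
    Rule("label failover", "Print Job Failed", on_printers({"LABEL-01"}),
         [redirect_to("LABEL-02"), email_user]),
    Rule("label failback", "Print Job Failed", on_printers({"LABEL-02"}),
         [redirect_to("LABEL-01"), email_user]),
]

if __name__ == "__main__":
    job = PrintEvent("Print Job Failed", "job-17", "asmith", "LABEL-01")
    print(evaluate(RULES, job))       # redirected to LABEL-02, user emailed
    print(evaluate(RULES, job))       # LABEL-02 fails as well: job is held
```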

Your Guide to Secure, Uninterrupted Printing with SAP

This blog is part of a three-part Output Management series about the Oracle Health EHR, Epic, and SAP connectors. Read the other installments on Epic and Oracle Health EHR.

SAP is the world’s leading ERP solution that processes operational data and manages complex business processes in enterprise organizations. Organizations in sectors like manufacturing and distribution, which require continuous delivery of printed orders and invoices to keep their systems running, rely on highly available printing methods.

 

Print Servers and High Availability

The typical method of printing from SAP is through a print server, often a Windows print server. On the back end, SAPWIN hands an initiated job to a print server running SAPSprint, which then processes the job and delivers it to a standalone SAP print queue to finally be printed.

Windows print servers may do the job of managing the high volumes of printing from your SAP environment, but what happens when hardware fails and halts printing? Microsoft deprecated print spooler clustering in Windows Server 2012; to maintain redundancy, print servers are instead put behind a load balancer to split print traffic. Unfortunately, when a print job has already been received or a print queue has an error, those jobs won’t print, and often the load balancer won’t detect the failure.

Connection interruptions and hardware failures aside, print servers in complex print and output webs require continued maintenance by trained IT professionals, which fills up daily schedules. We’ve spoken to admins like you who struggle with the demand of managing complex print server environments. We recommend:

  • Reducing print server hardware
  • Consolidating front- and back-end printing
  • Adopting Zero Trust values

If you’re asking yourself, “Is this even possible?”, we have the answer, and PrinterLogic has the solution you’re looking for.

 

How can I reduce print server hardware while maintaining redundancy?

The end-to-end process without a print server is simple when you have PrinterLogic facilitating your back-end printing from SAP. Here’s what that process looks like: 

All of your existing print queues are migrated into PrinterLogic using our built-in migration utility. From there, you can deploy those queues to your end users automatically. If you’re an existing PrinterLogic customer, you have likely already done this and are one step ahead!

Your print job originates from your SAP environment and is sent over TCP 515 to a designated Service Client, a lightweight desktop LPD Service that intercepts your jobs from SAP and routes them to your printers. These can run anywhere you want, but we recommend hosting them on an existing utility server used for other (non-printing related) tasks. You can spin up multiple Service Clients to achieve redundancy and high availability that you wouldn’t otherwise be able to do with your old print servers. Your print job data and metadata are received and analyzed by the LPD Service to determine where and how it will be printed.

A copy of the job persists in your own configured storage solution until the job is printed, either via direct IP printing or held securely until manual release, with no threat of interruptions from connectivity loss. That’s it! All without the need for print server clustering.

 

 

What is meant by front- and back-end printing consolidation? 

There is generally a disconnect between SAP back-end printing, print server management, and general office printing. With PrinterLogic’s cloud-based Administrative Console, administrators can have control over all back-end configuration and redundancy and the entire printing lifecycle, while still maintaining visibility to front-end printers and print activity. No more managing a web of print servers and output locations when the entire process can be consolidated on a unified platform from a single pane of glass. 

 

How can I adopt Zero Trust on top of all of this?

We understand that managing network security in a complex net of print servers is time-consuming and stressful (that’s why we got rid of our print servers). Zero Trust levels the playing field for all employees by demanding verification from everyone. There are a few print methods that follow this principle: 

  • Off-Network Printing allows your guest or contracted users to print without you giving them access to the local network. Off-network jobs pass through a load-balanced gateway on your instance, then release via authentication at the printer.
  • Secure Release Printing holds print jobs on the queue until identity authentication at the printer to ensure all proprietary information gets into the right hands.

PrinterLogic offers these features and more in our add-on Advanced Security Bundle.

In addition to secure print methods that help you adopt a Zero Trust environment, there are new features currently in progress with our development teams, which will offer even more output and print management capabilities. 

 

Why PrinterLogic?

It just works! PrinterLogic gives you centralized administration control to ease your security management burden while maintaining high availability in every print job. We think you’ll be pleased with what you see. 

We’d love to hear from you and discuss the PrinterLogic Output Management solution further. If you’re interested in interfacing with a member of our team, contact your PrinterLogic representative or schedule a demo here.

Managing Your Clinical Printing with Epic from a Unified Platform

This blog is part of a three-part Output Management series about the Oracle Health EHR, Epic, and SAP connectors. Read the other installments on Oracle Health EHR and SAP.

Epic Systems Inc. is the leading supplier of Electronic Medical Records (EMR) software in the U.S. and is expanding its customer base worldwide. It’s a highly trusted solution for many healthcare organizations. 

Despite Epic’s many strengths, managing printing in this environment is often challenging for IT because Epic queues are handled separately from other forms of (non-clinical) printing. There’s a way to unify the management of both administrative and clinical printing in a single Administrative (Admin) Console, with additional secure print methods—I’ll explain below.

But first, how can Epic host your environment?

Epic has two primary hosting architecture options: an on-premises, customer-hosted model and a cloud-based, Epic-hosted model. Customers may choose either model based on their infrastructure and the amount of control they want to have over their environment.

On-premises

An on-premises, customer-hosted model is a traditional method for Epic installations. It offers IT admins more control but requires more infrastructure and resources. Print management can be labor-intensive. Because printing is mission-critical, IT admins must create and manage multiple identical print servers for load balancing. They monitor their status and keep them synchronized.

Cloud-based

When Epic hosts the solution in the cloud, print servers are no longer controlled by the healthcare client, and administrators can no longer add to, remove from, or make changes to their print queues. Nor can they install software to help them manage their environment. They must contact Epic to open a ticket for every change. The response can be fast, but in some cases, there are delays. Many admins we work with want a more straightforward solution they can control. 

Either model has upsides and downsides. In any case, managing printing can be cumbersome without a solution to reduce the complications of multiple asynchronous servers and limited administrative access.

That’s where PrinterLogic comes in. 

PrinterLogic gives IT full control and allows healthcare organizations to manage all of their printing from one Admin Console—both for the clinical Epic environment and business-management office printing.

There are two ways PrinterLogic manages printing for Epic customers. One involves keeping the traditional Epic print servers but providing a powerful Admin Console for managing drivers and print settings across the Epic infrastructure. The other method is available by installing the PrinterLogic Epic Connector. Our Epic Connector eliminates the need to deploy drivers and queues to print servers altogether, unifying all forms of healthcare print management—including clinical and general office printing—from a single pane of glass. I’ll explain how it works. 

How does the PrinterLogic Epic Connector work?

The PrinterLogic Epic Connector reroutes print jobs so that, rather than flowing through a web of disconnected servers and drivers, they’re directed through PrinterLogic to the destination printers. The PrinterLogic Admin Console then becomes “mission control,” enabling you to manage the various servers, drivers, and queues across both Epic and clinical printing without the need for third-party equipment or services.

Here’s how it works in 4 steps:

  1. The Epic Connector utilizes Epic’s Output Management API to receive documents to be printed directly from Epic, sent via HTTPS.
  2. These documents are sent with an XML file specifying the destination printer, print settings, the user who sent the job, and additional metadata. 
  3. The Epic Connector processes the job without a driver, eliminating the need to spool and render the job as with a traditional driver. If a driver is needed for specialty printers like label printers, the Connector will fall back to a selected driver for direct IP printing.
  4. Once printed, the Connector will use the included metadata to properly report user-level printing records and respond back to Epic that the job was successfully printed. This service includes automatic redundancy to protect against failures, ensuring business-critical Epic printing is not interrupted.

 

 

This architecture can be used with either on-premises or cloud-hosted instances of Epic on version 2018 or later.

This solution allows end users to securely hold their print jobs: for a job to print, the user must authenticate their identity at the printer with an employee badge swipe, a QR code scan from a mobile device, a PIN or password, or another release mechanism. Secure Release can reduce print volume by up to 20 percent and prevent PHI or PII from being exposed to unintended viewers.

Off-Network Printing is another method—allowing any traveling or contracted providers working in a hospital or clinic temporarily to still access networked printers and print, while not having official network access. When a job is printed via an off-network print queue, the job travels through the cloud, is received by an Internal Routing Service on the network, then pulled to the destination printer. 

How is the Epic Connector set up with an existing environment?

Setting up centralized management of printer drivers and settings for all Epic print servers is very straightforward. It only requires one simple step: The administrator installs the PrinterLogic agent on each server and allows the agent to import all existing print queues and their settings. 

Once imported, the administrator can work completely from PrinterLogic’s web-based Admin Console to update drivers, change settings, add or remove queues, and more, to gain more granular control over their environment. 

These changes automatically apply to all appropriate print servers to keep them in sync with one another without the need for manual changes or scripting. This method is only supported with on-premises instances of Epic.

Interested in eliminating all of your print servers?

We deliver a highly available serverless printing infrastructure, all managed from a cloud-based centralized Admin Console. We’d love to show you how. Schedule a demo here to learn more. 

How it Works: Oracle Health EHR Printing with PrinterLogic’s LPD Service

This blog is one of a three-part Output Management series about the Oracle Health, Epic, and SAP connectors. Read the other installments on Epic and SAP here. 

PrinterLogic’s healthcare customers value our serverless printing solution for the secure, unified print management it provides. We help simplify the complexity of conducting general office printing alongside EHR/EMR solutions, which almost always come with their own print infrastructure and framework. 

As part of our efforts to make that day-to-day experience even better for all healthcare personnel, while reducing the load on IT admins, we’ve developed tools to better manage back-end Oracle Health electronic health record (EHR) printing and overall front-end output.

The LPD Service is the bridge between Oracle Health EHR software and your printers, and has big benefits of convenience and ease of use for healthcare organizations. 

 

Let’s dig in a little deeper.

The line printer daemon (LPD) is part of a standard software protocol that allows networked computers to submit print jobs to printers on the same network. The LPD is the liaison responsible for relaying print jobs to the network printer.

The PrinterLogic LPD Service works by identifying a service client device on the network that is running the standard PrinterLogic client agent. It runs in the background and listens for compatible print jobs.

Once the LPD Service has been enabled by an admin, it can receive LPD print traffic and extract information from the print job’s bundled metadata. That data includes who printed the job, which printer it’s targeting, as well as details like finishing options (e.g., duplex, B/W, output tray) and secure release settings. Based on that metadata, the print job will be routed to the correct printer, including off-network configured printers, and/or held for release if requested.

The same metadata is also used for PrinterLogic’s reporting functionality. Details like the initiating user, destination printer, timestamp, and filename are collected and uploaded to the PrinterLogic Admin Console.

Behind the curtain information: The PrinterLogic LPD Service will first try to send the job to the printer without using a driver via the Internet Printing Protocol (IPP). IPP is another printing standard that supports advanced capabilities like access control, authentication, and encryption. If IPP isn’t supported on the printer, you can use any signed Type 3 printer driver instead.
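
The routing and reporting fields described above travel in the LPD control file defined by RFC 1179 (the same protocol carries SAP jobs to a Service Client over TCP 515 in the SAP article), and its host (H) and user (P) lines are written by the sending system. As an added example, not PrinterLogic's code: a strict parser that a receiving service could run before using those fields for routing or reporting. The sample bytes are constructed, the 255-octet fallback cap is an assumption, and any vendor-specific metadata beyond RFC 1179 is not covered.

```python
import re

# Operand length limits in octets, as given in RFC 1179
MAX_LEN = {"C": 31, "H": 31, "J": 99, "N": 131, "P": 31, "T": 79}
FIELDS = {"C": "job_class", "H": "host", "J": "job_name", "P": "user", "T": "title"}
PRINT_CMDS = frozenset("cdfglnoprtv")      # each names a data file to print
DATA_FILE = re.compile(r"df[A-Za-z]\d{3}[A-Za-z0-9._-]+")


class ControlFileError(ValueError):
    """The control file is malformed or unsafe to act on."""


def parse_control_file(raw: bytes) -> dict:
    """Return the routing/reporting fields of an RFC 1179 control file."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ControlFileError("control file is not ASCII") from exc

    job = {"source_names": [], "data_files": []}
    for number, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        cmd, operand = line[0], line[1:]
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in operand):
            raise ControlFileError(f"line {number}: control character in operand")
        # 255 is an assumed cap for commands RFC 1179 gives no limit for
        if len(operand) > MAX_LEN.get(cmd, 255):
            raise ControlFileError(f"line {number}: '{cmd}' operand too long")
        if cmd in FIELDS:
            job[FIELDS[cmd]] = operand
        elif cmd == "N":
            job["source_names"].append(operand)
        elif cmd in PRINT_CMDS or cmd == "U":
            # Data file names end up as spool paths: accept only the
            # dfA<3 digits><host> shape and never a parent-directory step.
            if not DATA_FILE.fullmatch(operand) or ".." in operand:
                raise ControlFileError(f"line {number}: bad data file name")
            if cmd != "U" and operand not in job["data_files"]:
                job["data_files"].append(operand)
        # Other commands (I, L, M, S, W, 1-4) do not affect routing here.

    missing = [c for c in ("H", "P") if FIELDS[c] not in job]
    if missing:
        raise ControlFileError("missing required line(s): " + ", ".join(missing))
    return job


def rejection_reason(raw: bytes):
    """Return None if the control file parses, else the reason it was refused."""
    try:
        parse_control_file(raw)
    except ControlFileError as exc:
        return str(exc)
    return None


# Constructed sample: one job from host sap-app01, user jdoe
SAMPLE = (b"Hsap-app01\nPjdoe\nJInvoice 4711\nldfA042sap-app01\n"
          b"UdfA042sap-app01\nNinvoice_4711.pdf\n")

if __name__ == "__main__":
    print(parse_control_file(SAMPLE))
    print(rejection_reason(b"Hsap-app01\nPjdoe\nl../../tmp/x\n"))
```

Because the sender writes the H and P lines, a parsed user name identifies who the sending system says printed the job; release at the printer still depends on the authentication step the article describes.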


 

What does the LPD Service offer Oracle Health and print management?

Oracle Health provides one of the world’s leading EHR solutions for the healthcare industry to access and securely maintain vast data stores of confidential patient medical information. By design, it also becomes the central source of printing for the organization, as almost every record originates from or passes through Oracle Health before it’s printed. 

Unfortunately, this can cause issues with general office printing and back-end applications, because Oracle Health has its own server-based print infrastructure. Device incompatibilities, downtime, and routine printing errors are common occurrences that multiply in IT environments with diverse printer fleets.

PrinterLogic’s LPD Service leverages the universal line print remote (LPR) printing standard—the same one that Oracle Health’s own EHR system uses—to enable users to print from back-end applications without the need for legacy print servers, sidestepping all the problems inherent to those print servers. Additionally, with PrinterLogic’s advanced printing features, IT admins get even more control over printing:

  • Comprehensive reporting: See who printed what, when, where, and why.
  • Secure Release/pull printing: Jobs are held until the user has authenticated their identity at the printer to release them. This keeps protected health information (PHI) from sitting unclaimed in print trays accessible to anyone.
  • Off-Network Printing: Conveniently allow devices to print, without direct access to your network, while maintaining strict Zero Trust policies.

These features complement the stringent security requirements of EHR systems and enable organizations to maintain compliance with HIPAA and other industry regulations.

The LPD Service also increases print resiliency to avoid downtime. Multiple PrinterLogic LPD Service clients can be used to create redundancy. These can be set up behind a load balancer or configured to communicate amongst themselves for failover scenarios.

 

Availability 

The PrinterLogic LPD Service is available in our Output Management Bundle, an add-on license to the core print feature set. The service supports connections with Oracle Health, Epic, and SAP systems to provide organizations control over everything they print. Stay tuned for exciting features coming soon that include automations to increase uptime and avoid disruption to your business-critical printing. 

Additionally, Off-Network Printing and Secure Release Printing are available in our Advanced Security Bundle to help you adopt Zero Trust principles and practices. 

 

A Complete Solution for Printing and Print Management 

The LPD Service is just one benefit among many that PrinterLogic offers to healthcare organizations. With our serverless printing solution, you can:

  • Lower costs: Fragmented solutions and all the required support infrastructure can lead to mounting costs. By minimizing the hardware footprint and eliminating deep-rooted print inefficiencies, PrinterLogic keeps costs down.
  • Simplify print management: It can be difficult to bridge the different systems for EMR and general office printing. PrinterLogic helps to unify the print environment and provides a single window for IT to oversee it.
  • Harden security: Thanks to its Secure Release and Off-Network Printing functionality, PrinterLogic increases the security of Oracle Health and similar EMR/EHR solutions without sacrificing ease of use.
  • Provide insights: In addition to capturing extensive metadata for every print job, PrinterLogic offers a convenient way to view, filter, and sort that information. IT can easily monitor print activity across the organization.

 

Interested in eliminating all of your print servers?

We deliver a highly available serverless printing infrastructure using a centrally-managed direct IP printing platform. If you want to empower end users with mobile printing, Secure Release Printing, and many advanced features, we’d love to show you how.