Moving away from fax

Overview

This page explains why the University of Oregon recommends replacing existing analog fax lines with alternative services. There are two main reasons:

  1. Security vulnerabilities.
  2. Compliance challenges.

The timing of this recommendation is prompted by the replacement of UO's existing Avaya phone system by Microsoft Teams calling and forthcoming Cisco IP phones.

Please Note: To learn more about specific fax replacement options, please visit recommended fax alternatives.

Security vulnerabilities

Fax has historically been the system of choice at the UO for transmitting sensitive information, such as medical and financial information. Many people believe that fax is more secure than digital communications such as email. Although analog fax systems are not exposed to the same kinds of attacks as digital systems, they are more vulnerable to data breaches than encrypted, cloud-based systems.

Broadly speaking, our existing fax system is vulnerable to three types of data breaches:

  1. During transmission. Since the current fax system uses phone lines, faxes can be intercepted by tapping those lines. Information sent over our analog fax lines is not encrypted and can be read in transit by anyone with access to the phone lines. Sensitive financial, medical, and personal information can be stolen by attackers if it is sent over the existing fax system.
  2. Fax machines. Fax machines themselves can be compromised. For example, attackers could send a fax to your department containing an image crafted to exploit flaws in the fax protocols. When your fax machine processes this incoming fax, the malicious code runs on the fax machine, which could expose sensitive information faxed by your department. Attackers who gain remote code execution on the fax machine can potentially reach other devices on the network the fax machine is connected to, including computers, routers, and employee smartphones on the Wi-Fi network, leading to a significantly wider data breach.
  3. Human error. Many of our fax machines are shared between many staff members or sit in common areas of buildings. Faxes containing sensitive information could be read by people who are not intended to view them.

Compliance challenges 

For the reasons outlined above, analog fax service is not compliant with the General Data Protection Regulation (GDPR). If your department collaborates with researchers, faculty, or international students based in the European Union, using fax to transmit documents could expose the university to GDPR penalties.

Additionally, if a fax machine in a common area of your office receives sensitive information while it is not being monitored, your department could be in violation of privacy regulations, since anyone on the premises could potentially view or take the document.

Here’s a brief summary of how analog fax performs in terms of compliance with key regulations:

Regulation   Compliant?   Notes
----------   ----------   -----
FERPA        Yes          Not recommended for FERPA.
HIPAA        Yes          Controlled access or monitoring of the fax machine is a requirement for compliance.
PCI          Yes          Controlled access or monitoring of the fax machine is a requirement for compliance.
GDPR         No
GLBA         Yes          Controlled access or monitoring of the fax machine is a requirement for compliance.

Details

Article ID: 140485
Created: Thu 10/13/22 5:10 PM
Modified: Wed 11/23/22 12:14 PM

Related Articles (1)

Learn about alternatives to fax services and how to choose the option that best meets your needs.