Overview
This page explains why the University of Oregon recommends replacing existing analog fax lines with alternative services. There are two main reasons:
- Security vulnerabilities.
- Compliance challenges.
Security vulnerabilities
Fax has historically been the system of choice at the UO for transmitting sensitive information, such as medical and financial records. Many people believe that fax is more secure than digital communications such as email. Although analog fax systems are not exposed to the same kinds of attacks as digital systems, they are more exposed to data breaches than encrypted, cloud-based fax services.
Broadly speaking, our existing fax system is exposed to data breaches at three points:
- During transmission. The current fax system sends documents over ordinary phone lines with no encryption, so anyone who can tap the line can read the fax in transit. Sensitive financial, medical, and personal information sent over the existing fax system can be stolen this way.
- Fax machines. Fax machines themselves can be compromised. For example, an attacker could send your department a fax whose image data is crafted to exploit flaws in the machine's handling of the fax protocol. When the machine decodes the incoming fax, the attacker's code runs on the machine, which could expose sensitive documents your department sends or receives. An attacker who gains remote code execution on the fax machine can also attempt to reach everything on the network the machine is connected to, including computers, routers, and employee smartphones on the Wi-Fi network, leading to a significantly wider data breach.
- Human error. Many of our fax machines are shared by many staff members or sit in common areas of buildings. Faxes containing sensitive information could be read by people who were never intended to see them.
Compliance challenges
For the reasons outlined above, analog fax service is not compliant with the General Data Protection Regulation (GDPR). If your department collaborates with researchers, faculty, or international students based in the European Union, using fax to transmit their documents could expose the university to GDPR penalties.
Additionally, if a fax machine is in a common area of your office and receives sensitive information when it is not being monitored, your department could be in violation of privacy regulations, since anyone on the premises could potentially view or steal private information from the document.
Here is a brief summary of how analog fax performs in terms of compliance with key regulations:

| Regulation | Compliant? | Notes |
| --- | --- | --- |
| FERPA | Yes | Not recommended for FERPA-protected records. |
| HIPAA | Yes | Controlled access to, or monitoring of, the fax machine is required for compliance. |
| PCI | Yes | Controlled access to, or monitoring of, the fax machine is required for compliance. |
| GDPR | No | Use of fax could expose the university to penalties. |
| GLBA | Yes | Controlled access to, or monitoring of, the fax machine is required for compliance. |