Network Printer Configuration Standards

Overview

Provide Network Printer Configuration Standards

Purpose

Provide Network Printer Configuration Standards to assist with proper printer purchasing and usage.

Scope

This standard applies to UVa Health System employees and associated entities, and personnel

Description

Network Printer Configuration Standards

Health System Technology Services provides centrally maintained network printer support. The objective of this document is to provide standards for printing devices so that the Health System can properly support these devices, ensure that they meet UVa security standards, and provide a standard for procurement of such devices.

Currently acceptable manufacturers / model lines supported are:

  • HP LaserJet line
  • Canon ImageRunner line (Multi-Function Enterprise class only)
  • Ricoh Afficio line (Multi-Function Enterprise class only)

Currently accepted printer models are:

Black & White Network Printing

Low volume Medium volume High volume
HP LaserJet M506n HP LaserJet M607n HP LaserJet M609n

Color Network Printing

Low volume Medium volume High volume

HP Color LaserJet M553dn

HP Color LaserJet M652n HP Color LaserJet M653n

Black & White Multifunction Printers

low volume medium volume high volume
HP LaserJet  M527dn  MFP HP LaserJet M4345 MFP HP LaserJet 9050 MFP
Ricoh Afficio 2510 Ricoh Afficio 3500 Ricoh Afficio 7500
Canon ImageRunner 2270 Canon ImageRunner 3570 Canon ImageRunner 5070

If a customer wishes to add a printer model not listed above, they must submit a service request to have the HSCS LAN and Consulting groups evaluate the model for compatibility with our network. The evaluation will be based on, at a minimum, the following requirements:

  1. Printer must be from a supported manufacturer and model line (listed above).
  2. The device/printer must be network ready with a network interface card (NIC) that is part of the device hardware and not a third party add on. The card must have a fully functional Ethernet port.
  3. All network attached printers must be manageable through SNMP.
  4. All devices/printers must have Microsoft-approved printer drivers compatible with 2008 server, Windows XP Professional and Windows 7 Enterprise.  The printer driver must be a point and print driver which does not install additional software on the server or the client PC.  Either a UPD or compatible 64-bit driver is required.

Printers meeting the above requirements are typically enterprise class devices rather than those marketed for Home or Small Business Workgroups. Printers designed for Home or Small Business Workgroups, in general, are not robust enough for enterprise printing solutions. Maintaining these printers and their associated print queues oftentimes results in time and labor expenses that far exceed that of enterprise class printers.

Security Standards and Configuration

  1. All printers should be placed on the Secure Clinical Subnet (10. network) rather than the public (128. or 172. networks). This provides a measure of security and helps prevent unauthorized access or attacks from outside the Health System. If a printer is used for output containing ePHI, the printer must be placed on the Secure Clinical Subnet.
  2. Unless needed for a specific application, disable the following protocols: IPX/SPX, Appletalk, Telnet, DLC, mDNS, and FTP.
  3. Set an administrative password to prevent unauthorized web console access.  An SNMP Community String other than the default must be set.
  4. If the printer contains a hard drive, overwrite software must be used if available (to cleanse the drive continually of data once printed).  Also, if the printer is leased, upon termination of the lease the hard drive must be destroyed before leaving the Health System.  Typically this entails a contractual arrangement whereby the Health System is allowed to keep the drive on a fee basis.  See the Surplus Equipment Procedures for more information.

In order to help ensure that these security standards are enforced, HSTS performs weekly scans of their installed printer population on the secure clinical subnet, and any printer found that does not meet the above configuration standards will be updated to meet these standards.  Printers installed by vendors may not be able to be scanned in this manner, so it is the responsibility of the vendor to ensure compliance.

Multi-function Printing Functionality

Scanning via email:

Scanning will be supported via utilizing the mail relay method. An HSTS Service Request will need to be entered to request email forwarding for each individual device. The IP address of the multifunction printer will need to be in the request. LDAP support for email address lookup will not be supported.

Fax:

Phone lines attached to multifunction devices may only be used for sending and receiving faxes. Any other feature on the device that could utilize the phone line must be disabled to maintain the security of the Health Systems network infrastructure.

Document Supporting Resources