July 4, 2026
The Printer, the Badge Reader, and the HVAC System Walk Into a Breach

By Travis Ray Caverhill
There is a strange belief in many organizations that if a device does not look like a computer, it does not need to be secured like one. A workstation is a computer. A server is a computer. A laptop is a computer. Those get agents, policies, patches, monitoring, encryption, access controls, and at least the occasional angry glance from IT. But the printer down the hall? That is just a printer. The badge reader by the employee entrance? That is facilities. The HVAC controller? That belongs to maintenance. The security camera? That is physical security. The smart TV in the conference room? Nobody knows who owns that, but it has been on the network since the last remodel, so apparently it is a respected elder now.
Attackers love that kind of thinking. They do not care what department bought the device. They do not care whether finance labeled it as equipment, facilities labeled it as infrastructure, or IT labeled it as "please stop plugging things into our network without telling us." If it has an IP address, firmware, credentials, a web interface, remote access, wireless capability, storage, or the ability to communicate with other systems, it belongs in the security conversation. The problem is that many organizations still divide technology into two categories: computers and everything else. The "everything else" category is where risk goes to relax.
Printers are one of the best examples. They sit quietly in departments, nurse stations, clinics, offices, registration areas, and administrative suites. People trust them because they are boring. That is a terrible reason to trust anything. Modern printers are not simple paper machines. They are networked devices with operating systems, storage, address books, scan-to-email functionality, authentication options, administrative portals, firmware, logs, and sometimes years of unpatched vulnerabilities aging gracefully like a security wine nobody should drink.
In healthcare, printers may process patient records, insurance forms, discharge paperwork, prescriptions, lab requests, HR documents, finance records, and legal material. Some store job history or cached documents. Some have default admin credentials that were changed once during deployment, if the organization was feeling ambitious that day. Some use outdated protocols. Some sit on broad internal networks where they can talk to systems they have no business knowing exist.
And because they are "just printers," they often escape the same scrutiny as traditional endpoints. No one asks whether they are patched. No one reviews their access. No one validates whether scan-to-email is properly secured. No one checks whether the admin interface is exposed across the network. No one confirms whether old hard drives are wiped before disposal. Then, during an investigation, everyone acts surprised that the printer had more access than some employees.
Badge readers and access control systems create another uncomfortable problem. These systems are often treated as physical security tools, which they are, but that does not make them separate from cybersecurity. Badge systems manage identity, movement, building access, restricted areas, server rooms, medication storage zones, data centers, and employee entrances. If compromised, they can affect both digital and physical safety.
A weak badge system is not just a door problem. It can become an identity problem, a surveillance problem, a safety problem, and an incident response problem. If attackers can manipulate access logs, clone credentials, disable readers, unlock doors, or interfere with authentication flows, the impact crosses cleanly from cyber into the real world. That is especially dangerous in hospitals, where controlled access is tied to patient safety, medication security, newborn protection, emergency departments, behavioral health areas, and data center access.
Then there is HVAC, the quiet little kingdom of thermostats, building management controllers, sensors, dampers, environmental controls, and remote vendor access. HVAC systems are not glamorous, which is exactly why they get ignored. But when facilities technology is network-connected, remotely managed, and poorly segmented, it becomes part of the attack surface. Hospitals depend on environmental controls for patient comfort, equipment rooms, pharmacies, labs, operating areas, sterile processing, and server rooms. A building management system is not just making sure executives enjoy a crisp 68 degrees in the boardroom. It may be helping protect operational continuity.
Facilities systems often come with vendor-managed remote access, shared credentials, legacy software, weak logging, and a deployment history that predates the current security team. Documentation may be thin. Ownership may be unclear. Patching may be rare because nobody wants to break building operations. These systems may sit on the network for a decade with very little visibility, quietly humming along while everyone assumes they are safe because they have never caused a problem. That is not safety. That is luck with a maintenance contract.
Security cameras are no better. Cameras are often installed in bulk, connected to video management systems, and then quietly forgotten unless one stops recording. Many have embedded firmware, web interfaces, default accounts, outdated software, cloud dependencies, vendor access, and storage systems holding sensitive footage. In healthcare, camera systems may cover entrances, parking lots, emergency departments, pharmacies, behavioral health spaces, loading docks, and other sensitive areas. If compromised, they can create privacy exposure, physical security risk, and intelligence for attackers planning something worse.
The same problem applies to smart TVs, conference room equipment, nurse call integrations, kiosks, time clocks, lab devices, pharmacy systems, badge printers, temperature monitors, building sensors, and anything else that speaks network. The phrase "non-computer device" is becoming meaningless. These devices compute. They store. They authenticate. They transmit. They can be exploited. They can be used for persistence, reconnaissance, lateral movement, credential capture, data exposure, or disruption.
The real issue is ownership. In many organizations, these devices fall into political dead zones. Facilities owns the HVAC system, but IT owns the network. Security owns the risk, but procurement bought the device. The vendor manages the platform, but nobody reviews the vendor's access. Compliance asks for evidence, but the evidence lives in three systems and one guy's memory. When something goes wrong, everyone suddenly becomes very interested in who was supposed to manage it. Attackers do not wait for org charts to make sense.
A real security strategy for IoT, OT, and facilities technology starts with inventory. Not a spreadsheet someone updates every February when an audit gets spicy. A living inventory. What is connected? Where is it located? Who owns it? What does it talk to? What firmware is it running? How is it authenticated? Who has admin access? Is remote access enabled? Is the vendor using named accounts or one shared login from the Bronze Age? Is it segmented? Is it monitored? Is it patched? Is it even still supported?
Once the inventory exists, segmentation has to follow. Printers should not talk freely to clinical systems. Cameras should not browse the network like tourists. Badge systems should not sit in the same neighborhood as general workstations. Building automation should be isolated. Vendor access should be controlled, logged, time-limited, and reviewed. Remote access should require strong authentication and should never depend on "the vendor said it was secure" as the entire risk assessment.
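To make the inventory and segmentation questions above concrete, here is an added example (not part of the original article) that checks inventory records for ownership and support gaps, then compares flow records against a per-device allow-list. The addresses, field names, policy, and flow records are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed inventory; field names are assumptions made for this example.
INVENTORY = {
    "10.20.5.11": {"kind": "printer", "owner": "IT", "vendor_login": "named", "supported": True},
    "10.30.1.7": {"kind": "camera", "owner": None, "vendor_login": "shared", "supported": True},
    "10.40.2.3": {"kind": "hvac", "owner": "Facilities", "vendor_login": "shared", "supported": False},
}
# Constructed policy: the only destinations each device kind may reach.
ALLOWED = {
    "printer": ["10.20.0.10/32"],  # print server
    "camera": ["10.30.0.5/32"],    # video management system
    "hvac": ["10.40.0.0/24"],      # building-automation VLAN
}
# Constructed flow records from the device VLANs: (source, destination, port).
FLOWS = [
    ("10.20.5.11", "10.20.0.10", 9100),
    ("10.20.5.11", "10.50.8.20", 445),  # printer reaching another subnet
    ("10.30.1.7", "10.30.0.5", 554),
    ("10.40.2.3", "10.40.0.9", 47808),
    ("10.60.9.9", "10.20.0.10", 80),    # source absent from the inventory
]

def inventory_gaps(inventory):
    """Map each device IP to the ownership and support gaps in its record."""
    gaps = {}
    for ip, rec in inventory.items():
        found = []
        if not rec.get("owner"):
            found.append("no owner")
        if rec.get("vendor_login") == "shared":
            found.append("shared vendor login")
        if not rec.get("supported"):
            found.append("unsupported")
        if found:
            gaps[ip] = found
    return gaps

def flow_findings(flows, inventory, allowed):
    """Flag flows from uninventoried sources or to destinations outside policy."""
    findings = []
    for src, dst, port in flows:
        rec = inventory.get(src)
        if rec is None:
            findings.append(("unknown-device", src, dst, port))
            continue
        nets = [ipaddress.ip_network(n) for n in allowed.get(rec["kind"], [])]
        if not any(ipaddress.ip_address(dst) in net for net in nets):
            findings.append(("segmentation-violation", src, dst, port))
    return findings
```

Calling `inventory_gaps(INVENTORY)` and `flow_findings(FLOWS, INVENTORY, ALLOWED)` on the sample data surfaces the camera with no owner, the unsupported HVAC controller, the printer talking outside its segment, and the device nobody inventoried.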
Default credentials need to die. Shared accounts need to be dragged into daylight. Firmware needs to be tracked. Unsupported devices need replacement plans. Logging needs to exist. Network behavior needs baselines. Procurement needs security requirements before contracts are signed, not after the device arrives in a cardboard box with a cheerful quick-start guide and a terrifying web portal.
Most importantly, leadership needs to understand that these systems are not side issues. They are not beneath the dignity of cybersecurity. They are part of the environment that keeps the business running. In healthcare, they may support patient care, building safety, physical access, clinical operations, privacy, and emergency response. Pretending they are "not really IT" does not make them safer. It only makes them easier to forget. And forgotten systems are exactly where attackers like to live.
The printer, the badge reader, and the HVAC system did not walk into a breach by accident. They were invited by poor inventory, weak ownership, flat networks, lazy procurement, vendor trust, default passwords, and years of pretending that only laptops and servers matter. That era is over. If it connects, it counts. If it counts, it needs ownership. If it needs ownership, it needs security. And if your organization still thinks the printer is just a printer, then congratulations. You have already found your next blind spot.