The storage capacity and portability of universal serial bus (USB) devices have made them efficient and useful tools for the modern enterprise. Storage devices such as USB sticks, pens or thumb drives are popular ways to store large data files efficiently and easily. For the medical and healthcare communities, which generate patient information and data in different locations, moving medical images, log files and personal information is made easier and more efficient by such storage devices.
With massive storage capacities available, patient X-rays in high definition and patient data can be downloaded onto the USB devices and immediately delivered for review and assessment, boosting productivity and decreasing costs. Physicians can have immediate access to the files they require, rather than dealing with cumbersome network file transfer mechanisms.
However, USB management in healthcare organizations can become a complicated and sensitive endeavor. In June 2013, the Department of Health and Human Services (HHS) released a report castigating Quality Software Services, Inc.’s failure to properly implement Centers for Medicare and Medicaid Services (CMS) security requirements. The Health Information Trust Alliance (HITRUST) reported nearly 500 healthcare breaches that each affected 500 individuals or more between 2009 and 2012. Recent security breaches have shown that information theft and disclosure is a real problem with real costs. Security breaches in the last five years have accounted for billions in lost productivity, increased security measures, loss of reputation, and heavy fines. For healthcare organizations, regulatory compliance must be an ongoing concern, and cyber criminals are becoming more sophisticated and methodical in their attacks.
Healthcare organizations hold highly detailed databases of personal patient information. Accidental or intentional theft or disclosure of this personally identifiable information can be detrimental to the organization and to the patient. When sensitive data is compromised and leaves the “green zone,” the patient’s identity and private information can be stolen and misused, placing the healthcare organization at risk of heavy fines and penalties, criminal and civil charges, and the loss of public trust. Larger healthcare organizations usually have security procedures in place to meet HIPAA requirements, but must extend the security envelope down to the endpoint, where the USB port is. Smaller organizations, which often lack such procedures, need to put them in place now.
A common myth underpinning a false sense of security is the belief that end users can be trusted to follow the company’s best practices and procedures to maintain a secure endpoint environment. This confidence in the end user’s ability to follow through is often misplaced. User types include the clueless employee, who is unaware of the inherent risks of using USB devices; the opportunist, who stumbles across files and data to which they are not privy; the disgruntled employee or soon-to-be-ex-employee, who actively looks for ways to steal, damage or destroy sensitive information; and the professional, who can patiently penetrate a network and masquerade as an insider. The first type is easy to demonstrate: during security audits, spare USB sticks are often left out in the open, and invariably an employee finds a stray stick and plugs it into their computer, compromising the network. Attacks by the last type often remain undetected for months and can result in long-term data exfiltration.
The fallout from the theft and leaking of sensitive CIA, NSA and federal government data by computer specialist and subcontractor Edward Snowden has resulted in a ban on storage device use at certain federal installations. An outright ban in a healthcare organization, however, sacrifices efficiency and productivity, and unless the ban is technically enforced and its enforcement monitored it still leaves a false sense of security.
So how can healthcare organizations protect themselves and meet compliance requirements without compromising the benefits associated with USB storage devices? Here are some helpful tips:
Policy and Education
Company policies and procedures regarding the use of USB storage devices should document what types of devices are permitted and on which systems, what types of files are allowed to be copied to or stored on these devices, and inform users that USB activities are being monitored for compliance.
Track every insert or remove
Employ continuous monitoring. First, log every insertion and removal of any type of device, recording which device it was and who was logged on. Second, block the action and immediately alert IT staff on any attempt to violate policy. Third, log every file copied to a USB device, and retain those records for forensic and reporting purposes.
Disable and alert on unauthorized access
Where a system has no business need for removable media, restrict USB devices to a list of devices known and tracked by IT staff, identified by vendor ID, product ID and serial number rather than by drive letter or label, and disable everything else. Workstations are trickier: you want employees to have the freedom to move work around if they are working in multiple locations and collaborating with others. We suggest leaving USB access open on workstations but monitoring the usage and the files being placed on USB devices, and alerting on any device that is not on the tracked list.
Record activity of permitted access and maintain records for reporting
Schedule reports and actively review all USB activity. Make it part of the security policy that a named person analyzes and investigates any suspicious activity and signs off on the reports, so that review is a recorded step and not an afterthought.
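The four steps above (policy, tracking every insert and remove, alerting on policy violations, and recording activity for reports) can be wired together in a small monitoring rule set. The following is an added example, not EventTracker code or any product's detection logic. It runs over a constructed, pipe-separated USB activity log (hosts, users, vendor/product IDs, serials and file names are all made up), applies a hypothetical policy (an allowlist of tracked devices keyed by VID:PID plus serial, a set of permitted file extensions, and a set of hosts on which removable storage must never appear), raises alerts for violations, and produces the per-user summary and per-device file record that a scheduled report would be built from. A real deployment would replace the parser with one for its actual event source (Windows PnP audit events, endpoint DLP logs and so on) and load the policy from the asset inventory.

```python
"""Added example (not EventTracker code): policy checks over constructed USB activity logs.

Each line of the constructed log has the pipe-separated fields
    timestamp|host|user|action|vid:pid|serial|detail
where action is INSERT, REMOVE or COPY and detail is the file name for COPY.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePath
from typing import Dict, List, Tuple

# Constructed sample data; hosts, users, IDs, serials and file names are made up.
SAMPLE_LOG = """\
2013-07-01T08:02:11|ws-radiology-03|jdoe|INSERT|0781:5567|4C530001230312101337|
2013-07-01T08:03:45|ws-radiology-03|jdoe|COPY|0781:5567|4C530001230312101337|xray_12345.dcm
2013-07-01T08:04:02|ws-radiology-03|jdoe|REMOVE|0781:5567|4C530001230312101337|
2013-07-01T09:15:30|ws-reception-01|tsmith|INSERT|0951:1666|0019E06B0A3CBE612745|
2013-07-01T09:16:01|ws-reception-01|tsmith|COPY|0951:1666|0019E06B0A3CBE612745|patient_export.xlsx
2013-07-01T11:42:17|svr-db-01|svc_backup|INSERT|0781:5567|4C530001230312109999|
"""

# Hypothetical policy values; a real deployment would load these from the
# IT asset inventory and the written USB policy.
ALLOWED_DEVICES = {("0781:5567", "4C530001230312101337")}  # VID:PID plus serial, tracked by IT
ALLOWED_EXTENSIONS = {".dcm", ".pdf"}                       # file types permitted on USB media
LOCKED_HOSTS = {"svr-db-01"}                                 # hosts where removable storage is disabled
VALID_ACTIONS = {"INSERT", "REMOVE", "COPY"}


@dataclass(frozen=True)
class UsbEvent:
    timestamp: str
    host: str
    user: str
    action: str
    device: str   # "vid:pid"
    serial: str
    detail: str   # file name for COPY, empty otherwise


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    event: UsbEvent


def parse_log(text: str) -> List[UsbEvent]:
    """Parse the constructed log format; malformed lines are skipped so one bad line cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 7 or parts[3] not in VALID_ACTIONS:
            continue
        events.append(UsbEvent(*parts))
    return events


def check_event(ev: UsbEvent) -> List[Alert]:
    """Apply the policy rules to one event and return zero or more alerts."""
    alerts = []
    known = (ev.device, ev.serial) in ALLOWED_DEVICES
    if ev.action == "INSERT" and ev.host in LOCKED_HOSTS:
        # Removable storage is supposed to be disabled here: an insert means the control failed or was bypassed.
        alerts.append(Alert("HIGH", "removable-storage-on-locked-host", ev))
    elif ev.action == "INSERT" and not known:
        # Workstations keep USB open, but every device not on the tracked list is flagged for review.
        alerts.append(Alert("MEDIUM", "unknown-device", ev))
    if ev.action == "COPY":
        if PurePath(ev.detail).suffix.lower() not in ALLOWED_EXTENSIONS:
            alerts.append(Alert("HIGH", "disallowed-file-type", ev))
        if not known:
            alerts.append(Alert("MEDIUM", "copy-to-unknown-device", ev))
    return alerts


def evaluate(events: List[UsbEvent]) -> Tuple[List[Alert], Dict[str, Dict[str, int]], Dict[str, List[str]]]:
    """Return alerts, a per-user activity summary for the scheduled report,
    and the per-device record of copied files retained for forensics."""
    alerts: List[Alert] = []
    per_user: Dict[str, Dict[str, int]] = defaultdict(lambda: {a: 0 for a in VALID_ACTIONS})
    files_by_device: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        alerts.extend(check_event(ev))
        per_user[ev.user][ev.action] += 1
        if ev.action == "COPY":
            files_by_device[f"{ev.device}/{ev.serial}"].append(ev.detail)
    return alerts, dict(per_user), dict(files_by_device)


if __name__ == "__main__":
    found, by_user, by_device = evaluate(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.severity:6} {a.rule:34} {a.event.timestamp} {a.event.host} {a.event.user} {a.event.detail}")
    print("activity by user:", by_user)
    print("files copied by device:", by_device)
```

Run against the sample, the rules produce four alerts: the reception workstation sees an untracked device inserted and a spreadsheet copied to it (two alerts for that copy, one for the file type and one for the device), and the database server, where removable storage is supposed to be disabled, reports an insert at all, which is the highest-value signal because it means the technical control did not hold. The radiologist's tracked device and permitted image file generate no alert but still appear in the per-user summary and the per-device file record, which is the point of logging every event rather than only the violations.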
USB storage devices can vastly improve the quality of care healthcare organizations provide to their patients, but they can also place the enterprise at risk of HIPAA violations and other equally expensive catastrophes if compliance is not met. Vigilance is the key to averting potential compliance failures. A well-designed SIEM or SEM system that monitors user activity can help identify suspicious activity when it occurs, and aggregate the data so that IT security awareness is less costly and time consuming.
As the co-founder and CEO of EventTracker, A.N. Ananth was one of the original architects of the EventTracker product, our enterprise log management solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes. He is a leading expert in IT compliance with over 20 years’ experience in IT-control and operations and speaks frequently on these topics.