A new inspector general report criticizing a government contractor's USB drive security practices is an important reminder of why all healthcare organizations need to control the use of mobile storage media and ports.
See Also: Don't Be The Next OPM: Recognizing Risk
"Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled," says the report from the Department of Health and Human Services' Office of Inspector General.
Security weaknesses such as those identified by the OIG are common throughout healthcare and need to be addressed to help protect patient privacy, says independent IT security consultant Tom Walsh.
The OIG report summarizes the findings of an audit last year on the USB security controls put in place by Quality Software Services Inc. of Columbia, Md. QSSI provides testing services to the Centers for Medicare and Medicaid Services.
QSSI had not sufficiently implemented federal requirements for security controls over USB ports and devices, the report states. "Specifically, QSSI had not listed essential system services or ports in its system security plan or disabled, prohibited or restricted the use of unauthorized USB device access. As a result of QSSI's insufficient controls over USB ports and devices, the [personal information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access or theft."
The report recommends the contractor update and implement sufficient policies and procedures to ensure that USB controls comply with federal requirements. That includes prohibiting the use of unauthorized USB devices on its systems that store or process Medicare information; limiting USB port access to essential connections; and disabling, prohibiting or restricting unauthorized USB device access.
Karen Rosenbauer, QSSI's vice president of business operations support, tells HealthcareInfoSecurity: "QSSI is dedicated to the highest standards of information security in our work. We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and have informed CMS of our actions."
Steps to Take
Walsh, the consultant, points out: "All healthcare organizations need to pay closer attention to their policies on USB ports for computer workstations, laptops, and biomedical devices. The USB ports are a source of data leakage," he says, calling for the use of technology that restricts how ports can be used.
Walsh suggests healthcare professionals carefully consider how they use mobile media. "How many USB drives can you find? Do you know, with absolute certainty, what data is stored on every one of those USB drives just by looking at the device? Probably not," he says. "That's the challenge that healthcare organizations face."
Encrypting data that's stored on USB devices is an important step that can prevent a breach if the devices get lost or stolen, he adds.
At Stanford University's various healthcare facilities, the encryption of USB thumb drives soon will become standard, says Bill Lazarus, information services security officer at Lucile Packard Children's Hospital at Stanford.
While Stanford prefers that its employees do not use USB devices, workflow requirements make banning the devices impractical, he says. So, as part of a larger effort to bolster information security in the wake of several healthcare data breaches, Stanford will soon launch an encryption program for USB devices. Lazarus says. Earlier, the organization mandated encryption for mobile computing devices.
Don't Forget Medical Devices
When dealing with USB device security issues, hospitals and clinics need to make sure they address the risks tied to biomedical devices, Walsh stresses. "Many of the newer 'smart' devices also have USB ports where data could be downloaded," he notes.
At the Department of Veterans Affairs, protecting against malware infections of medical devices is top of mind, says Christian Houterman, manager of clinical informatics and medical technology at the Veterans Health Administration.
USB devices, CDs and all other storage media are regularly scanned for computer malware that could infect medical devices, including when the devices are serviced by vendor technicians, he says. That's because service technicians often use USB devices to apply software updates or perform other maintenance of medical devices.
In addition, the VA limits the USB ports that are open on medical devices to only those that are needed to communicate, Houterman says. The VA works with its medical device manufacturers to enforce that policy.
USB Security Tips
Walsh offers several tips for how healthcare organizations can improve their USB security:
- Buy only encrypted USB drives and issue them only to users that have a clear business need. "In some cases, the justification process for obtaining the USB may reveal where data could be leaked and [provide] an opportunity to improve a workflow process so that data could be exchanged more securely," he says.
- Use well-configured, standard workstation images and Microsoft Active Directory Group Policy Objects, or GPOs, to help enforce security policies. "The Windows AD policies can be configured to only allow certain types of USB drives - each drive has an manufacturer's ID that can be read," he says. "For example, workstations can be configured to only recognize USB drives issued by the IT department when they get plugged into the USB port. All other USB memory devices are ignored."
- Use GPOs for workstations to configure them to prevent auto-run of executable programs from the CD drive or USB port. "This would prevent malicious code from automatically executing when a USB device is plugged into a USB port," he says.
- Implement security tools that monitor USB port activity and can encrypt data that is transferred to a USB. "Many of the endpoint security manufacturers offer this type of centralized management," Walsh says. "It also provides an audit trail. Then if the question arises as to what data was stored or transferred onto a USB device, there is a record."