Improving Security for USB Drives

New Government Report Spotlights Weaknesses

By Marianne Kolbasuk McGee, June 21, 2013.

A new inspector general report criticizing a government contractor's USB drive security practices is an important reminder of why all healthcare organizations need to control the use of mobile storage media and ports.


"Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled," says the report from the Department of Health and Human Services' Office of Inspector General.

Among the risks posed by USB devices are the spread of malware and the inappropriate download, storage and removal of data by users, resulting in breaches or possible fraud.

Security weaknesses such as those identified by the OIG are common throughout healthcare and need to be addressed to help protect patient privacy, says independent IT security consultant Tom Walsh.

Report Findings

The OIG report summarizes the findings of an audit last year on the USB security controls put in place by Quality Software Services Inc. of Columbia, Md. QSSI provides testing services to the Centers for Medicare and Medicaid Services.

QSSI had not sufficiently implemented federal requirements for security controls over USB ports and devices, the report states. "Specifically, QSSI had not listed essential system services or ports in its system security plan or disabled, prohibited or restricted the use of unauthorized USB device access. As a result of QSSI's insufficient controls over USB ports and devices, the [personal information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access or theft."

The report recommends the contractor update and implement sufficient policies and procedures to ensure that USB controls comply with federal requirements. That includes prohibiting the use of unauthorized USB devices on its systems that store or process Medicare information; limiting USB port access to essential connections; and disabling, prohibiting or restricting unauthorized USB device access.

Karen Rosenbauer, QSSI's vice president of business operations support, tells HealthcareInfoSecurity: "QSSI is dedicated to the highest standards of information security in our work. We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and have informed CMS of our actions."

Steps to Take

Walsh, the consultant, points out: "All healthcare organizations need to pay closer attention to their policies on USB ports for computer workstations, laptops, and biomedical devices. The USB ports are a source of data leakage," he says, calling for the use of technology that restricts how ports can be used.
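The OIG recommendation quoted above, to prohibit unauthorized USB devices and limit ports to essential connections, is only verifiable if the organization can see what actually gets plugged in. The following is an added example, not code from the article, the OIG report or QSSI: it reads Linux kernel log lines, correlates the device-enumeration message (which carries the vendor and product IDs) with the usb-storage driver's bind message on the same port, and flags any mass-storage device whose ID is not on an allowlist. The allowlist, hostnames and log lines are all constructed for the example; the message formats are those the kernel emits, but the specific IDs do not refer to any real inventory.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist of "vendor:product" IDs the organization has issued.
# Constructed for this example; in practice populate it from the asset inventory.
ALLOWED_DEVICES = {"0781:5581"}

# Syslog prefix "Mon DD HH:MM:SS host kernel:" -> capture the host name.
HOST_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) kernel:")

# Kernel message emitted when any USB device enumerates; the port path
# ("1-1.2") is the key that lets us tie it to the later usb-storage message.
DEVICE_RE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)

# Kernel message emitted when the usb-storage driver binds to an interface
# on that port, i.e. the device exposes a mass-storage (removable disk) interface.
STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class StorageEvent:
    host: str
    port: str
    device_id: str   # "vid:pid", lower-case hex
    authorized: bool


def find_storage_events(lines, allowlist=ALLOWED_DEVICES):
    """Return one StorageEvent per mass-storage attach seen in the log lines.

    Enumeration and driver-bind messages are correlated by (host, port);
    a device that never binds usb-storage (keyboard, mouse) produces no event.
    """
    pending = {}   # (host, port) -> "vid:pid" recorded at enumeration time
    events = []
    for line in lines:
        h = HOST_RE.match(line)
        if not h:
            continue   # not a kernel line from a syslog-style source
        host = h.group("host")
        d = DEVICE_RE.search(line)
        if d:
            pending[(host, d["port"])] = f"{d['vid'].lower()}:{d['pid'].lower()}"
            continue
        s = STORAGE_RE.search(line)
        if s:
            # If the enumeration line was lost, still report the attach rather
            # than silently dropping it; an unknown ID is never authorized.
            device_id = pending.get((host, s["port"]), "unknown:unknown")
            events.append(StorageEvent(host, s["port"], device_id, device_id in allowlist))
    return events


def unauthorized(lines, allowlist=ALLOWED_DEVICES):
    """Only the attaches that violate the allowlist."""
    return [e for e in find_storage_events(lines, allowlist) if not e.authorized]


# Constructed sample log: an approved drive on ws-012, a non-storage device
# (receiver/keyboard) on the same host, and an unapproved drive on ws-019.
SAMPLE_LOG = """\
Jun 21 09:12:03 ws-012 kernel: usb 1-1.2: new high-speed USB device number 4 using xhci_hcd
Jun 21 09:12:03 ws-012 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Jun 21 09:12:03 ws-012 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Jun 21 09:40:17 ws-012 kernel: usb 1-1.4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Jun 21 09:40:17 ws-012 kernel: input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.4/1-1.4:1.0/input/input12
Jun 21 10:05:44 ws-019 kernel: usb 2-1: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
Jun 21 10:05:44 ws-019 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
""".splitlines()


if __name__ == "__main__":
    for e in unauthorized(SAMPLE_LOG):
        print(f"ALERT {e.host} port {e.port}: unapproved mass storage {e.device_id}")
```

On a live host the same lines come from `journalctl -k` or /var/log/kern.log; centralizing them lets the security team see every storage attach across workstations. Detection of this kind complements, and does not replace, the preventive control the report calls for: the same vendor:product allowlist should also drive the endpoint's device-control policy so that an unapproved drive is refused rather than merely logged.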

Walsh suggests healthcare professionals carefully consider how they use mobile media. "How many USB drives can you find? Do you know, with absolute certainty, what data is stored on every one of those USB drives just by looking at the device? Probably not," he says. "That's the challenge that healthcare organizations face."

Encrypting data that's stored on USB devices is an important step that can prevent a breach if the devices get lost or stolen, he adds.

At Stanford University's various healthcare facilities, the encryption of USB thumb drives soon will become standard, says Bill Lazarus, information services security officer at Lucile Packard Children's Hospital at Stanford.

While Stanford prefers that its employees do not use USB devices, workflow requirements make banning the devices impractical, he says. So, as part of a larger effort to bolster information security in the wake of several healthcare data breaches, Stanford will soon launch an encryption program for USB devices, Lazarus says. Earlier, the organization mandated encryption for mobile computing devices.

Don't Forget Medical Devices

When dealing with USB device security issues, hospitals and clinics need to make sure they address the risks tied to biomedical devices, Walsh stresses. "Many of the newer 'smart' devices also have USB ports where data could be downloaded," he notes.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
