Dawn of the USB Drive
Flash drives are ubiquitous in today’s digital society. They are an easy, cost-effective way to transfer large amounts of data from computer to computer. With devices reaching 256GB of storage, users are storing more and more data on these small, handy plastic devices. But what happens when such a device is lost and it contains sensitive information such as Protected Health Information (PHI), Social Security numbers, or confidential financials? How can you protect the data on your USB device from ending up in the wrong hands?
In the past, IT organizations have tried to implement a host of security measures to prevent users from copying confidential information onto USB drives. An IT department would deploy endpoint security software and establish policies and procedures for employee use of removable media, and yet employees would always find a way to copy the data they wanted. While other security breaches are more traceable, such as data leaking through the corporate firewall, a flash drive is very difficult to monitor, especially once the user takes the device outside the corporate network.
There are many approaches to preventing users from utilizing the USB slots on their computers.
- Many security professionals lock down USB ports by putting caulk or glue into the physical USB slot on the computer. This prevents users from plugging anything into it and forces them to transfer files by other means, such as email, which IT departments can monitor more easily.
- Software can also be used to disable the USB ports on the computer.
- Many endpoint security suites include software to disable the front, back, or both USB ports.
Once again, this prevents users from utilizing the USB connections on their computers and forces them to use another method to transfer files.
Unfortunately, physically destroying the USB port or disabling it in software is not a good solution. IT departments know that employees need to use USB flash drives to do their jobs. For example, in a sales organization, employees often need to load PowerPoint slides, which may contain company financials, onto a USB flash drive.
Encryption can be used on flash drives to allow data to be stored on them securely. By encrypting the flash drive, only users who know the key or password to decrypt the drive will be able to access the data. Low-cost software-based encryption technologies can be used to turn any USB flash drive into an encrypted device. Utilities such as BitLocker, which is built into Microsoft Windows 7 Ultimate Edition, or open-source utilities such as TrueCrypt can be used to create secure flash drives.
The encryption works by creating a secure partition on the device. Typically, when the user plugs the drive into another computer, a prompt will pop up asking for the encryption key or password. If the user does not know the unique key or password, the data on the drive will be unreadable. This is especially important in the health care industry, as a lost non-encrypted drive can result in a data breach. This data breach will result in up to a $1.5 million fine per record lost. If the drive was encrypted, the Office for Civil Rights (OCR) or the United States Department of Health and Human Services (HHS) does not need to be alerted.
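As an added example (not part of the original article), the following PowerShell script shows the two checks a practitioner would want around BitLocker To Go: an audit that lists every removable drive the machine does not report as protected, and a function that encrypts a given removable drive with a password and records the recovery password for escrow. It assumes Windows 8/Server 2012 or later (the BitLocker PowerShell module; Windows 7 offers only manage-bde.exe) and an elevated session; the function names are this example's own.

```powershell
# Added example, not from the article: audit removable drives for BitLocker
# protection and enable BitLocker To Go on one with a password protector.
# Assumes the BitLocker module (Windows 8 / Server 2012+) and an admin session.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-UnprotectedRemovableDrive {
    # Returns removable volumes that BitLocker does not report as protected.
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -match '[A-Z]' }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
            [pscustomobject]@{
                MountPoint       = $mount
                Label            = $vol.FileSystemLabel
                SizeGB           = [math]::Round($vol.Size / 1GB, 1)
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'NotSupported' }
            }
        }
    }
}

function Enable-RemovableDriveEncryption {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:'
        [Parameter(Mandatory)][securestring]$Password
    )
    # Refuse to touch anything that is not a removable data volume.
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
    if ($vol.DriveType -ne 'Removable') { throw "$MountPoint is not a removable drive" }

    # The password is what the user types at the unlock prompt on another PC;
    # the recovery password is the escrow copy to store before the drive leaves.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

# Usage: list unprotected removable drives, then encrypt one after a prompt.
Get-UnprotectedRemovableDrive | Format-Table -AutoSize
# $pw = Read-Host -AsSecureString 'Drive password'
# Enable-RemovableDriveEncryption -MountPoint 'E:' -Password $pw
```

Record the returned recovery password in your key escrow before the drive is issued; without it a forgotten password makes the data as unreadable to you as to a thief.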
“For low-cost drives that do not contain their own encryption engines, a strong software-based encryption solution is fine and can meet even the lower-end government certifications,” says John Girard, a Gartner analyst. “The best practice is to never write data to external media that was not encrypted in the first place.” (Source: CIO)
An example of a lost USB drive can be seen here. An unencrypted USB drive ended up costing Adult & Pediatric Dermatology (known as APDerm) $150k after a thumb drive containing the PHI of approximately 2,200 people was stolen from the vehicle of one of its workforce members.
Ultimately, use common sense. If the data being stored or transferred on a flash drive is sensitive, evaluate whether it should even be stored on the drive. If it must be, take preventative measures and encrypt the drive to prevent any data breaches. Using low-cost encryption methods can save your organization time and money, especially when HIPAA-related fines can reach upwards of $1.5 million per breach.