Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system.
Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results, in hand, in a USB key that they plug into their computer.
This, of course, is a considerable risk. HIPAA regulations require that institutions protect PHI in specific ways with straightforward controls, and many threats can undermine physical media.
So, what’s the issue with using USB thumb drives?
What’s Wrong with Using USBs to Transmit PHI?
The job of regulated organizations in healthcare is to secure PHI against an unauthorized breach. This is true for any context in which data is found–in transit between computers, stored in a server, and carried in removable media.
What’s important to understand is how PHI is threatened by passing a USB drive around:
- Potential Data Loss: So, USB keys aren’t secured more often than not. Following that, it’s clear that there are several ways in which data can be lost by using a USB drive. Drives can be lost, copied or erased quite easily, especially if precautions aren’t taken to monitor the devices as it is passed between users or organizations.
- Potential Data Breach: more insidiously, a hacker may, if given access to a USB with medical data, opt to copy the data and leave it unaltered. Instead, they will put malicious software or ransomware onto the USB so that it infects the entire system when placed into a (potentially unprepared) workstation.
- Breaking Compliance: Compliance around PHI is strict and encompasses more than just technical security. There are requirements regarding auditing and documenting data that, while somewhat reliable in electronic transmissions or data platforms, aren’t necessarily geared to create audit trails for drives physically passed between doctors.
With these problems appearing, healthcare organizations that use physical media to exchange information must understand how regulations apply to such practices. They can turn to critical documents like HIPAA and NIST Special Publication 800-66 to understand that, while it’s possible to use USB drives for PHI, it takes significant planning and effort.
What Do HIPAA and NIST Say About Physical Media?
It’s important to note that HIPAA, the regulations that govern data protection and technology in healthcare, are relatively vague. Not in their directives, necessarily, but in their implementation. This is by design; leaving their requirements broad allows them to stay relevant without calling for updates every time a new technology, encryption method or security threat enters the market.
NIST 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” provides updated guidance on implementing HIPAA security requirements. This document links the guidelines stated in HIPAA law with NIST security rules to help with specific implementations.
However, these documents still have different aspects that impact physical media security.
HIPAA and Removable Media
- Data Must Be Encrypted: PHI, no matter if it’s on a computer, in transit over an Internet connection or stored in removable media, must be encrypted in a manner that renders the data unreadable to unauthorized readers. Furthermore, this encryption must maintain a feasible level of resistance, using modern algorithms that aren’t compromised by encryption-breaking attacks.
- IAM Security Must protect Data: Data on a USB, much like data on a laptop or tablet, must lie behind authentication and authorization controls. Someone shouldn’t be able to pick the device up and open it–they should be prompted to provide some identity verification credentials. It’s important to note that this is not the default behavior of most USB devices and requires special software or hardware.
- Devices Must Be Logged: HIPAA requires that PHI must be logged, with an audit trail of any attempts to access that data, modifications to that data, and any potential location where that data could have faced compromise. In the case of USB drives, this would require something like handwritten or manually-typed logs of ownership, device ID registration, and other controls.
- Workstations and Servers Must Be Protected: The challenge of securing PHI in a USB isn’t limited to the device itself, but also to the device from which the user accesses that data. If workstations, servers or laptops used to access the data on the USB aren’t secured according to HIPAA rules, then the organization is clearly out of compliance.
This isn’t just to protect PHI on the device. Insecure workstations without the proper isolation, antivirus or scanning tools could allow the introduction of a potentially debilitating ransomware attack against the system. If not ransomware, the USB could also house some form of malware that implements some sort of Advanced Persistent Threat (APT) that silently compromises all connected systems, collecting data for weeks, months or even years.
NIST 800-66 and Removable Media
Due to its specificity, NIST 800-66 can offer us a more specific understanding of the pitfalls of using a USB stick to share PHI:
- Physically Protecting Devices: HIPAA includes requirements for physically securing data-containing systems, including door locks, guest logs, security cameras and physical device locks. This applies to USB sticks as well. A secured device compliant with HIPAA standards will not just allow the user to plug any media into it without some sort of security, including locks on computer ports.
- Encryption: Data must be encrypted. NIST 800-66 provides more specific guidelines for this, pointing specifically to NIST SP 800-53 for reference. Generally speaking, if you’re using encryption that matches AES-128 or AES-256 (for data at rest) will remain compliant for the time being.
- Data Backups: HIPAA requires organizations to provide specific, secure backups of PHI to promote usability and accessibility. If, for example, modifications to data on a USB drive fundamentally change that information, then the organization cannot ignore the fact that there must be a way to back that up. This is a real problem, considering that this would call for manual copying, storing and auditing.
- Data Destruction: PHI that is no longer used must be destroyed, with physical media like a hard drive (or USB drive) either zeroed out to destroy the information or physically destroyed. Passing around a USB stick doesn’t absolve compliant organizations of this duty.
To USB or Not to USB with PHI
The short answer is that it’s really not advisable to use USB memory to share information when managing PHI and HIPAA compliance.
However, let’s be clear that this is strictly from a compliance perspective. We also understand that emergencies happen. In many cases, most compliance breaches come from accidental exposure when doctors or other professionals share information to provide life-saving care. While this isn’t ideal, it’s understandable and sometimes unavoidable (someone’s life is not worth maintaining compliance, and there are literal exceptions to HIPAA to this effect).
However, this isn’t an excuse to pretend the rules don’t exist to make it simpler to pass around x-ray scans. Regulations are there for a reason–to protect critical PHI. If you’re going to use physical media to share PHI, you must maintain security.
Tightening Up Your HIPAA Security?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.