OMG USB! Physical Media and Protecting PHI

Holistic HIPAA compliance management by Lazarus Alliance  

Imagine this scenario: you’ve received the results of a medical procedure, and those results need to move between institutions because you see doctors in different departments of a healthcare system. 

Normally, we’d expect these institutions to transmit the results electronically over some secure channel… but instead you see that your doctor has your results in hand, on a USB key that they plug into their computer. 

This, of course, is a considerable risk. HIPAA regulations require institutions to protect PHI in specific ways with straightforward controls, and physical media is exposed to many threats that can undermine those controls. 

So, what’s the issue with using USB thumb drives? 


What’s Wrong with Using USBs to Transmit PHI?

The job of regulated organizations in healthcare is to secure PHI against unauthorized breach. This is true in any context where the data is found: in transit between computers, stored on a server, or carried on removable media. 

What’s important to understand is how PHI is threatened by passing a USB drive around:

  • Potential Data Loss: More often than not, USB keys are not secured at all. It follows that there are several ways data can be lost by using a USB drive. Drives can be lost, copied or erased quite easily, especially if no precautions are taken to monitor the device as it is passed between users or organizations. 
  • Potential Data Breach: More insidiously, a hacker who gains access to a USB holding medical data may not simply copy the data and leave it unaltered. Instead, they may plant malicious software or ransomware on the USB so that it infects the entire system when it is plugged into a (potentially unprepared) workstation.
  • Breaking Compliance: Compliance around PHI is strict and encompasses more than just technical security. There are requirements for auditing and documenting data that, while reasonably reliable for electronic transmissions or data platforms, are not geared toward creating audit trails for drives physically passed between doctors.

Given these problems, healthcare organizations that use physical media to exchange information must understand how the regulations apply to such practices. They can turn to key documents like HIPAA and NIST Special Publication 800-66 to learn that, while it is possible to use USB drives for PHI, doing so takes significant planning and effort. 


What Do HIPAA and NIST Say About Physical Media?


It’s important to note that HIPAA, the set of regulations that governs data protection and technology in healthcare, is relatively vague: not necessarily in its directives, but in how they are to be implemented. This is by design; keeping the requirements broad allows them to stay relevant without calling for updates every time a new technology, encryption method or security threat enters the market. 

NIST 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” provides updated guidance on implementing HIPAA security requirements. This document links the guidelines stated in HIPAA law with NIST security rules to help with specific implementations. 

Still, each of these documents addresses physical media security from a different angle.

HIPAA and Removable Media

  • Data Must Be Encrypted: PHI, whether it sits on a computer, travels over an Internet connection or is stored on removable media, must be encrypted in a manner that renders the data unreadable to unauthorized readers. Furthermore, this encryption must remain practically resistant to attack, using modern algorithms that have not been broken.
  • IAM Security Must Protect Data: Data on a USB, much like data on a laptop or tablet, must sit behind authentication and authorization controls. Someone shouldn’t be able to pick the device up and open it; they should be prompted to provide identity verification credentials. It’s important to note that this is not the default behavior of most USB devices and requires special software or hardware. 
  • Devices Must Be Logged: HIPAA requires that access to PHI be logged, with an audit trail of any attempts to access that data, modifications to that data, and any location where that data could have been compromised. For USB drives, this would require something like handwritten or manually typed logs of ownership, device ID registration, and other controls. 
  • Workstations and Servers Must Be Protected: The challenge of securing PHI on a USB isn’t limited to the device itself; it extends to the machine from which the user accesses that data. If the workstations, servers or laptops used to access the data on the USB aren’t secured according to HIPAA rules, then the organization is clearly out of compliance. 

This isn’t just about protecting the PHI on the device. Insecure workstations without proper isolation, antivirus or scanning tools could allow the introduction of a debilitating ransomware attack against the system. If not ransomware, the USB could also carry malware that establishes an Advanced Persistent Threat (APT), silently compromising all connected systems and collecting data for weeks, months or even years. 
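As an added illustration of the device registration and audit-trail requirement described above (example code, not from this article or from Lazarus Alliance): a small pure-Python custody log that registers drives by a hypothetical serial number, records every hand-off and access against the registered custodian, refuses and logs attempts involving unregistered devices, and hash-chains the entries so that later tampering with the log is detectable. Serials, department names and workstation IDs are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value carried by the first entry


class CustodyLog:
    """Device registry plus a hash-chained log of every hand-off and access."""
    def __init__(self):
        self.devices = {}   # serial -> current custodian
        self.entries = []   # each entry stores the hash of the previous one

    @staticmethod
    def _digest(entry):  # canonical JSON of every field except the hash itself
        body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _append(self, event, serial, actor, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "time": datetime.now(timezone.utc).isoformat(),
                 "event": event, "serial": serial, "actor": actor, "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def _check(self, serial, actor):
        # Unknown serial or wrong custodian: record the refusal first, then refuse.
        if self.devices.get(serial) != actor:
            self._append("refused", serial, actor, "unregistered device or not current custodian")
            raise ValueError(f"{actor} is not the registered custodian of {serial}")

    def register(self, serial, custodian):
        self.devices[serial] = custodian
        return self._append("register", serial, custodian)

    def transfer(self, serial, from_actor, to_actor):
        self._check(serial, from_actor)
        self.devices[serial] = to_actor
        return self._append("transfer", serial, from_actor, f"to {to_actor}")

    def access(self, serial, actor, workstation):
        self._check(serial, actor)
        return self._append("access", serial, actor, f"on {workstation}")

    def verify(self):
        prev = GENESIS  # walk the chain; any edited or reordered entry breaks it
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In practice the entries would be written to append-only storage outside the workstation, since a chain that lives only in memory on the same machine can be rewritten along with its hashes.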

NIST 800-66 and Removable Media

Because it is more specific, NIST 800-66 gives us a clearer picture of the pitfalls of using a USB stick to share PHI:

  • Physically Protecting Devices: HIPAA includes requirements for physically securing systems that contain data, including door locks, guest logs, security cameras and physical device locks. This applies to USB sticks as well. A secured, HIPAA-compliant workstation should not allow a user to plug in arbitrary media without some form of control, including locks on computer ports.  
  • Encryption: Data must be encrypted. NIST 800-66 provides more specific guidelines for this, pointing to NIST SP 800-53 for reference. Generally speaking, encryption that matches AES-128 or AES-256 for data at rest will remain compliant for the time being. 
  • Data Backups: HIPAA requires organizations to keep specific, secure backups of PHI to preserve usability and accessibility. If, for example, modifications made to data on a USB drive fundamentally change that information, the organization must still have a way to back it up. This is a real problem, since it would call for manual copying, storing and auditing. 
  • Data Destruction: PHI that is no longer used must be destroyed, with physical media like a hard drive (or USB drive) either zeroed out to destroy the information or physically destroyed. Passing around a USB stick doesn’t absolve compliant organizations of this duty.


To USB or Not to USB with PHI

The short answer is that it’s really not advisable to use USB memory to share information when managing PHI and HIPAA compliance.

However, let’s be clear that this is strictly from a compliance perspective. We also understand that emergencies happen. Many compliance breaches come from accidental exposure when doctors or other professionals share information to provide life-saving care. While this isn’t ideal, it’s understandable and sometimes unavoidable (maintaining compliance is not worth someone’s life, and HIPAA contains explicit exceptions to this effect). 

However, this isn’t an excuse to pretend the rules don’t exist just to make it simpler to pass around x-ray scans. Regulations are there for a reason: to protect critical PHI. If you’re going to use physical media to share PHI, you must maintain security. 


Tightening Up Your HIPAA Security?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
