USB drives are trouble

Useful, powerful, small, cheap, and very easy to use. More things in life should be like USB drives, also known as flash drives, memory sticks, thumb drives, or USB keys. Since they were introduced in 2001 their increase in storage capacity has only been matched by their decrease in price. Fun fact: When first introduced, a 128-megabyte flash drive cost about $30. Now you can get 512 gigabytes for that price, and they’ve become devices most people can’t live without. Like all power tools, though, they must be treated with care and can cause a lot of damage if misused.

The obvious risk, and one that cost a dermatology practice $150,000, is putting ePHI on a drive then losing it. If you must put ePHI on a USB drive, the best way is to use an encrypted USB drive, one that automatically encrypts the whole drive. Ironkey and Integral are two good options. If you can’t or won’t use an encrypted drive, document the “why” and the “how” for using the USB drive and how you will secure the data: by deleting it the moment you’re done, and always keeping it in the same, secure place. That way, if it is lost, you can say that the lost drive contained no data.

A less obvious risk stems from the fact that USB drives are so ubiquitous, no one pays any attention to them. This fact can be used by hackers to “hide in plain sight”. A USB drive will be left in a public place, waiting to be picked up and plugged into a computer – at which point the malware hidden on the USB goes to work. This bait is probably how the Iranian nuclear program was attacked with the Stuxnet virus in 2010. At least one US Department of Energy National Lab will leave USBs around its campus, waiting to be found. When someone picks it up and plugs it in to a work computer, the USB alerts the security department and the person is immediately fired. And many have said that NSA computers have their USB ports sealed with glue to prevent this.

It’s not likely that you’ll be deliberately targeted by elite hackers, and you’d probably never notice if you were. It’s the less-than-elite hackers that are more of a problem, who are out to wreak havoc or to use your computers to attack some other target. While you don’t need to look for glue, your IT staff can block USB drives from being used at all, if you don’t need them. And whatever you do, don’t pick up a USB drive that’s “just lying around”. You may get more than disk space.


Feisal Nanji

A seasoned C-Level Technology Risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14 Hospital system with over $5 Billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he lead a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.