Removable Devices Threaten Storage Compliance

HIPAA compliance can be threatened by anyone with an easy-to-conceal thumb drive. One hospital found a solution to the problem.
Posted November 29, 2005

Drew Robb

Drew Robb

The Health Insurance Portability and Accountability Act (HIPAA) is designed to improve efficiency in healthcare though the standardization of electronic data interchange, as well as to provide measures to make sure that patient data is kept secure. A major threat to HIPAA compliance is posed by the fact that anyone can walk away with up to 4GB of data on an easy-to-conceal thumb drive.

At Ellis Hospital in Schenectady, N.Y., for example, doctors, nurses and other hospital personnel use hand-held USB devices to record patient information or transfer it to various parts of the hospital. The IT department realized this could lead to some potential security issues.

"We frown upon the use of USB drives as a means of transferring data within the hospital, though some use them at certain times," says Mark McGill, a network engineer at Ellis, a 380-bed private hospital serving ER, oncology, cardiac, geriatrics and other needs.

Radiologists, for example, are on call and sometimes have to work from home. Some patient charts are just too large to e-mail, so it is more convenient to bring them home on a thumb drive or CD. But where do you draw the line on such usage, and more importantly how do you control it and prove HIPAA compliance?

Doctors or technicians, say, could be logged on to a system and be interrupted by an emergency. They may leave their desks without logging out. All it takes, then, is someone within the facility to slip a USB drive in and record confidential information. Even if such a scenario never actually happens, hospitals have to be able to prove that it didn't. The question is how?

This problem is compounded by the fact that doctors are notoriously opposed to heavy-handed security. They want nothing standing between them and rapid access to patient data. So a blanket lockdown on thumb drives and CDs could result in a backlash from physicians.

Ellis Hospital solved the dilemma by purchasing Sanctuary Device Control from SecureWave. This tool denies user access by default to hardware such as memory sticks, scanners, MP3 players, iPods, digital cameras, PDAs, and CD and DVD drives. It's up to IT to authorize only those staffers who really need to service patients. No one can plug into the network without approval. Sanctuary also provides a complete audit of what has been downloaded to where, and records every attempt to use unauthorized devices.

"You have to be able to give doctors access to thumb drives under specific circumstances, but at the same time you must protect patient information from unauthorized view," says McGill.

At Ellis Hospital, this means that only certain file extensions can be transferred and only for specific users and workstations. Thus, even at authorized workstations and kiosks in public places, unauthorized persons have several hurdles to overcome — they would have to log onto the system, have an authorized device and have approval to download specified file extensions. In effect, they are shut out.

McGill selected SecureWave because it was the only product with the granularity he needed.

"Other products seemed all or nothing — you could grant all users access or none at all," he says. "With our system, we can allow access to certain devices and specify read and write access rights to specific files, applications and workstations."

Sanctuary Device Control is installed on a dedicated Windows 2003 Server. Software clients were pushed out to about 1,000 machines at Ellis Hospital. The server stays on top of updates automatically. All 110 onsite servers (95% Windows, with a smattering of Novel, AIX, Linux and HP Tru64) in the facility are kept in a secure space so they don't have the client running on them. Anything downloaded (or attempted) from a server is recorded at the client level — the hospital is almost all Windows at the desktop level. The cost of the software works out to about $45 per seat.

McGill tells the story of a new microscope that a doctor plugged in. Doctors needed the images from the scope, but the central server denied access. The doctor had to have IT add it to the database of recognized devices. According to McGill, this took two minutes to accomplish.

Sanctuary Device Control can also be configured to only allow device use during specific dates, times and other granular parameters.

"Through the implementation of SecureWave Sanctuary Device Control, the IT department at our facility is able to regulate the use of devices and give firm evidence of HIPAA compliance," says McGill.

This article was first published on

Comment and Contribute


(Maximum characters: 1200). You have characters left.