Computerworld - Baptist Memorial Health Care Corp. in Memphis recently found itself dealing with a proliferation of user-owned plug-and-play USB port drives that posed a security risk to sensitive patient data.
Lenny Goodman, IS director for desktop management at the health care company, said users found it difficult to copy significant amounts of data to floppy disks, and the company "did not allow CD writers."
So users turned to "the USB flash drive, with enormous capacity and zero installation," Goodman said earlier this month. "Very handy, very risky—both as a way for data to leave and a way for malware to arrive. We had to do something."
The result: Baptist Memorial created strict policies around the use of flash memory sticks, iPod music players and other portable storage devices by standardizing on USB memory sticks that have native encryption and password protection.
The Health Insurance Portability and Accountability Act "mandates that all health care organizations develop a methodology to account for all removable media," Goodman said.
But with more than 42 million of Apple Computer Inc.'s iPods sold so far in the U.S. alone, the threat of data theft or loss from downloading information on a USB port device is growing exponentially, according to analysts. Apple officials declined to say whether they plan to improve iPod security.
"An iPod is just storage at the end of a wire," said John Webster, an analyst at Data Mobility Group LLC in Nashua, N.H. "You already see people using [iPods] as backup devices. USB storage devices are a potential source of data leakage."
Such concerns from corporate IT managers about corporate data loss have prompted vendors to develop products that can secure flash memory devices. For example, Kingston Technology Co. earlier this month released a USB flash drive that secures data using password protection and 128-bit hardware-based AES encryption.
Kingston's DataTraveler Elite Privacy Edition device offers up to 4GB of secure storage and has a mechanism that locks out potential users after 25 consecutive failed password attempts.
Recognizing the Risk
Baptist Memorial, which operates 20 hospitals and a network of outpatient and ambulatory surgery facilities, clinics and other health care facilities, uses the 1GB version of Kingston's USB drive.
Goodman said that the health care company has also deployed a USB port-monitoring and policy enforcement application from Philadelphia-based Safend Inc.
"We feel we are ahead of our industry in general in recognizing the extreme exposure of ultrasmall, ultracapacity plug-and-play USB devices," Goodman said.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
