Condemning the USB in Healthcare Space: The Cure
When computer specialist and subcontractor Edward Snowden leaked extensive sensitive CIA, NSA and federal government data, one consequence followed: storage devices were banned at most federal facilities and installations. That worked out well for very large entities, which had the technical and financial resources to give up USB storage devices, but small and medium-sized organizations would end up sacrificing efficiency and productivity.
For medical and healthcare entities, which produce patient data in various locations, such storage devices make moving medical images, log files and personal information easier and more effective. Forbidding USB might lead to a lack of coordination and improvement, or is that just an excuse for healthcare organizations to stay complacent?
Cybersecurity breaches in healthcare organizations occur because of phishing, malware, ransomware or a combination of these threats. Healthcare organizations hold extensive databases of Personally Identifiable Information (PII) or Personal Health Information (PHI), assets that hospitals must safeguard at any cost. Intentional attacks or even accidental disclosure of sensitive information can have severe impacts on the patient, and the organization can face anything from heavy penalties to, in extreme cases, criminal and civil charges.
Organizations commonly fall prey to following procedures and practices that give rise to a perilous endpoint environment. They end up placing considerable trust in end users, which obscures how much ability and control those users have. User types vary, from the ‘uninformed employee’ who ends up using a stray USB device, the ‘timeserving individual’ who creeps into secluded drives and the ‘disappointed employee’, to the ‘professional’ who can sneak in and decide the fates of individuals and organizations. Regardless of the user type, the major cause of in-house attacks is USB devices, because of a critical vulnerability in their design that lets hackers and cybercriminals hijack a user’s Internet traffic, install additional malware and even covertly gain control of a user’s keyboard and mouse. But because practitioners can avoid awkward network file transfers and get work done faster, USB devices remain an efficient tool for boosting productivity and reducing costs.
By adopting certain practices that can protect and conform to compliance requirements, healthcare organizations can reap the benefits of USB storage devices without compromising their security.
Company Policy and Education
The foundation of security is a well-defined policy through which security measures can be implemented, one that also mirrors the organization’s goals and the measures needed to keep those goals primary. Poorly defined policies can lead to misinterpretation and leave the organization vulnerable to security misconfiguration and failure.
With respect to USB storage devices, policies should document the types of devices permitted, the nature of the files that can be downloaded or stored on the device, and the monitoring of USB activities, with users informed of all this under the authority of compliance policies.
IT organizations need to make the case for education in the form of information security training. IT and help-desk staff should be trained in the fundamentals of security, since they are the most likely to come across system misconfigurations, signs of malware infection and evidence of attacks. Non-IT staff such as nurses and physicians should also be trained well enough to avoid common mistakes and detect attacks, contributing to the overall security of the organization.
Monitoring and Tracking
A strong security structure demands constant observation in order to recognize weaknesses, possible attacks in progress, or successful attacks, and to eradicate such occurrences quickly. The facility must have robust logging, monitoring, and response procedures in place and exercised.
Every insertion and removal of any type of device in the system and network should be logged promptly. Alert the IT staff if anyone is found violating company policy, and disable that person’s access to the system. A log of the files copied to devices, kept at all times, would be very beneficial for reporting and forensic purposes.
Surveillance on unauthorized access
Disable access to all unknown devices and restrict access to a list of devices that are known and tracked by the IT staff. On workstations the organization might not be able to be very stringent, since employees need the freedom to move around if they work across multiple locations, interacting and collaborating with the rest of the staff. To tackle this problem, the organization can leave USB access open for such individuals but keep them under surveillance by monitoring their usage and file transactions on USB devices. Make analyzing and investigating any suspicious activity a mandatory part of the security policy, and under the same policy schedule and sign off on reports by actively reviewing all USB activity.
Systems, devices and network infrastructure within the organization must be hardened and configured to the most secure state. Enterprises need to revisit their configuration, including policies and endpoints, to preserve and assure the security of the whole system.
Data aggregation and a stable SIEM or SEM system that monitors suspicious user activity can also help increase the quality of care that healthcare organizations provide to their patients without compromising the efficiency of USB devices.
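The insertion/removal logging described under Monitoring and Tracking and the known-device list described above can be combined into one audit pass. The following is an added example, not part of the original article: it assumes Linux kernel-style USB log messages, and the hostname, device identifiers, allowlist and function name are all constructed for illustration.

```python
import re

# Constructed sample lines in the style of Linux kernel USB messages (not from a real host).
SAMPLE_LOG = """\
Mar 03 09:14:02 ward3-ws kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Mar 03 09:14:02 ward3-ws kernel: usb 1-2: SerialNumber: EXAMPLE0001
Mar 03 09:20:45 ward3-ws kernel: usb 1-2: USB disconnect, device number 4
Mar 03 11:02:10 ward3-ws kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 2.00
Mar 03 11:02:10 ward3-ws kernel: usb 1-3: SerialNumber: EXAMPLE9999
Mar 03 11:30:00 ward3-ws kernel: usb 1-3: USB disconnect, device number 5
Mar 03 12:00:00 ward3-ws kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
"""

# Hypothetical allowlist kept by IT: (vendor id, product id, serial number).
ALLOWED = {("0781", "5581", "EXAMPLE0001")}

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) kernel: "
                  r"usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")

def audit_usb(log_text, allowed):
    """Return (sessions, alerts): every insertion with its removal time,
    and the subset of sessions whose device is not on the allowlist."""
    sessions, open_ports = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a USB kernel message
        key, msg = (m["host"], m["port"]), m["msg"]
        found = FOUND.search(msg)
        if found:  # insertion: open a session for this host/port
            dev = {"host": m["host"], "inserted": m["ts"], "removed": None,
                   "vid": found[1].lower(), "pid": found[2].lower(), "serial": None}
            open_ports[key] = dev
            sessions.append(dev)
        elif key in open_ports and msg.startswith("SerialNumber:"):
            open_ports[key]["serial"] = msg.split(":", 1)[1].strip()
        elif key in open_ports and msg.startswith("USB disconnect"):
            open_ports.pop(key)["removed"] = m["ts"]  # removal closes the session
    # A device that reports no serial can never match an entry, so it is flagged (fail closed).
    alerts = [d for d in sessions if (d["vid"], d["pid"], d["serial"]) not in allowed]
    return sessions, alerts
```

On the constructed log, the session list records all three insertions, and the alert list holds the unknown device on port 1-3 and the device on port 1-4 that reported no serial number and is still attached.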