Part 14: USB Port Security 2015

Transcription

1 Part 14: USB Port Security This article is part of an information series provided by the American Institute of Healthcare Compliance in response to questions we receive related to Meaningful Use and CEHRT (Certified Electronic Health Record Technology). This information is not intended as consulting or legal advice, but posted in an effort to provide direction to those interested in learning more about Electronic Health Record mandates and the stages of Meaningful Use. Abbreviations used below applicable to this measure are: EHR" = Electronic Health Record; EP = Eligible Professional; EH = Eligible Hospital. USB Port Security Security is at risk regardless of who you are or where you are located. Case-in-point is Edward Snowden, a trusted contractor at one of the most untrusting, secure, government agencies in the world, the National Security Agency (NSA). All it took was going to work, on multiple occasions, with a simple universal serial bus (USB) flash drive in his pocket, plug it into his workstation, and download tens of thousands of classified documents. He then unplugged the drive, put it back into his pocket, walked past security, and left with all that data. If this can happen to the NSA, it can happen to your organization. Luckily, there are ways to protect your computers and your network. A Rose is a Rose, but is it always? USB drives go by many names: USB storage device, flash drive, keychain drive, portable electronic media, or thumb drive. Drug stores and supermarkets sell 32 GB USB drives for about $11 that can easily hold over 600,000 Word document pages. But these are not the only portable drives to worry about. Almost everyone who comes through your door has a smart phone that is designed to connect to computers by way of a USB port. Even if the intent of plugging in a phone is only to charge the battery, viruses can still be unknowingly uploaded to the computer. Anything that your users can access on your network, database, or EMR system can be copied to a USB storage device and taken off-site. That device can then be lost, stolen, sold for profit, or used for commercial blackmail. All of the policies and procedures in the world will not stop a disgruntled employee or criminal from sneaking in a USB drive, plugging it in, and downloading your entire patient database. The National Institute of Standards and Technology (NIST) permits employees to use USB drives and removable media at work, but the NIST meticulously manages these devices, prohibiting the use of personally owned devices. A non-profit 501(c)(3) training organization Page 1

2 More bad news: USB drives can also contain software that can be uploaded to your system. If a patient is alone in an exam room with one of your laptops or workstations, that patient can steal PHI (protected health information), download viruses and malware, and take control of the computer and your entire network. And you might never know about it until it is too late. One tactic that hackers have used involves dropping infected USB drives in the employee parking lots of companies that they wish to infiltrate. Curious employees pick up the drives and plug them into their company workstations, unleashing unauthorized mayhem and destruction. Advice: If you pick up free promotional flash drives that are given away at tradeshows, have your IT department or anti-malware software scan it before you use it. HIPAA & Risk Analysis While nothing in the Health Insurance Portability and Accountability Act (HIPAA) Security Standards specifically mentions USB port security, components of all three safeguards address the protections that should be taken to control unsecured ports. Administrative Safeguards Related administrative safeguards (45 CFR ) would include a risk analysis that considers unsecured ports, controlling workforce access to electronic personal health information (ephi), and training the workforce on security issues involved with external drives and ports. Physical Safeguards Facility Access Controls ( (a)(1))60 HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. o The computer system and the ephi on the system must be protected from unauthorized access, which includes access to unprotected USB ports. Policies should also be established that govern the addition or use of electronic media that contains ephi. Technical Safeguards Access Control ( (a)(1)) HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. o Determine the access control capability of all information systems with ephi. A USB port is a vulnerable point that requires controlled access. A non-profit 501(c)(3) training organization Page 2

3 In the event of a breach, even if the government determines that your organization was unaware of the threat and the breach was not due to willful neglect, hefty monetary penalties can be imposed, and confidence in your organization will be jeopardized by the public relations embarrassment. Add to that, the time and money required to notify individuals of a breach, and to provide them with identity theft protection. Considerable effort will also be required to determine the extent of a breach and to wipe every infected computer of hidden malware. So what can be done? Beyond privacy and security policies and staff education, hardware and software options can help protect your systems from unauthorized access. The author and publisher do not endorse these systems and cannot guarantee anything, and the ultimate decision for which system or software to use should be made by your IT department, contractor, or computer expert. Most front USB ports are connected to the main motherboard via an internal cable; these cables can be unplugged from the motherboard. Most rear USB ports are hard wired and cannot be unplugged. The cheapest and easiest solution is to fill the USB ports with permanent glue, if you know you will never need access to those ports. The physical lock options featured at will not only block USB ports, but also access to the CD/DVD drive and other ports. The device is a keyed lock that is glued to the computer, with a hinged section that is locked over the drive or port. This solution would be better for smaller offices with just a few computers to protect, but would get cumbersome and expensive to install in larger offices with many computers. Microsoft provides ways for administrators to (1) prevent installation of all devices, (2) allow users to install only authorized devices, (3) prevent installation of only prohibited devices, and (4) control the use of removable media storage devices. This can be done for individual computers or on a network level for multiple computers, but the process is quite technical and best left to information technology (IT) professionals and network administrators. Take a look at this Step-By-Step Guide to Controlling Device Installation Using Group Policy if you believe you can perform this on your own: or Click Here Even IT professionals prefer to use after-market software because of the ease of use and flexible controls. USB ports can also be disabled via the system register by editing certain registry keys. A non-profit 501(c)(3) training organization Page 3

4 To disable usb storage devices: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DWORD start value=4 To enable usb storage devices: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DWORD start value=3 USB ports can also be disabled in the windows Device Manager. Normal users without Administrator rights would not be able to re-enable these devices. The following are just three of the many available software options. On the low end of the cost and power scale is a product called MyUSBOnly that focuses on USB control and monitoring. At the high end are products that may already be a part of your existing security and antivirus software or available as an added option. McAfee Device Control claims to prevent unauthorized use of removable media, including USB drives, MP3 players, CD s, DVD s, and Bluetooth devices. McAfee enables administrators to monitor and regulate use, and to generate audit reports for compliance. Kaspersky Endpoint Security 8 for Windows provides similar solutions. Everything from smart phone to printer connections can be disabled or controlled. If there is a device that a trusted user must be allowed to use on all devices at all times, the admin can make this device a trusted device, or a specific user can be designated as a trusted user. For example, a physician brings in research materials on a device that was downloaded at home, but wants the freedom to upload and use the information at the office. Any trusted devices should be scanned for viruses and malware after every download. Remember, a trusted device is only trustworthy under the control of a trusted user following proper security procedures. Another option is not to stop use of USB, but control what can be put on the USB. There is software that will encrypt data when copied, and a key must be requested by the employee from management to unencrypt the USB drive. Other software monitors the files on the machine and keeps a log or even alerts when specific types of files are copied to the drive. The internet has been the most common route for hackers to infiltrate computers or networks, but firewalls, anti-virus programs, filters, encryption, and increased awareness have made it tougher for the average hacker to breach systems. Unprotected USB ports offer an easy way in. Today it seems the question is not if you will be hacked, but when and how you will be hacked. Be aware of all the opportunities for access when updating your facility s Risk Assessment. Most of our employees and patients are great, amazing people, and we hope that everyone who comes into our facilities is trustworthy, but hope is not a strategy authorized by the Security Rule. Useful links A non-profit 501(c)(3) training organization Page 4

5 Kowalczyk_usability-security_ISPAB.pdf 24/fissea-2015-willis-ford.pdf A non-profit 501(c)(3) training organization Page 5