The following policy change is recommended for all medical practices.
USB memory sticks should not be used on any network that stores protected health information. Researchers revealed at the 2014 Black Hat conference that they had identified a security flaw in the USB technology itself that could result in your PHI being exposed. The threat has been dubbed BadUSB.
Most security experts already discourage the use of USB memory sticks (also known as thumb drives or flash drives) in medical offices. We are changing our position: rather than merely discouraging their use, we now consider it a high risk factor that will increase your HIPAA Risk Score and may make you ineligible for certification from The HIPAA Institute.
The recently uncovered threat posed by USB devices involves the software embedded in the device's controller chip, known as firmware. Firmware is base-level software that resides on the hardware of most computer devices. The identified vulnerability involves malicious code being installed into the firmware of a USB drive, rather than in the drive's storage area where files are kept. Once the device is connected to a computer through a USB port, the malicious code can install itself onto the host PC, travel across the network, take control of the PC, or establish its own internet connection and transfer data from the network or the workstation to foreign servers. Essentially, these exploits are equivalent in capability to the most potent malware.
In addition to the potential exploits, the risk is further complicated by how difficult the code is to detect. Standard tactics such as deleting all the files on the drive, scanning the drive for viruses, or even reformatting the drive will not erase BadUSB or reveal its presence, because none of these actions touch the firmware.
Our risk analysis concludes that exploitation of this vulnerability is currently unlikely; however, we expect it to increase in prevalence over the next few years. Given the difficulty of detection and the potential impact if the threat is encountered, in our opinion this represents a significant vulnerability and warrants an aggressive and proactive response.
If you are using USB devices to transport or store PHI and you accept the risk described above, here are options you should be aware of. To date, at least one USB manufacturer, Imation Corp, has adapted its IronKey Secure line of USB devices to be immune to BadUSB. Another option is to use USB devices whose firmware updates are code signed. With this safeguard, firmware that has been modified will be rejected by the computer or the USB device, or at a minimum the user will be alerted during the update. A third option, and our recommendation, is to change your policy and your workflow to eliminate the dependency on USB devices altogether. We recommend the use of secure, HIPAA compliant online storage such as Box.com. Box touts its security and HIPAA compliance and, importantly, is willing to sign a Business Associate Agreement.
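One way to enforce the recommended "no USB storage" policy on Windows workstations, as an added example that is not part of the original advisory: the script below audits and, if requested, disables the built-in USB mass-storage driver service (USBSTOR) by setting its Start value to 4 (Disabled) in the registry. The registry path and value are standard Windows settings; the function names and the use of this particular control to implement the policy are the editor's assumption, not something the advisory prescribes.

```powershell
# Added example: audit / enforce the "no USB storage" policy on a Windows host.
# Assumes it runs in an elevated PowerShell session (registry write requires admin).
# USBSTOR Start values: 3 = Manual (driver loads on demand), 4 = Disabled.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns an object describing whether USB mass storage is currently allowed.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        StartValue   = $start
        Compliant    = ($start -eq 4)   # policy requires the driver to be disabled
    }
}

function Set-UsbStorageDisabled {
    # Disables the USB mass-storage driver so newly attached thumb drives are not mounted.
    # Devices attached before the change are unaffected until they are removed or the host reboots.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Test-UsbStoragePolicy {
    # Audit-only entry point for a compliance check: returns $true when compliant,
    # and writes a warning naming the host when it is not.
    $state = Get-UsbStorageState
    if (-not $state.Compliant) {
        Write-Warning ("USB mass storage is enabled on {0} (Start={1}); policy requires 4." -f
            $state.ComputerName, $state.StartValue)
    }
    return $state.Compliant
}

# Usage: run the audit, and enforce only when explicitly asked.
if (-not (Test-UsbStoragePolicy)) {
    # Uncomment the next line to enforce on this host.
    # Set-UsbStorageDisabled | Format-List
}
```

This control blocks only USB mass-storage class devices, so it implements the advisory's policy on thumb drives rather than addressing every device type a USB port can accept; in a domain, the same setting is better deployed and monitored through Group Policy than by running the script per host.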
If you have any questions, contact our HIPAA compliance team.