
OMG USB! Physical Media and Protecting PHI


Imagine this scenario: you’ve received test results from a procedure, and those results need to move between institutions because your doctors sit in different departments of a healthcare system.

Normally, we’d expect these institutions to transmit the results electronically over a secure channel… but instead you see that your doctor has your results in hand, on a USB key that they plug into their computer.

This, of course, is a considerable risk. HIPAA regulations require institutions to protect PHI in specific ways with straightforward controls, and physical media is exposed to many threats that can undermine those controls.

So, what’s the issue with using USB thumb drives? 


What’s Wrong with Using USBs to Transmit PHI?

The job of regulated organizations in healthcare is to secure PHI against unauthorized disclosure. This is true in every context in which the data is found: in transit between computers, stored on a server, or carried on removable media.

What’s important to understand is how PHI is threatened by passing a USB drive around:

Given these problems, healthcare organizations that use physical media to exchange information must understand how the regulations apply to such practices. They can turn to key documents such as HIPAA and NIST Special Publication 800-66 to learn that, while it’s possible to use USB drives for PHI, doing so takes significant planning and effort.


What Do HIPAA and NIST Say About Physical Media?

It’s important to note that HIPAA, the regulation that governs data protection and technology in healthcare, is relatively vague: not necessarily in its directives, but in how they are to be implemented. This is by design; leaving the requirements broad allows them to stay relevant without calling for updates every time a new technology, encryption method or security threat enters the market.

NIST 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” provides updated guidance on implementing HIPAA security requirements. This document links the guidelines stated in HIPAA law with NIST security rules to help with specific implementations. 

Each of these documents, however, addresses physical media security from a different angle.

HIPAA and Removable Media

This isn’t just about protecting the PHI on the device. Insecure workstations that lack proper isolation, antivirus or scanning tools could allow a plugged-in USB drive to introduce a potentially debilitating ransomware attack against the system. If not ransomware, the drive could also carry malware that establishes an Advanced Persistent Threat (APT), silently compromising every system it connects to and collecting data for weeks, months or even years.

NIST 800-66 and Removable Media

Because it is far more specific, NIST 800-66 offers a clearer view of the pitfalls of using a USB stick to share PHI:


To USB or Not to USB with PHI

The short answer is that it’s really not advisable to use USB memory to share information when managing PHI and HIPAA compliance.

However, let’s be clear that this is strictly from a compliance perspective. We also understand that emergencies happen. Many compliance breaches come from accidental exposure when doctors or other professionals share information to provide life-saving care. While this isn’t ideal, it’s understandable and sometimes unavoidable (maintaining compliance is never worth someone’s life, and HIPAA includes explicit exceptions to this effect).

However, this isn’t an excuse to pretend the rules don’t exist just to make it simpler to pass around X-ray scans. Regulations are there for a reason: to protect critical PHI. If you’re going to use physical media to share PHI, you must maintain security.


Tightening Up Your HIPAA Security?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
