Health Data Breaches Involving Unencrypted Devices Reported
Despite the Decline of Such Incidents, Recent Breaches Serve as Reminders of Risks
“In my opinion, most organizations have not purchased encrypted portable media – encrypted USB flash drives, jump drives, external drives, etc. – for their employees to use,” notes Tom Walsh, president of consulting firm tw-Security.
… That also increases the risk, Walsh notes. “Data should be purged once it is no longer needed,” Walsh says. “Based upon my review of some of the largest data breaches reported to HHS, many could have been prevented if data had been properly sanitized or the media destroyed once it was no longer needed.”
… “Many organizations are using endpoint protection – such as their anti-virus software or a centralized enforcement control – that automatically encrypts at a file level any files, documents, spreadsheets, etc. that are transferred from a workstation to any type of portable media plugged into a USB port,” Walsh says. “This also creates an audit trail of the data movement.”
Some organizations have created Group Policy Objects – or GPO – rules through their Active Directory to enforce the use of certain types of encrypted USB drives, Walsh adds.
“USB drives have signatures – information about the device’s manufacturer and the make/model of the portable memory device. Organizations are using this data to allow data transfers to encrypted USB drives issued by the company while blocking the data transfers to all other types of USB drives.”
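The signature check described above, sketched as an added example that is not from the article or from tw-Security: it parses Windows-style USB device instance IDs and compares them with an allowlist. The vendor/product IDs, serial numbers and sample IDs are constructed placeholders, and checking issued serial numbers on top of make/model is an assumption that goes one step beyond what the article describes.

```python
import re

# Constructed placeholders, not real products or real serial numbers.
APPROVED_MODELS = {("1234", "A001")}            # (vendor ID, product ID)
ISSUED_SERIALS = {"ENC0000000001", "ENC0000000002"}

# Windows device instance ID for a USB device: USB\VID_xxxx&PID_xxxx\<instance>
INSTANCE_ID = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$", re.IGNORECASE
)

def classify(instance_id):
    """Return (verdict, reason) for one device instance ID."""
    m = INSTANCE_ID.match(instance_id.strip())
    if m is None:
        return "block", "unrecognized device ID"   # fail closed
    vid, pid, serial = (g.upper() for g in m.groups())
    if (vid, pid) not in APPROVED_MODELS:
        return "block", "make/model not on allowlist"
    # When a device reports no serial number, Windows generates the instance
    # part itself and its second character is '&'; such an ID cannot be tied
    # to one issued drive.
    if len(serial) > 1 and serial[1] == "&":
        return "review", "approved model without a unique serial"
    if serial not in ISSUED_SERIALS:
        return "review", "approved model, serial not in issued inventory"
    return "allow", "company-issued encrypted drive"

def audit(instance_ids):
    """Map each instance ID to its (verdict, reason)."""
    return {i: classify(i) for i in instance_ids}

# Constructed sample inventory export.
SAMPLE = [
    r"USB\VID_1234&PID_A001\ENC0000000001",
    r"USB\VID_1234&PID_A001\ENC0000000099",
    r"USB\VID_1234&PID_A001\6&2F1A3B4C&0&2",
    r"USB\VID_ABCD&PID_0001\0123456789",
    "not-a-device-id",
]

if __name__ == "__main__":
    for dev, (verdict, reason) in audit(SAMPLE).items():
        print(f"{verdict:6} {dev}  ({reason})")
```

Make/model alone matches every drive of that model, including ones the organization never issued, which is why the sketch sends approved models with unknown serials to review instead of allowing them.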