Encrypted USB drives proved to be the prescription for protecting patient information at Harris County Hospital District, say Terry Turner (left), Kelly Gonzales and Tim Tindle.

Flash Forward

Organizations safeguard sensitive data with encrypted USB flash drives.

The penalty for data breaches in healthcare has climbed to a possible $1.5 million, making it even more important for organizations to safeguard patient data. Harris County Hospital District accomplishes that goal with an encryption solution that locks down desktops, notebooks and USB drives.

Located in the Houston area, Harris County Hospital District operates three hospitals and 14 clinics in Texas. Kelly Gonzales, senior IT security analyst, searched for encrypted USB thumb drive solutions and chose the Verbatim Store ‘n' Go Corporate Secure FIPS Edition. "It's an elegant solution that turned out to be simple and has worked very well," she says.

While no one disputes the convenience of USB drives, their small size and portability introduce the danger of the devices being lost, stolen or used surreptitiously to steal sensitive data.

"USB storage raises a pretty significant security concern," says Scott Crawford, managing research director of Enterprise Management Associates' security and risk management practice. "But it clearly has strong value in government if it incorporates security functionality and is used and managed in a secure way."

A variety of public-sector organizations are turning to encrypted USB drives from manufacturers such as IronKey, Kanguru Solutions, Kingston Technology, Lexar Media, SanDisk and Verbatim, among others.

Smart Security

The Harris County Hospital District safeguards data using a combination of technologies and policies. First, the organization used Check Point Pointsec Protector to lock down USB ports and control endpoints, says Terry Turner, director of IT security. "We allow employees to have read access to the USB ports, but they can't write to them without prior approval from an executive vice president," says Turner.

69% of users admit to copying confidential or sensitive information onto a USB memory stick, according to a survey from the Ponemon Institute

Only four or five people in the organization can grant this permission, and there must be a good business justification for it. Anyone requesting access to copy confidential information to a USB device must also seek permission from the HIPAA privacy officer for the district. Once employees obtain these two high-level approvals to write to USB devices, Gonzales uses Windows Active Directory group membership to manage permissions, while Pointsec controls access to the USB devices themselves.

In January 2009, the county deployed about 150 Verbatim-encrypted Store ‘n' Go USB drives in a mix of capacities. Users do not have the ability to remove or disable the password. After the 10th invalid attempt to enter a password, Turner says, the USB thumb drive wipes itself clean.

IT staff worried about the push-back they'd receive from employees when they locked down the USB ports. Of the 12,000 computer users, only 150 to 200 have received permission to write data to USB drives. "We thought we would really catch the dickens for this, and as it turns out, it wasn't a big deal," Gonzales says. She attributes the positive reception in part to giving workers ample notice to obtain approval.

"We wanted little to no impact on usability," says CIO Tim Tindle. "Now we basically have idiot-proof security."

The organization paid between $40 to $50 each for 2 gigabyte drives, $80 for 4GB drives and between $120 and $130 for 8GB drives. But if there is a security breach, Turner says, "the cost is going to far exceed what we spent to put this into place."

He notes that the HITECH provisions of the American Recovery and Reinvestment Act as they pertain to HIPAA create an even more compelling case for encryption. "The penalty for some incidents is now $50,000 per incident, with an annual cap of $1.5 million for identical incidents."

To be sure, Harris County Hospital District is serious about encryption. Along with deploying encrypted USB flash drives and locking down USB ports, the hospital rolled out encryption to all desktops and notebooks. "We have about 9,000 or 10,000 devices, and if we were to lose one, we know the data contained on it is secure," says Turner.

Taking It to the Streets

Many employees of the New York Division of Housing and Community Renewal who are out in the field don't have wireless connections in some parts of the state. As a result, some inspectors save data to flash drives and then save it to the network when they return to the office.

Gillian Conover, an information technology specialist with the agency, says New York's cybersecurity policy mandates that if the state issues a flash drive, it must be encrypted. Conover purchased about 100 Kanguru Defender encrypted USB thumb drives. She chose a mix of 2GB and 4GB drives, and 8GB drives for two executives who require that capacity.

Conover says workers previously purchased their own flash drives, so she had to disable all USB ports on PCs. "In order to get the USB port re-enabled, they have to submit a business case form to me, and I decide if it's legitimate," she says. "In this fiscal crisis, we
don't want to be buying devices if we don't need to."

One feature of the Kanguru Defender drives that Conover appreciates is the ability to remotely set a password and wipe the drive clean if necessary. The agency has about 12 offices throughout the state, many of which are several hours away from headquarters
in Albany.

Encrypted flash drives are also a must for the Washington State Department of Social and Health Services' Division of Child Support. "We deal with highly sensitive and confidential information, such as wages, Social Security and employment records," says Adolfo Capestany, community relations chief for the agency.

If collections workers need to take that data into the field, they protect it using SanDisk Cruzer encrypted drives. The deployment of 140 Cruzer drives "was a business decision based on safeguarding the confidential information of our customers," Capestany says.

Seeking Approval

The Federal Information Processing Standard 140-2 validates cryptographic modules. "Although there are no regulatory or legislative requirements in the states to purchase FIPS 140-2-validated encryption products, manufacturers point to the standard as a verification of performance and design integrity, and it carries weight in that regard," says Charles Kolodgy, research director for secure products at IDC.

When state and local government IT leaders evaluate products, if one option is FIPS 140-2 validated and another product isn't, a buyer may prefer FIPS 140-2 validation, Kolodgy says. Many commercial customers also seek to deploy FIPS-compliant products.

Phoebe Rourke-Ghabriel
Dec 09 2009