Q&A: Tracking the use of USB drives

Q: How can you track or prevent the use of USB drives in a hospital setting?

A: If you are working in a Windows® environment, your IT department can use Microsoft Group Policy to disable the use of all USB drives or select USB drives. If you are working in a Mac® environment, you can do the same thing but through Terminal. There are tools out there that can assist with enabling or disabling USB drives, even down to only disabling non-approved USB drives.

You need to block the use of USB drives unless there is a business need to use USB drives—and if such a need exists, the drives used must be encrypted if they will store PHI or personal identifiable information. This needs to be addressed not just in policy, but also in a technical solution that actively blocks the use of some or all USB drives. Adopting a “here’s the policy and I trust you” approach is risky and does not prevent the storage of PHI on unencrypted USB drives.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.