The medical industry is drenched in technology. Intricate AI-powered surgery robots and high-tech anesthesia equipment fill surgery rooms, computers and laptops litter nurse stations, and MRI machines and powerful PCs back up teams of expert radiologists.
At the heart of all of this powerful equipment is a small, often discreet, USB connection.
USB connectors and ports breathe life into all of these devices. They supply protocols for communication between machines, can be used as a power supply for smaller equipment, and are even used to carry patient files between locations (e.g., on thumb drives and external hard drives). Medical technology relies on USB daily, and USB connections play a critical role in medical IT architecture.
But all of this USB tech also introduces risk. To be fair, USB technology itself isn’t the risk; rather, USB connections open up gateways for internal threat actors to access confidential patient records. Hospitals struggle with their USB ecosystem. These ports, which exist on virtually every piece of medical equipment, require forward thinking and strategic planning to minimize risk.
USB and Risk
According to Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR), over 55% of all security breaches in the medical industry come from inside threat actors. Healthcare is the only industry in which internal actors are the biggest threat to an organization. This makes internal security the single most critical channel of risk prevention. And USB ranks toward the top of the list when it comes to reducing internal threats.
USB drives that house information are incredibly portable, convenient, and easy to use. But they’re also easy to abuse in the wrong hands. Whether it’s a former employee who wants some form of revenge against your healthcare system, a sophisticated threat actor looking for physical hardware, or merely an unaware employee, someone who accesses a USB drive that hasn’t been secured can easily do damage with the files contained within.
There’s risk anytime you’re dealing with portable drives that carry sensitive information. And, there’s also a risk in any communication protocol between two or more machines. So, what do you do? You have to use USB cables; they’re absolutely necessary in the medical industry. How do hospitals prevent USB security issues?
3 Ways to Reduce USB Security Risks
#1) Zero Trust Security
Originally coined by Forrester Research, Zero Trust security involves baking security into your everyday operations granularly. According to Forbes, 66% of external and internal actors are abusing security privileges in the healthcare industry. Instead of blaming the individual, healthcare needs to discover how it is that over half of their employees are capable of abusing privileges in the first place.
Zero Trust security leverages segmentation and perimeters to ensure that systems, cloud resources, and databases are protected in layers. Part of this involves tracking user access routes, using location services, and certainly monitoring logins. But, it also involves securing the physical resources in a structured manner. Who can check out USB drives? Can they plug them into any system? If so, is that safe? These are the questions you need to be thoroughly examining.
#2) Actively Review USB Activities
Securing your USB assets is one thing, but tracking them is an entirely different monster. Still, it may be one of the simplest ways to ensure that data leaks are dealt with accordingly. One way to do this is to use a tracking system paired with something small, like QR codes. Another way is to keep USB data transfer under lock and key.
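The questions raised under #1 (who can check out a drive, and which systems it may be plugged into) and the tracking idea under #2 can be checked mechanically. The following is an added example, not part of the original article: it reconciles USB mount events against a drive checkout register. The record fields, serial numbers, user names and host names are all constructed for illustration.

```python
from datetime import datetime

# Constructed checkout register: drive serial -> current holder, return time,
# and the hosts the drive is approved for. All values are made up.
REGISTER = {
    "SN-1001": {"holder": "nurse.a", "due": "2024-03-01T18:00",
                "hosts": {"ws-rad-01", "ws-rad-02"}},
    "SN-1002": {"holder": None, "due": None, "hosts": {"ws-lab-01"}},  # not checked out
}

# Constructed mount events, in the shape an endpoint agent might report them.
EVENTS = [
    {"time": "2024-03-01T09:15", "host": "ws-rad-01", "user": "nurse.a", "serial": "SN-1001"},
    {"time": "2024-03-01T10:02", "host": "ws-adm-07", "user": "nurse.a", "serial": "SN-1001"},
    {"time": "2024-03-01T11:30", "host": "ws-lab-01", "user": "tech.b", "serial": "SN-1002"},
    {"time": "2024-03-01T12:45", "host": "ws-rad-02", "user": "clerk.c", "serial": "SN-9999"},
    {"time": "2024-03-01T19:20", "host": "ws-rad-02", "user": "nurse.a", "serial": "SN-1001"},
]


def review(events, register):
    """Return (event, reasons) for every event that breaks the checkout policy."""
    findings = []
    for ev in events:
        entry = register.get(ev["serial"])
        if entry is None:
            # A drive nobody issued: nothing else can be checked about it.
            findings.append((ev, ["unregistered drive"]))
            continue
        reasons = []
        if entry["holder"] is None:
            reasons.append("drive not checked out")
        else:
            if entry["holder"] != ev["user"]:
                reasons.append("used by someone other than the holder")
            if datetime.fromisoformat(ev["time"]) > datetime.fromisoformat(entry["due"]):
                reasons.append("used after the return time")
        if ev["host"] not in entry["hosts"]:
            reasons.append("host not approved for this drive")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in review(EVENTS, REGISTER):
        print(ev["time"], ev["host"], ev["user"], ev["serial"], "->", "; ".join(reasons))
```

Run on the sample data, the first event passes and the other four are flagged, each with the specific rule it broke, which is what a reviewer needs to follow up.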
#3) Glue Security Education to Onboarding and Beyond
While GI Joe’s tagline “knowing is half the battle” may have been applied to an evil metal-faced villain, it’s instantly applicable to USB security. You can create the best processes, glue expensive and robust security to your IT architecture, and create dynamic role-based access systems, but if you aren’t training employees on how to use USB, you’re going to have incidents.
And, training shouldn’t be exclusively an onboarding phenomenon. You need ongoing training. Do your employees understand the roles of USB? Are they aware of how data transfer can impact security? If not, they should be.
While USB technology can be used by internal employees to expose your healthcare organization to risk, it’s also a vital part of standardizing the healthcare IT ecosystem. USB cables, drives, hubs, and connectors are the spirit of your equipment. Through the proliferation of USB, connected devices such as medical ID bracelets and other machines, more and more systems will be able to communicate efficiently.
Technically, a USB hub (both external and internal to a computer) should prevent an attacker from stealing data from adjacent USB-connected devices. But that’s not the case in practice.
As it turns out, some USB hubs don’t sufficiently secure the communication lines between USB ports and the computer, an oversight which attackers can exploit to steal sensitive data.
The purpose of medical technology is to aid in the care of patients. With USB standardization, healthcare professionals can bypass many of the roadblocks that keep them from their patients and deliver more optimized care.
In the medical industry, there’s no room for error. You need innovative technology products that are paired with excellent customer support. If you are currently building a device that relies on USB technology, we’re here to help.