Small storage devices carry big risks

Flash drives. Thumb drives. CDs. DVDs. These devices may help employees do their work, but they can inflict harm to Asante and its Mission.

As corporate firewall management and employee phishing training become more effective, cybercriminals are finding other ways to infiltrate targeted systems and networks for profit, damage and control. As an important critical infrastructure organization, Asante is a target. One way cybercriminals gain a nefarious foothold in our organization is through infected removable storage devices.

A “digital beachhead” for cybercriminals

Past security breaches have shown that booby-trapped and malware-infected removable storage devices can take control of a computer, upload files, infect software and even provide remote keyboard control — all while running in the background without the user ever knowing their computer has been hijacked.

Since an Asante computer may be connected to thousands of other computers, including medical devices, such malware must be avoided at all cost. Flash drives, CD/DVDs or charging devices brought from home, provided by a vendor, provider or another non-Asante source, can transmit malware.

Removable storage “drop attacks” happen. Studies show that when infected removable storage devices are randomly dropped in company parking lots, more than half of those people who pick up such a device from a parking lot readily plug it into their work computer. This has been a successful attack vector in the past; human curiosity was used to infiltrate government and corporate organizations with drop attacks. Never plug a “found” storage device into an Asante computer or device.

Supply-chain attacks, a more recent attack method, enable cybercriminals to gain access to their target companies by first compromising one or more of the target company’s vendors or business partners. By using vendor- or business-partner-supplied removable storage for routine system data exchange or system support, a supply chain attack can be realized.

Data loss, leakage and “financial and reputational damage”

Removable storage data are often orphan data, separated from a source system or “owner” who can reliably oversee and protect the data. Data downloaded to removable storage devices are usually not inventoried, so their loss or “leakage” to unauthorized individuals may not be discovered.

IBM considers flash drives and other removable storage devices so dangerous that it prohibits its employees from using them due to the possibility of “financial and reputational” damage if the devices were lost or stolen. One company suffered $2.2 million in HIPAA fines and penalties after a flash drive containing sensitive health information of more than 2,200 people was stolen from its IT department.

How Asante is responding

Asante managers and directors will receive a short survey to let ITS know how their teams may be using removable storage in their work, whether for data backup, data transfer, vendor assistance or simply reading images on CD/DVDs sent from other providers.

With the results from this survey, ITS aims to reduce security risk, improve some aspects of data management, and prepare employees for upcoming controls on USB and CD/DVD use. Employees who have information about removable storage use should notify their manager or director.

The survey results are critical to a smooth transition to new data storage and transfer methods. Responses will help ITS know where removable storage is needed by whom to support our patient care and business workflows. Responses may supplement what ITS already sees in network access and activity reports, so that it can “whitelist” approved use or migrate workflows involving removable storage devices to more secure technology and work processes.

Also, instead of relying on antiquated and risky USB devices and CD/DVDs to share and back up data, Asante, like most companies, is moving to enterprise data management solutions instead. Data should be stored or shared from the Asante data center or an Asante-approved “cloud” vendor for safe storage and accessibility of files. Asante’s Data Governance team is improving proper data ownership, data flow and data use throughout the data lifecycle.

Finally, the security team will continue to maintain and improve technologies that monitor and report Asante system activity so that anomalous events can be investigated. When a flash drive truly is necessary, only ITS-approved and provided flash drives are permitted. These are first-use, password-protected and encrypted to ensure that Asante data is more likely to be protected from malware infection, data leaks and breaches.