Some recent major security breaches were caused by thumb drives.
How did we destroy Iranian nuclear facilities? With a thumb drive.
How did Snowden allegedly smuggle out top secret NSA information? With a thumb drive.
How did my wife find out I bought a motorcycle without asking her first? With a thumb drive...
It is common knowledge that gang members are getting their girlfriends to steal patient information. There is a good chance the information is being copied to thumb drives and walked right out of the front door.
One of our clients experienced a breach when employees quit a medical practice and stole EHR data. The data was copied to a thumb drive. There have been many breaches associated with unencrypted data on thumb drives that were lost or stolen.
So what is your IT provider doing to prevent the risk of data loss or leak by this? (and other methods too...)
We would hope and suggest a simple risk assessment be done to find the paths of leakage. Barring that - simply disable USB ports on your equipment, use software to encrypt all drives used and make your employees aware they are being watched (This is a key step...) Additionally - publish and enforce login/logout and permissions policies all over the network. (Start by locking it all down and gradually opening it up to those who truly need access...)
Just be ready for the backlash - as soon as you disable the use of thumb drives, you will hear a million reasons why they are needed - especially from physicians. It is important to monitor employee access to patient information to discover strange habits or improper accesses. If you are not looking at the logs, you will have no idea what your employees are doing on the network and what PHI may be leaving the building.
The danger of thumb drives are real. With the HIPAA Omnibus rule firmly in place, now is an (even more) important time to act. Contact Beringer Associates for a HIPAA Risk Assessment and a network audit. We may not be your compliance officer but, as a Healthcare IT Partner and Business Associate, we certainly have some skin in the security and compliance game now.