http://www.computerworld.com/printthis/2006/0,4814,109911,00.html
ComputerWorld
How much damage can a memory stick or iPod do? Plenty,
say users and analysts
News Story by Lucas Mearian
MARCH 27, 2006 (COMPUTERWORLD) - Baptist Memorial Health
Care Corp. in Memphis recently found itself dealing with a proliferation of
user-owned plug-and-play USB port drives that posed a security risk to
sensitive patient data.
Lenny Goodman, IS director for desktop management at the
health care company, said users found it difficult to copy significant amounts
of data to floppy disks, and the company "did not allow CD writers."
So users turned to "the USB flash drive, with enormous
capacity and zero installation," Goodman said earlier this month.
"Very handy, very risky—both as a way for data to leave and a way for
malware to arrive. We had to do something."
The result: Baptist Memorial created strict policies around
the use of flash memory sticks, iPod music players and other portable storage
devices by standardizing on USB memory sticks that have native encryption and
password protection.
The Health Insurance Portability and Accountability Act
"mandates that all health care organizations develop a methodology to
account for all removable media," Goodman said.
But with more than 42 million of Apple Computer Inc.'s iPods
sold so far in the U.S. alone, the threat of data theft or loss from
downloading information on a USB port device is growing exponentially,
according to analysts. Apple officials declined to say whether they plan to
improve iPod security.
"An iPod is just storage at the end of a wire,"
said John Webster, an analyst at Data Mobility Group LLC in Nashua, N.H.
"You already see people using [iPods] as backup devices. USB storage
devices are a potential source of data leakage."
Such concerns from corporate IT managers about corporate
data loss have prompted vendors to develop products that can secure flash
memory devices. For example, Kingston Technology Co. earlier this month
released a USB flash drive that secures data using password protection and
128-bit hardware-based AES encryption. Kingston's DataTraveler Elite Privacy
Edition device offers up to 4GB of secure storage and has a mechanism that
locks out potential users after 25 consecutive failed password attempts.
Recognizing the Risk
Baptist Memorial, which operates 20 hospitals and a network
of outpatient and ambulatory surgery facilities, clinics and other health care
facilities, uses the 1GB version of Kingston's USB drive.
Goodman said that the health care company has also deployed
a USB port-monitoring and policy enforcement application from
Philadelphia-based Safend Inc.
"We feel we are ahead of our industry in general in
recognizing the extreme exposure of ultrasmall, ultracapacity plug-and-play USB
devices," Goodman said.
Eric Ouellet, an analyst at Gartner Inc. in Stamford, Conn.,
said that only about 10% of companies have any policies dealing with removable
storage devices.
"It's actually a fairly big problem," Ouellet
said. "You can put a small database on them. It's just a matter of time
before we hear about someone losing data because of this."
He suggests that companies consider flash-drive monitoring
software on PCs and laptops, from companies such as Pointsec Mobile
Technologies AB, Utimaco Safeware Inc. and Centennial Software Ltd. Such
applications can lock out USB drives or require that they have encryption and
password protection in order to work.
For a free but unsophisticated application, companies can
use the native lockout capabilities in the Windows operating system, Ouellet
noted.
Meanwhile, SanDisk Corp. in Sunnyvale, Calif., last month
said it plans to bolster the security in its line of USB flash drives and
mobile cards by using TrustedFlash technology, which combines its 32-bit
controller architecture with an embedded cryptographic engine to provide
real-time encryption.
Copyright © 2006 Computerworld Inc. All rights reserved.