It's been a bad week for USB device security.
A couple of potentially ugly breaches have highlighted, once more, the trouble organizations are having with managing removable media security. Over in the UK, the Sellafield nuclear reprocessing site suffered what turned out to be a very embarrassing breach when an unencrypted USB drive containing details of the site's operations was left in a hotel room. The drive was found by a coach driver who, being apparently more security conscious than the previous owner, turned it in to the authorities.
I think a big "oops" all around on that one.
Sellafield is a site that handles nuclear waste from around Europe and, as you can imagine, is generally fairly concerned about risk reduction. If it can happen to them....
Well, it can happen to a Medicaid. Or specifically it can happen to Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, both insurance plans serving Medicaid. A piece in healthinfosecurity.com reported this week that an unencrypted flash drive was lost (sound familiar?) containing information on over 280 000 patients.
In this case it was information being used to test new hardware and sure enough, the flash drive goes missing.
I think there's a couple of things to highlight here. The first is obvious – that information on removable media devices should be encrypted. Transferring sensitive information on something so small you could almost swallow it with a glass of milk is crazy and frankly, there's really no excuse for it.
But here's the real question – these are events we know about. How many other USB drives go missing with sensitive information on them, that are never reported? Devices that the IT department never know about? Devices that probably belong to the employee in question and thus fly well below the corporate security radar?
Unless there's some kind of Bermuda Triangle for USB flash drives, I can't help feeling there's a lot of information floating around that no one is keeping track of.