USB Security Guidelines With HITECH (Health Information Technology for Economic and Clinical Health Act)

Healthcare providers are under the gun to implement technology that will meet guidelines that were published under the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in August 2009. Enforcement of the guidelines for health data breach notifications begins in February 2010.

One such regulation involves USB security and data stored on removable devices. If data is not stored on an encrypted USB flash drive and a loss of the drive involves over 500 patient records within a state, the press must be notified (along with patients). The healthcare provider will also be subject to penalties ranging from $100 to $1.5 million per breach.

These penalties and bad publicity are going to force changes to operations within the healthcare community. Important details of the regulation also refer to the type of USB encryption. The algorithm must comply with NIST (National Institute of Standards and Technology) guidelines, such as AES encryption. Equally important, the encryption key cannot be stored with the data. This creates problems for implementing a software-based encryption method.

Software encryption is performed by a computer’s CPU using a program installed on a particular operating system, whereas hardware encryption is performed in an internal USB controller dedicated to the task of encryption. Because the controller is designed for this particular purpose, it can often perform its task faster than a software implementation of the same task running on a computer CPU that is under the control of an operating system.

Assuming the data stored on the secure USB flash drive needs to be accessed by a different computer, software-based encryption falls short. Software-based encryption stores the encryption key on the USB device, whereas hardware-based encryption stores the encryption key in a controller (hardware) on the USB drive separate from the data. This also allows the data to be accessed via any computer.

A further disadvantage to software encryption is the fact that it is specific to particular operating systems. As such, if software encryption is performed on a Windows platform and needs to be decrypted on a Mac platform, the encrypt/decrypt software must be available on both platforms.

For USB security, there are a few options for encrypted USB flash drives. Another option is the use of Windows BitLocker to provide USB encryption. The downside here is that it is only available on certain editions of Windows Vista and Windows 7, and the drive data will not be accessible by all computers.