Healthcare Firm Secures USB

Earlier this week, the Veterans' Administration saw the impact of the theft of a single laptop. But while the VA's problem has got many enterprises rethinking their laptop security strategies, one healthcare company is also taking steps to seal another emerging source of data leaks: USB devices.

Martin, Fletcher, a fast-growing healthcare staffing firm based in Irving, Texas, is concerned about portable devices such as USB memory sticks, external hard drives, PDAs, and DVD burner drives, which are becoming very popular in the healthcare industry. The company, which provides permanent placement services for physicians and nurses in 49 U.S. states, supports more than 100 desktop devices that allow employees access to sensitive databases related to doctors, nurses, and healthcare facilities.

As it grows, Martin, Fletcher is seeing more and more use of USB devices such as PDAs, flash drives, iPods, and digital cameras. With these devices, users could potentially download sensitive information, inadvertently introduce a virus into the corporate network, or download their own software to a PC, IT executives observed.

"We made a decision to try to block some of that access," to keep data from getting into the wrong hands, says Fabi Gower, vice president of information systems at Martin, Fletcher. The company had not yet experienced any USB-related breaches, she says, but managers perceived the risk to be serious, especially in light of highly publicized data losses suffered by other companies at the time.

Martin, Fletcher searched for a way to deal with the USB threat, trying everything from custom-built scripts to modifying device settings so that certain data was not accessible to end users. But none of those efforts worked, Gower says.

Finally, Martin, Fletcher turned to systems integrator ProNet Analysis to help find a security product that would eradicate the USB access threat. ProNet helped Martin, Fletcher find and deploy an endpoint security software product called Sanctuary Device Control from SecureWave.

Sanctuary Device Control allows administrators to centrally manage users’ access rights from a single console. Rather than using the old method of having multiple administrators regularly check workstations for unauthorized devices, the company now employs a single console to monitor desktop usage at any time.

The SecureWave product employs a “default, deny” approach to endpoint security, in which all users are denied access by default and administrators can limit access to only those devices that specific users need. With this approach, users can't plug devices into the corporate network without approval. The administrator creates an access control list of authorized devices, and any device that isn't on that list is denied access. Managers also can configure the system to allow device usage only during specific dates or times.

To control access, a Sanctuary Device Control administrator associates "objects" -- organizational units, users, or user groups -- with the devices or device classes to which they should have access. The product can support as many as 100,000 users, according to SecureWave. It integrates with existing IT infrastructure by mapping permissions to existing directories, such as Microsoft Active Directory or Novell Directory Services.

Because the security software has granular policy rules, Martin, Fletcher is able to enforce flexible device-use policies, rather than just prohibiting the use of entire classes of devices. Administrators can also use Sanctuary Device Control to create and log a complete copy of all data written to authorized devices, allowing them to monitor USB device usage patterns and trends.

And because they are tracking the use of all devices, Martin, Fletcher managers now have an audit trail that they can use in their efforts to comply with government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which is designed to secure electronic patient information.

Before they found the SecureWave product, Martin, Fletcher's IT staff had considered moving to a thin-client environment to help resolve device access problems. By avoiding that move, the company has saved tens of thousands of dollars, Gower says. Martin, Fletcher also is saving the time of IT staffers who previously had to check each device manually, she says.

Gower likes the flexibility of Sanctuary Device Control. "It allows me to give access to an executive or [other users] who legitimately need access for a certain period of time," she says. "I don’t have to tell a vice president of a department, 'Sorry, that’s just not allowed.' "

— Bob Violino, contributing writer, Dark Reading

Organizations mentioned in this story