Recent changes to HIPAA from the passage of the ARRA/HITECH Act make the encryption of protected health information (PHI) one of only two approved methods for guarding against security breaches involving patient information. Organizations that have a PHI breach involving more than 500 individuals are required to immediately notify the US Department of Health and Human Services, the media, and involved patients, and to comply with additional requirements. This can quickly lead to major negative financial and reputational impacts for all parties involved. The implementation of an organizationally-managed device such as the Ironkey Enterprise flash drive ensures compliance with UAB Health System, HIPAA, and ARRA/HITECH Act regulations.
What are flash drives? A flash drive is a portable device capable of storing large amounts of information. These devices take many shapes, but are usually rectangular and small enough to plug directly into a computer’s USB port. The adjacent photo is an example of a typical USB drive. You may hear people call these devices by several different names including “thumb drives,” “flash sticks,” and “USB drives.”
Why are we recommending Ironkey Enterprise drives and why are they more expensive than other drives? The Ironkey Enterprise product was selected because it can do what inexpensive software-encrypted flash drives cannot do. Ironkey drives offer:
- Central management that allows for inventory tracking, password policy enforcement, administrative password/file recovery, and remote disabling.
- Hardware-based encryption that uses a HIPAA and ARRA/HITECH Act compliant encryption algorithm to protect all data and allow it to be accessed anywhere without installing software on the computer.
- Cross-platform support for Windows, Macintosh, and Linux operating systems.
- An enhanced user experience with several unique features, such as an Identity Manager password vault, RSA VPN token utility, onboard Firefox browser, and a backup/restore utility.
Ironkey runs a secure support portal to allow UAB to recover a user’s credentials if they forget their passcode or decide to leave the organization and do not unlock the drive prior to their last working day. Cheaper, nonencrypted drives do not provide such functionality and require manual management.
Where can I purchase and receive support for an Ironkey flash drive? Please contact Aeron Gault for this information.
What about external hard drives? External hard drives can hold more information than USB drives. As a result, they tend to be used as back-up devices or storage locations for large datasets (remember the Veterans Administration’s external drive incident?). Consequently, the typical portable drive is considered high risk for loss or theft. If devices are lost or stolen, UAB would bear the burden of proving the information on the drive was secured by encryption technologies. For this reason, the use of external drives must be kept to a minimum. When the use of an external drive is required for UAB business, the drive must be encrypted to the same whole-disk standard as our laptop devices. Users are encouraged to back up their critical files on the Psychology server environment. For more information, contact Aeron Gault, Department of Psychology Information Technology Manager, at 205.975.0489.