The Family Planning Council incident is just the latest in a series of flash drive data breaches to be reported. On Feb. 23, Henry Ford Health System in Detroit notified the public of a lost flash drive containing information on 2,777 patients, and on Sept. 20, insurer AmeriHealth Mercy reported a missing flash drive that stored data on 280,000 Medicaid members.
You’d think HIPAA or some other regulation would cover all that, but there’s still the policy gap and the human laziness factor at work.
The stolen flash drive at Family Planning Council was simply password-protected rather than encrypted, Schwoebel noted.
Steps companies could take to better secure data include encrypting the devices, monitoring data transfer on the drives using back-end management software and creating an audit trail.
“It’s a bit intimidating for health care organizations to understand what is the right level of encryption for what they need,” Schwoebel said. “There are different types of drives that offer different levels of security, and they should work with someone to analyze what’s the correct level of security they need for their data and put together an overall plan to make sure that the USB drives they do provide to their customers meet the standards for data loss prevention.”