Poor USB security puts info for 6 million Medicare beneficiaries at risk

A Medicare contractor's failure to adequately implement security controls over USB devices put sensitive information for more than six million Medicare beneficiaries at risk, according to a report published this month by the U.S. Department of Health & Human Services Office of Inspector General.

The contractor--Columbia, Md.-based Quality Software Services, Inc.--is responsible for independent testing services for changes to Medicare Part A and B "Fee-for-Service" standard systems. OIG found that QSSI did not list "essential system services or ports" in its security plan, nor did it disable, prohibit or restrict use of unauthorized USB device access. According to the report, QSSI failed to implement USB security controls "because its management had not updated its USB control policies and procedures."

"As a result … the PII of over six million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft," the report added.

In addition to calling on QSSI to update its security plan and its policies and procedures to prohibit use of unauthorized USB devices, OIG recommended that the contractor limit USB port access to essential connections. QSSI responded by revising its Network Access Control policy, and said it plans to implement "read only" restrictions for USB ports in all laptops. The company also said it will mandate scans of all portable and mobile devices to check for malicious code. It did not, however, agree to list essential system services and ports in its system security plan.
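The "read only" restriction QSSI describes can be enforced on Windows laptops through the StorageDevicePolicies write-protect setting. The script below is an added example, not code from the OIG report or from QSSI; it assumes Windows 7 or later and an elevated PowerShell session.

```powershell
# Added example: enforce and audit a "read only" policy for USB mass-storage
# devices on a Windows laptop. Assumes Windows 7+ and an elevated session.
# Mechanism: the WriteProtect DWORD under StorageDevicePolicies (1 = deny writes).

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbStorageReadOnly {
    # Create the policy key if the machine has never had it, then set WriteProtect = 1.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'WriteProtect' -Value 1 -Type DWord
}

function Test-UsbStorageReadOnly {
    # Returns $true only if the write-protect policy exists and is enabled;
    # a missing key or a value of 0 both mean USB drives are still writable.
    if (-not (Test-Path $policyKey)) { return $false }
    $value = (Get-ItemProperty -Path $policyKey -Name 'WriteProtect' `
                -ErrorAction SilentlyContinue).WriteProtect
    return ($value -eq 1)
}

Set-UsbStorageReadOnly
if (Test-UsbStorageReadOnly) {
    Write-Output 'USB mass storage is write-protected (read only).'
} else {
    Write-Warning 'WriteProtect policy not applied; confirm the session is elevated and re-run.'
}
```

The setting takes effect for drives attached after it is applied, so already-mounted devices should be removed and reinserted. Note that write protection only stops data from being copied off the laptop; it does not stop malicious code from being read in from a drive, which is why the report's recommendation to scan portable devices complements rather than duplicates this control.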

USB drives have been involved in several data breach incidents in the past year alone. In January, an employee of an outside contractor for the Utah Department of Health lost an unencrypted USB memory stick containing the personal information for 6,000 Medicaid clients. In July, information for more than 2,000 patients at the University of Texas M.D. Anderson Cancer Center was put at risk when a medical student trainee working for the facility lost an unencrypted portable hard drive while riding on an employee shuttle bus.

Also in July, information for more than 14,000 patients at Oregon Health & Science University Hospital was put at risk when a USB drive was stolen during the burglary of a hospital employee's home.

To learn more:
- read the OIG report (.pdf)