“Did somebody lose their thumb drive? I found one in the main conference room. It contains the medical records of John Smith from Hope Hospital. If this is yours, it’s on my desk.”
These are not words that should ever be uttered at your law firm. Why?
This means that some lawyer or staff member has left confidential information – HIPAA-protected and/or Personally Identifiable Information (PII) – in a public place where someone with no right to the information, or worse, someone with a nefarious purpose, can access it. The thumb drive in our example (a real-life situation) clearly had no password or encryption because the person who found it was able to figure out exactly what it contained.
USB drives (commonly called “thumb drives”) are useful at times, but lawyers should use them sparingly if at all.
The saying goes that USB drives should be used as a briefcase, not as a file cabinet. The reason is simple – they are small and easy to misplace. If you must use a thumb drive, be sure to encrypt it and password-protect the information on it. In addition, back it up. If the USB drive is the only place the information is stored, you are up a creek when the drive goes missing.
In addition, never plug an unknown USB drive into your computer. Use caution when anyone provides you with information on a thumb drive.
If possible, do not allow their use: refuse to accept information on a thumb drive and require the information to be provided through a secure link or other protected method. If thumb drives are allowed, take precautions: use USB blocking or scanning technology, or have your IT staff scan the drive to ensure it doesn’t contain malware that can deposit malicious code onto your computer or steal information from it. If that isn’t an option, buy an app for your laptop that allows it to scan the drive.
A few additional tips:
Keep your personal and business thumb drives separate.
Disable Autorun on your computer, so that removable drives such as USBs and DVDs will not open automatically.
Apply updates and security patches routinely to your computer and use antivirus and antispyware software.
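For the Autorun tip above, IT staff can check the setting rather than assume it. The following PowerShell script is an added example, not part of the original article: it reads the Windows NoDriveTypeAutoRun policy value and reports which drive types can still autorun. The -Enforce switch and the function names are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally tighten) the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
param([switch]$Enforce)   # hypothetical switch: write 0xFF machine-wide (needs admin)

$policyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$driveTypes = [ordered]@{
    'Removable (USB thumb drives)' = 0x04
    'Fixed disks'                  = 0x08
    'Network drives'               = 0x10
    'CD/DVD'                       = 0x20
    'RAM disks'                    = 0x40
}

# Returns the policy bitmask for a hive (HKLM or HKCU), or $null if it is not set.
function Get-AutoRunMask([string]$Hive) {
    $item = Get-ItemProperty -Path "${Hive}:\$policyPath" -Name NoDriveTypeAutoRun `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

# Lists the drive types whose bit is clear, i.e. AutoRun is still allowed.
function Get-AutoRunExposure([int]$Mask) {
    $driveTypes.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

if ($Enforce) {
    $key = "HKLM:\$policyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF sets every bit: AutoRun is disabled for all drive types.
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF `
                     -PropertyType DWord -Force | Out-Null
}

foreach ($hive in 'HKLM', 'HKCU') {
    $mask = Get-AutoRunMask $hive
    if ($null -eq $mask) {
        "${hive}: NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    $open = @(Get-AutoRunExposure $mask)
    if ($open.Count -eq 0) {
        "{0}: 0x{1:X2} - AutoRun disabled for all listed drive types" -f $hive, $mask
    } else {
        "{0}: 0x{1:X2} - AutoRun still allowed for: {2}" -f $hive, $mask, ($open -join ', ')
    }
}
```

Run it without arguments to audit only. On firm-managed machines, set the same value centrally through Group Policy so it cannot drift per computer.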