Flash Drive Policy 2

[thegirlofsteel]

I was wondering if anybody has a Flash Drive, Thumb Drive policy at the organization. Our agency is a Hipaa agency and we do not allow the use of flash drives. We had a few employees backup their files onto flash drives so they can take it home to do work from home.

 

[SantaMufasa]

We had a few employees backup their files onto flash drives so they can take it home to do work from home.

If your agency does not allow the use of flash drives, do they allow you to work from home?

If they allow you to work from home, then how on earth can they justify your not using flash drives? It seems to me that if the agency restricts flash-drive use based upon their worries about breaking HIPAA regs, then they should be even more worried about working from home.

Mufasa
(aka Dave of Sandy, Utah, USA)
[I provide low-cost, remote Database Administration services: www.dasages.com]

 

[AndrewTait]

The company I work for actively promote the use of pen drives, and to some key staff, even provide them. For instance, I have just ordered 6 4GB pen drives for our sailes team to carry presentations around on.

However, at the last place I worked, they were initially discouraged. However, as more and more people got them for themselves, it was increasingly hard to police, without disabling USB ports etc.

=======================================
So often times it happens that we live our lives in chains
And we never even know we have the key

Ne auderis delere orbem rigidum meum
======================================

 

[thegirlofsteel]

Sorry Santa Mufasa, I meant a couple of my employees had purchased flash drives and backed up their docs onto the flash drive without IT knowing. We just received encryption software but we are first going to test it.

Anyhoo....I am just looking for some sort of policy restricting the use of these devices. They are valuable little tools, especially for presentations...but we want (IT) to be able to control who has them and ensure that they don't take home any confidential patient information.

 

[johnherman]

Aaaah, HIPAA problems. Just get them to sign a sheet acknowledging their responsibilities to protect PII and specifically noting their use of portable storage devices to transport data to other work locations and explaining that no PII can be transported that way.

From a legal perspective, you should be covered. From a realistic perspective, if you can't trust then away from the office, why bother to trust them in the office.

-------------------------
The trouble with doing something right the first time is that nobody appreciates how difficult it was - Steven Wright

 

[LadySlinger]

I'm sure that you can restrict the installation of any USB devices through GPO (if you run any Windows servers).

We discourage rather than restrict here. You're only allowed to have a thumb device if someone in IT has given you one.
Mainly its due to the fact that we have some of our computers off the network that sometimes we have to transfer information between. With laptops and desktops coming without floppy drives (as a standard, I know you can still get them with floppies installed), I have accidentally ordered a few and their manager preferred for me to order a Flash drive instead.

The ones with encrypted software work pretty well. One of my users does use it since he travels a lot.

 

[AlexCuse]

I work at a hipaa agency as well, but I have never heard anything about prohibiting flash drive use. I wonder if I should have? Maybe I just signed a paper saying I wouldn't put PII on them when I started. Now I am wondering if I'm in trouble :-(

Ignorance of certain subjects is a great part of wisdom

 

[Grenage]

If you've got a policy telling people not to take confidential data off-site without permission, I would imagine you are covered, Alex.

Our policy is configured to disable WRITE access on USB drives (XP feature, through registry/GPO), it's enabled if you're an administrator. On the few remaining 2k machines, I think we disable it completely.

Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[traingamer]

I, too, work at a hipaa organization, and we have specific rules about what we can and cannot backup to thumb drives.

At my last job, we had lots of hipaa, phi and credit data and usb ports were completely disabled for the bulk of the organization.

Greg
"Personally, I am always ready to learn, although I do not always like being taught." - Winston Churchill

 

[finalee]

We're strict. We block floppy, cd, and usb drives on every machine via Group Policy.

Legal IT Jobs:

http://www.legalitjobs.net

Financial IT Jobs:

http://www.financialitjobs.net

 

[Demonpiggies]

I work for an Agfa company who uses Hippa and all I signed was a sheet saying I would not use any client data for personal or proprietary purposes or I'll be prosecuted. I just hooked up my portable HD so I could listen to Lynard Skynard. There is no policy on drives or copying client info here. Mainly because a large number of people work off site and need access to our server. Some even create their own DB so they don't have to connect. It seems a little barbaric to disallow use of a portable drive. Are employees allowed to use/load personal content (pictures, music, doc.'s) on their workspace/office?

 

[Diancecht]

Well, this is an old discussion, but there's a point on blocking it. The office equipment's primary objective is just work, and should have priority over personal matters.

I'd never block that, the right policy for me would be an employee agreement, but I can't agree the personal documents reason: you can take you music on your mp3 player and I don't think your personal files or photos are a business matter.

Cheers,
Dian

 

[Demonpiggies]

True but if I can bring in an mp3 player what is there to say I won't just hook it up to my workstation whether to play it through the system or to copy some files? If you make a policy against thumb drives and such you do have to basically outlaw all types of extra/personal drives that can access the hardware. And truthfully unless you're uber corporate/professional or on a networked workstation why can't you put a background picture of say your wife/daughter/son/brother etc. on? True that statement is case by case but it does allow for the same argument. Then also what about internet storage space where I can upload/download whatever (including business apps/doc.'s)? This discussion does lead down a philosophical slippery slope. I'm still in favor of the legal writ saying you cannot use this information in any way unless directed so by the corp. Then that employee is personally responsible and really can't make an argument of negligence or stupidity.

 

[monkeylizard]

Not so. Having someone sign a slip of paper does not excuse the company from negligence if there is indeed negligence. The copmpany is charged with securing confidential information. If it does not take reasonable steps to do so, it can be called negligent.

The real catch is "reasonable steps." That would likely have to play out in a jury trial for a negligence suit. Would the jurors consider allowing thumb drives, Internet storage site uploads, portable HDDs, etc to be a reasonable action by a company charged with securing their private information? Not likely IMO, though I'm not a lawyer and am unfamiliar with any specific case-law related to this issue. If I was a juror and a HIPAA-type organization was on trial, it would be hard to convince me they weren't negligent given technological security controls available today. At no point in time should an employee's perceived "right" to play music and have a fluffy bunny wallpaper endanger the security of the corporate data.

BTW, a signed agreement for employee policy is not a writ.

Monkeylizard
Sometimes just a few hours of trial and error debugging can save minutes of reading manuals.

 

[Demonpiggies]

First I believe some may have not understood what I meant.
I did not mean 'writ' as to say a supeona but my boss does have "administrative jurisdiction" over me and can LEGALLY have me fired, removed and banned from this site without a lawyer (but will have one to cover all legal bases).

"In law, a writ is a formal written order issued by a body with administrative or judicial jurisdiction." - Wiki.

Please don't take this out of context I meant writ as to say a formal agreement where both parties understand the compulsory legal response from the administration, HR and the legal party.

"At no point in time should an employee's perceived "right" to play music and have a fluffy bunny wallpaper endanger the security of the corporate data."

I never said that it was a right and that is the key idea: if you allow your employee the ability to use such devices/sites/luxuries then you HAVE to make certain rules against their limit of interaction/exposure with said information either forcefully or legally. I was trying to make the point that if employee "A" wants case "B"'s information what is stopping "A" from doing so? If "A" has read and signed a legal agreement saying "A" will NOT download/upload/publicize/make a personal profit from any of HIIPPA's cases then "A" is responsible. The corp. will feel the backlash but that will always be. If I go on site to fix something and I decide to whip it out and urinate on the floor, OF COURSE the site will be angry at me but they will be even angrier at the corp. for hiring and sending me even though all responsibility should fall squarely on me.
hopefully I've made my case clear: You can't have one (free use of mp3/thumb/portable drives) without the other (some written form limiting their use/access).

 

[monkeylizard]

And what I'm saying is that no written, signed slip of paper holds any weight with me if I'm a juror if the company did not also take actual precautions to prevent unauthorized data access/transfer.

And my writ comment was just being pedantic. Sorry.

Monkeylizard
Sometimes just a few hours of trial and error debugging can save minutes of reading manuals.

 

[Demonpiggies]

That's cool I thought maybe I needed to explain myself little clearer than before. See whether you believe in a signed piece of paper is kind of negligible mainly because you would be deciding if the employee (Not the corp.) was in violation of any Trade Secret Acts.

people who sign nondisclosure agreements (also known as "confidentiality agreements") promising not to disclose trade secrets without authorization from the owner. This may be the best way for a trade secret owner to establish a duty of confidentiality. Even though employees are bound under an implied duty not to disclose sensitive information...because such agreements make it clear to the employee that the company's trade secrets must be kept confidential...

Truthfully I'm all about taking personal responsibility. Everyone who has ever been hired for a job (90% of all jobs anyway) have signed a nondiscolsure form. So even if you were still saying "not guilty" on a jury case most likely your other peers may not see it the same. I mean a company can only go so far before the start Big Brother procedures right? And seeing as how there is a HUGE conservative movement, they may see it as it really is: theft of property. And stealing is stealing.

More on nondisclosure agreements (rights and law)

http://www.nolo.com/article.cfm/cat...F62E6-B334-4E83-9A94FA20A3FAFD38/310/119/ART/

 

[strongm]

> no written, signed slip of paper holds any weight with me if I'm a juror if the company did not also take actual precautions to prevent unauthorized data access/transfer

In the UK, you just might find yourself being directed by the judge on this; UK jurors are not allowed to make up the law to suit their views.

 

[harebrain]

It boils down to negligence. Don't you have that concept in the UK?

 

[strongm]

You will note I (very specifically) did not say what the direction from the judge might be. That wasn't my point.