In regulated environments, and in health care in particular, access to data on workstations and other compute devices may be highly restricted, and those restrictions can interfere with reading data from a connected device.
In such environments, USB storage devices may be banned outright, or permitted only by exception, to address two IT risks:
- Inappropriate data or code being introduced to a system, which could threaten the data or the integrity of the system and the network. Examples include viruses, trojan horses, remote backdoors and ransomware. Because malicious code can be introduced from a storage device as soon as it is accessible, access is often blocked completely.
- Inappropriate access to data. Users of systems that process Protected Health Information (PHI) are subject to additional restrictions that prevent them from copying or saving private or sensitive data from the system to a portable device.
The OneTouch Verio, Select Plus and Select Plus Flex meters can cause difficulty for clinics under some policy configurations because they present to the computer as USB Mass Storage devices and require both READ and WRITE access to function correctly.
Under normal configurations these devices do not pose a problem, but in some environments the rights required to change the relevant permissions mean that additional review by the organization's IT, Active Directory or Security administrators is needed.
Computer-level security controls are used to reduce the risk of portable storage access in a corporate environment such as a Windows Active Directory domain, and a device-specific permission or configuration may be needed in either of the following control domains.
Windows Group Policy settings may be applied to either a user or a computer account.
- Policy settings are hierarchical:
  - Local Computer Policy may be configured when the machine image is built
  - Active Directory Domain policy objects can be configured to override local policies, so a setting changed locally is reverted at the next policy refresh if a domain policy also sets it
Security endpoint agents and software can monitor and control access dynamically. Their rules may be static, behavioral and/or tied to identity.
- Windows Defender, Microsoft Intune and Office 365 all provide device control policies.
- Third-party security endpoint agents implement similar controls and use many of the same underlying Windows settings.
Examples
Windows Computer Group Policy settings to permit a USB storage device when a specific device is mounted
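The following PowerShell script is an added example for this article; it is not part of the original page and not part of Tidepool's software. It audits the built-in Removable Storage Access policy (the values a Group Policy object writes under HKLM and HKCU \SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices), lists the USB disks currently attached together with the VID/PID of their parent USB device, and reports whether a device that needs both READ and WRITE, as the OneTouch meters do, would work on this host. The registry paths, value names and the "Removable Disks" class GUID are the documented ones for that policy; the OneTouch VID/PID is deliberately not hard-coded and should be taken from the OneTouch USB ID list in the References. Run it from an elevated PowerShell prompt on Windows 10 or 11.

```powershell
# Added example (not from the original article or Tidepool's software): audit the
# Removable Storage Access policy and report whether a USB Mass Storage meter that needs
# READ and WRITE would function on this host. Requires an elevated prompt.

# Device setting class GUID for "Removable Disks" used by the Removable Storage Access policy
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # Check both the computer (HKLM) and user (HKCU) policy hives: a GPO can be linked to
    # either, and a Deny in either hive blocks the device for the logged-on user.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root     = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        $classKey = Join-Path $root $RemovableDisksClass
        $all = if (Test-Path $root)     { Get-ItemProperty -Path $root }     else { $null }
        $cls = if (Test-Path $classKey) { Get-ItemProperty -Path $classKey } else { $null }
        [pscustomobject]@{
            Scope       = $hive
            DenyAll     = [bool]($all.Deny_All     -eq 1)   # "All Removable Storage classes: Deny all access"
            DenyRead    = [bool]($cls.Deny_Read    -eq 1)   # "Removable Disks: Deny read access"
            DenyWrite   = [bool]($cls.Deny_Write   -eq 1)   # "Removable Disks: Deny write access"
            DenyExecute = [bool]($cls.Deny_Execute -eq 1)   # "Removable Disks: Deny execute access"
        }
    }
}

function Test-MeterAccess {
    # The OneTouch Verio / Select Plus meters present as a removable disk and need READ and WRITE.
    param([Parameter(Mandatory)][object[]]$Policy)
    $reasons = foreach ($p in $Policy) {
        if ($p.DenyAll)   { "$($p.Scope): all removable storage denied" }
        if ($p.DenyRead)  { "$($p.Scope): READ denied on removable disks" }
        if ($p.DenyWrite) { "$($p.Scope): WRITE denied on removable disks" }
    }
    if (-not $reasons) { return 'Removable Storage Access policy permits READ and WRITE; the meter should mount.' }
    return 'Meter would NOT function: ' + ($reasons -join '; ')
}

function Get-UsbDisks {
    # Disks attached over USB enumerate under USBSTOR; the VID/PID that an allow-list or the
    # OneTouch USB ID list refers to is carried by the parent USB node, so walk up one level.
    Get-PnpDevice -PresentOnly -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent').Data
            $vidpid = if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                "VID_$($Matches[1]) PID_$($Matches[2])"
            } else { 'n/a' }
            [pscustomobject]@{
                Disk     = $_.FriendlyName
                Status   = $_.Status   # 'Error' usually means driver installation was blocked
                                       # (Device Installation Restrictions), not a read/write deny
                VidPid   = $vidpid
                ParentId = $parent
            }
        }
}

$policy = Get-RemovableStoragePolicy
$policy | Format-Table -AutoSize
Test-MeterAccess -Policy $policy
Get-UsbDisks | Format-Table -AutoSize
```

Two caveats follow from how the policy is stored. First, the values under \SOFTWARE\Policies reflect whichever Group Policy object applied last, local or domain; because domain policy overrides local policy, a Deny value cleared by hand on the workstation returns at the next policy refresh, so use `gpresult /h report.html` to find which GPO sets it rather than editing the registry. Second, the Removable Storage Access policy is evaluated per device class (all removable disks), so it cannot exempt a single meter by VID/PID; a per-device exception needs a Device Installation Restrictions allow-list or the device-control feature of an endpoint agent, which is why the review by IT or Active Directory administrators described above is often required.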
Microsoft Intune device policies
References
- OneTouch USB ID list
- Manage USB devices on Windows hosts
- Windows Defender removable device control
- Microsoft Intune device templates
Please reach out to support@tidepool.org if you have any questions or feedback on this article.