Home  >  Engagement   >   USB Thumb-drives: Just a Bad Idea for PHRs

USB Thumb-drives: Just a Bad Idea for PHRs

by John Moore | August 26, 2008

In performing the research that led up to the publishing of our iPHR Market Report in May, one step we took was to look at ll the multitudes of PHR solutions in the market and on which form factor were they offered (i.e., desktop solutions, USB-centric solutions or native Internet apps provided as a service SaaS model).  We came to the conclusion that Internet-based apps would be the preferred modality in the future and see the greatest adoption.

Our justification went something like this:

Desktop solutions are not “connected” making them too burdensome for most consumers as they must self-enter health information.  They are also not very portable.  To achieve portablity, many desktop solutions are combined with a USB thumb-drive that the consumer can take with them on travel.  Also, hospitals have often given patients a copy of their records and discharge summaries on such USBs, which some PHR vendors claim as a user – sure they are…  (One of the self-proclaimed “market leaders” is notorious for making this claim. ) There are still quite a few USB-based PHR product offerings in the market today, but they will fade in time.

They will fade for the simple reason that they pose a serious security risk. I can’t imagine any IT admin allowing a consumer’s USB to get anywhere near a system’s computer/network – there are simply too many security risks.  Back in early 2007, two researchers at Oregon University showed just how vulnerable PHR-based USBs were to a malicious hack.  Today, I read another good article on security risks that goes beyond risks from just USBs, but risks from about anything you might plug into your computer, referred to as supply chain risks.  These supply chain risks take security threats to a whole new level.  How IT departments respond to this relatively new risk is something that bears close scrutiny.

2 responses to “USB Thumb-drives: Just a Bad Idea for PHRs”

  1. misstrade says:

    However Biometric Proximity Based Technologies make total sense. Coming very soon to a PHR near you!

    Write me if you would like to talk


  2. michael says:

    The problem identified in the report is not USB devices per-se, but that fact that the use of the particular devices examined *requires* running software included on the device to view the data stored on the device.

    Thus, the vulnerability is due to running potentially untrustworthy software. If. instead.

    Such a vulnerability should not exist if the USB device is merely a thumb drive used for transferring data from one system to another. (Assuming of course that these systems take the essential security steps of disabling auto-run.)

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay up to the minute.