Hardware-encrypted USB Drives

Portable storage devices such as USB thumb drives, data sticks, pen drives, memory units, and key and chain drives (i.e., USB flash drives) give BSD staff, students, and faculty a convenient way to transport and store large amounts of data because of their size, portability, and reliability. That same portability means a device can be lost or stolen along with any confidential data stored on it.

Hardware-Encrypted USB flash drives provide the best protection in the event the drive is lost or stolen. Data is encrypted in the background and becomes undecipherable, so a malicious user will not be able to access it without providing the private password.

Alternatively, BSD faculty and staff may use UChicago Box to store and access files remotely without the need for USB flash drives.

Background

In 2017, Internal Audit completed an assessment of encryption within the BSD. The audit resulted in notable findings that are being addressed systematically by BSD IT and the BSD Information Security Office (ISO). Phase II of this initiative requires the implementation of safeguards to prevent confidential information from being stored on insecure USB flash drives. These safeguards will restrict select desktops and laptops from saving data to USB flash drives unless the drive is secure.

Regulations and government contracts require encryption to safeguard research data and to protect the privacy of patients, employees, and students. Hardware-Encrypted USB flash drives are critical to safeguarding not only patient health information but also other forms of confidential information including draft manuscripts with critical data, budgets for grant applications that contain confidential salary information, and student performance data.

In February 2017, CBIS implemented the same safeguards, using similar technology, through the UCM Data Guardian program on 10,000+ devices (CBIS devices and BSD devices supported by CBIS).

BSD Business Unit Type:

Each non-UCMIT supported BSD Department is categorized by Business Unit Type. A BSD Department’s Business Unit Type determines the USB flash drive enforcement requirements the department must adhere to, as defined in this table:

| Business Unit Type | Encrypted USB Flash Drive Enforcement Requirements |
| --- | --- |
| Clinical | All organizational desktops and laptops. |
| Clinical Research | All organizational desktops and laptops. |
| Translational Research | All organizational desktops and laptops. |
| Basic Sciences | All organizational desktops and laptops. |
| BSD IT | All organizational desktops and laptops. |

Click this page to determine what Business Unit Type your department is defined as. If not listed, please contact security@bsd.uchicago.edu.

About the Safeguards:

USB flash drive safeguards will be applied to organizationally owned Windows devices not managed by UCMIT in select departments, using the University of Chicago’s antivirus solution (Symantec Endpoint Protection, or SEP), which is already installed on laptops and desktops. The safeguard will allow data to be read (downloaded) from a non-secure USB flash drive, but will not allow data to be written (uploaded) unless the USB flash drive is secure.

Frequently Asked Questions:

What’s considered confidential data?

There are various types of confidential information. For details on what is considered confidential information, please review the University of Chicago policy HR601 – Treatment of Confidential Information.

What Hardware-Encrypted USB flash drives are permitted for use?

The following Hardware-Encrypted USB flash drive models are permitted for the storage of confidential information:

  • Apricorn Aegis – All models
  • Kingston USB Storage – DataTraveler models
  • IronKey – All models

If I’m in a Basic Sciences department and do not have confidential information, do I need to purchase a Hardware-Encrypted USB flash drive?

Yes, enforcement of the USB encryption policy is required for all BSD departments. Non-compliant USB flash drives will require a USB exemption per device.

If I’m in a Clinical department and utilize USB flash drives, but do not have confidential information, do I need to purchase Hardware-Encrypted USB flash drives?

Yes, enforcement of the USB encryption policy is required for all BSD departments. Non-compliant USB flash drives will require a USB exemption per device.

I would like to purchase a Hardware-Encrypted USB flash drive.

A better way to store your data is on UChicago Box, which can be used to store and access files remotely without the need for USB flash drives. All USB flash drives must be purchased through Buysite.

I have a number of USB flash drives.  Should I replace them all?

Yes.  All your USB flash drives should be replaced.  Non-compliant USB flash drives will require a USB exemption per device.

Someone gave me a non-compliant USB flash drive.  Will I be able to download data from that drive?

Yes.  You will be able to download data from non-compliant USB flash drives.  However, you will not be able to write/upload to non-compliant USB flash drives. If you have any additional questions, please reach out to your local departmental IT for support.

I have a non-compliant USB flash drive.  How do I get an exemption?

Please email the BSD ISO at security@bsd.uchicago.edu to request a USB exemption.