Hardware-Encrypted USB Flash Drives

Portable storage devices such as USB thumb drives, data sticks, pen drives, memory units, and key and chain drives (collectively, USB Flash Drives) give BSD staff, students, and faculty a convenient method of transporting and storing large amounts of data because of the devices’ size, portability, and reliability. That same portability means a device can be lost or stolen along with any confidential data stored on it.

Hardware-Encrypted USB Flash Drives provide the best protection in the event the drive is lost or stolen. Encryption happens in the background; once data is encrypted it is undecipherable, and a malicious user will not be able to access it without providing the private password.

Alternatively, BSD faculty and staff may use UChicago Box to store and access files remotely without the need for USB Flash Drives.

Background:

In 2017, Internal Audit completed an assessment of encryption within the BSD. The audit resulted in notable findings that are being addressed systematically by BSD IT and the BSD Information Security Office (ISO). Phase II of this initiative requires the implementation of safeguards to prevent confidential information from being stored on insecure USB Flash Drives. These safeguards will restrict select desktops and laptops from saving data to USB Flash Drives unless the drive is secure.

Regulations and government contracts require encryption to safeguard research data and to protect the privacy of patients, employees, and students. Hardware-Encrypted USB Flash Drives are critical to safeguarding not only patient health information but also other forms of confidential information including draft manuscripts with critical data, budgets for grant applications that contain confidential salary information, and student performance data.

In February 2017, CBIS implemented the same safeguards, using similar technology, through the UCM Data Guardian program on 10,000+ UCM and BSD devices supported by CBIS.

BSD Business Unit Type:

Each non-CBIS supported BSD Department is categorized by Business Unit Type. A BSD Department’s Business Unit Type determines the USB Flash Drive enforcement requirements the department must adhere to, as defined in this table:

| Business Unit Type | Encrypted USB Flash Drive Enforcement Requirements |
|---|---|
| Clinical | All organizational desktops and laptops. |
| Clinical Research | All organizational desktops and laptops. |
| Translational Research | All organizational desktops and laptops. |
| Basic Sciences | Organizational desktops and laptops that store, process or transmit PHI or other confidential information. |
| BSD IT | All organizational desktops and laptops. |

Click this page to determine what Business Unit Type your department is defined as. If not listed, please contact security@bsd.uchicago.edu.

About the Safeguards:

USB Flash Drive safeguards will be applied to organizationally owned Windows devices not managed by CBIS in select departments, using the University of Chicago’s antivirus solution (Symantec Endpoint Protection, or SEP), which is already installed on laptops and desktops. The safeguard will allow data to be downloaded or read from a non-secure USB Flash Drive, but will not allow data to be uploaded or written to a USB Flash Drive unless the drive is secure.

Frequently Asked Questions:

Q1.  What’s considered confidential data?

A1. There are various types of confidential information. For details on what is considered confidential information, please review University of Chicago policy HR601 – Treatment of Confidential Information.

Q2. What Hardware-Encrypted USB Flash Drives are permitted for use?

A2. The following Hardware-Encrypted USB Flash Drive models are permitted for the storage of confidential information:

  • Apricorn Aegis – All models
  • Kingston USB Storage – DataTraveler models
  • IronKey – D300 or S1000 models

Q3. If I’m in a Basic Sciences department and do not have confidential information, do I need to purchase a Hardware-Encrypted USB Flash Drive?

A3. No, you do not need to purchase a hardware-encrypted USB Flash Drive unless you are storing confidential information on an insecure USB Flash Drive.

Q4. If I’m in a Clinical department and utilize USB Flash Drives, but do not have confidential information, do I need to purchase Hardware-Encrypted USB Flash Drives?

A4. Yes. Enforcement of secure hardware-encrypted USB Flash Drives for Clinical departments will begin on 3/31/2018, and non-secure USB Flash Drives will no longer be permitted for use.

Q5.  I don’t know what type of department I’m in.  Should I get a hardware-encrypted USB Flash Drive?

A5. As a general rule of thumb, if you work with or might potentially receive confidential data, then please use a hardware-encrypted USB Flash Drive. If you don’t know, please refer to your department’s IT Custodian.

Q6. If I don’t get a drive through the Secure USB Flash Drive Exchange, how do I purchase one?

A6.  A better way to store your data is on UChicago Box which can be used to store and access files remotely without the need for USB Flash Drives. All USB Flash Drives must be purchased through Buysite.

Q7.  I have a number of USB Flash Drives.  Should I replace them all?

A7.  Yes.  All your USB Flash Drives should be replaced.  Non-compliant USB Flash Drives will no longer work after 03/31/2018.

Q8.  Someone gave me a non-compliant USB Flash Drive.  Will I be able to download data from that drive?

A8.  Yes.  You will be able to download data from non-compliant USB Flash Drives.  However, you will not be able to write/upload to non-compliant USB Flash Drives after 03/31/2018.

If you have any additional questions, please reach out to your local departmental IT for support.