Securing Your Desktops – Pod Slurping

Securing your desktop machines is probably one of the most important parts of any HIPAA policy. I have a feeling that this topic will continue to get more and more attention as time goes on and people get caught with desktops that are not protected. This could definitely lead to a potential HIPAA lawsuit that I’m sure you want to avoid.

The Healthcare IT Guy recently posted some good information on what is being called “Pod Slurping”, where someone with a small iPod can extract large amounts of data from your systems. There are some really great posts out there on what you can do with an iPod. When you add all the different types of USB memory sticks and other small data-carrying devices, you could get into some real trouble if you’re not careful. Protecting yourself against these types of “attacks” will be essential.

I really see two methods of protecting yourself. First, you could create a policy that these types of devices aren’t allowed in your environment. While this is difficult to control, it is definitely a step in the right direction. The key to this working is enforcement whenever someone violates the policy. If it is made clear that there are severe consequences for violating the policy, it will give you a layer of protection.

Second, there are some new programs out there that are really gaining momentum and becoming a great (albeit expensive) option for the future. My favorite option is Cisco’s Security Agent. I trained on this product and it is very powerful. Because it is so powerful, it is often not practical for the small doctor’s office. However, larger organizations should seriously look at this option. Not only can it protect your EMR from rogue USB and iPod devices, but it can also minimize the need for anti-adware and anti-virus programs. There are many other software packages on the market that do this also.

I would suggest using a combination of these two ideas to secure your environment. If your software implementation is good you shouldn’t need to worry about the first method, but it is always a good idea to have the policy in case the software doesn’t work right. Plus, auditors like to see those types of policies.
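As an added example that is not part of the original post (and not Cisco Security Agent or any other product mentioned here), the script below shows the kind of desktop control the second method refers to, using the Windows “Removable Storage Access” policy that Group Policy writes into the registry. The registry path, the “Removable Disks” device-class GUID and the Deny_Read/Deny_Write/Deny_Execute value names are the real Windows policy locations; the function names (Set-RemovableDiskPolicy, Get-RemovableDiskPolicy, Test-RemovableDiskPolicy) are this example’s own. It denies writes to USB sticks and iPods in disk mode while still allowing them to be read, and includes a check function that can serve as audit evidence that the control is in place.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enforce and audit the Windows
# "Removable Storage Access" policy for the "Removable Disks" device class.
# The path, GUID and Deny_* value names are the real policy locations;
# the function names are this example's own.

# Device class "Removable Disks" (USB sticks, iPods in disk mode, card readers)
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$PolicyKey  = Join-Path $PolicyRoot $RemovableDisksClass

function Set-RemovableDiskPolicy {
    <#
    .SYNOPSIS
    Denies read, write and/or execute access to removable disks for every
    user of this machine. A switch that is omitted leaves that access allowed.
    #>
    param(
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Windows reads each value as a DWORD: 1 = deny, 0 (or absent) = allow
    $settings = @{
        Deny_Read    = [int][bool]$DenyRead
        Deny_Write   = [int][bool]$DenyWrite
        Deny_Execute = [int][bool]$DenyExecute
    }
    foreach ($name in $settings.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-RemovableDiskPolicy {
    <#
    .SYNOPSIS
    Reports the policy as currently written. A missing key or value is
    reported as "not denied", which is how Windows treats it.
    #>
    $result = [ordered]@{ DenyRead = $false; DenyWrite = $false; DenyExecute = $false }
    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        $result.DenyRead    = [bool]$props.Deny_Read
        $result.DenyWrite   = [bool]$props.Deny_Write
        $result.DenyExecute = [bool]$props.Deny_Execute
    }
    [pscustomobject]$result
}

function Test-RemovableDiskPolicy {
    <#
    .SYNOPSIS
    Compliance check for the control: $true only if writes to removable disks
    are denied. Run it across your desktops to show an auditor the policy holds.
    #>
    (Get-RemovableDiskPolicy).DenyWrite
}

# Usage: block copying data out while still allowing staff to read from USB
# media (e.g. vendor-supplied updates), then verify that the setting is present.
Set-RemovableDiskPolicy -DenyWrite
Get-RemovableDiskPolicy | Format-List
if (Test-RemovableDiskPolicy) { 'Removable-disk writes are denied.' }
else { 'WARNING: removable-disk writes are still allowed.' }
```

Two caveats a practitioner should keep in mind: on a domain-joined machine the next Group Policy refresh will overwrite whatever is set locally, so the same setting belongs in a domain GPO (Computer Configuration > Administrative Templates > System > Removable Storage Access) rather than only in this script; and a reboot is the reliable way to make the policy apply to devices that were already connected. The check function is the piece auditors care about, since it turns “we have a policy” into something you can demonstrate per machine.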

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Interesting you should mention a policy that forbids USB devices.

    While a simple “don’t use these policy” would be hard to control, especially against an employee aimed at stealing information for profit…

    Technology does allow blocking of USB ports. (Centurian Technologies for one).

  • Is it possible we’re trying to close the barn door after all the horses are already gone? If you extract key identity info into a text file and ZIP it up, you can burn a CD with more information than an identity thief would need to be set for life. Then there’s uploading info to the Web onto, which works over port 80. Bluetooth… infrared… the list goes on, and will go on further.

    There must be some as-yet-unforeseen solution to this problem, but as yet, I can’t foresee it. 😉

  • I like the Centurion Technologies software. I’ve seen quite a few of these companies popping up at a recent conference I went to. The biggest problem with them is the technology is so great that they charge a hefty price for that kind of security. Also, they often do 10 times more than you really want and need them to do, which means you are paying for a lot of things you don’t really need.

    A quick search of Google for centurian usb security gave me some interesting references to people who have really strapped down their systems using group policy. I think that’s worth another post down the road. There seems to be a lot you should/could do with that.

    Hopefully your EMR would have some security restrictions to prevent someone from extracting data also. So, that’s an important layer. I also don’t see burning the data to a CD as a major problem, since most of my machines don’t come with a burner for that reason, or they could be restricted similarly to a USB key.

    Your idea of uploading info to makes me wonder about that security. I’ll have to think about this more. I think that Cisco Security Agent can restrict this action and that is why it is probably the security model of the future. Bluetooth, infrared and other unforeseen technologies will continue to plague us, I’m sure.

    I learned a philosophy from my hacker friend in college that has stuck with me. He said that you will never be able to make a system so secure that no one can hack into it. The key is to make it hard enough that people will move onto other computers that are easier to get into.

  • GFI has recently released a new whitepaper which discusses the problem with uncontrolled use of iPods, USB sticks and flash drives on companies’ networks. It is entitled “Pod slurping: an easy technique of stealing data”; access to this whitepaper is free, and furthermore requires no registration. The whitepaper is found .

  • In our company we’ve faced a challenge of project data theft with USB sticks. The easiest way was to block all USBs, but then what do you do about the necessary USB devices (keyboards, mice)?

    We solved this when we turned to ScriptLogic’s solution for desktop management, Desktop Authority. This utility has a built-in USB security option for controlling and blocking unauthorized use of devices and ports.
    We’ve blocked the use of USB sticks altogether for a big group of users, and allowed read-only access for another group. We restricted MP3 players, iPods, PDAs and BlackBerries for all users.

  • I have just come across a website which provides a wonderful tool to comply with a regulation like HIPAA, and it also helps in complying with many other regulations. It is a crosswalk matrix poster between different regulations, a very useful tool for a compliance team and risk management office. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes-Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada).