The Universal Serial Bus (USB) is rapidly replacing RS-232 connections on medical devices. As more device vendors adopt general-purpose operating systems like Windows CE, it becomes very easy to leverage USB for connectivity.

When faced with complex connectivity requirements, it is very tempting to just push those requirements off on the user by providing a USB port and thumb drive. Besides the fact that reading and writing data to a USB drive only barely qualifies as "connectivity" (resulting in manual, error-prone workflows), USB drives pose a substantial security threat. Standard USB drives have no built-in security.

Anyone can bring a widely available USB drive to a device and download or upload data. Also, there is no way to tell if the USB drive has executable code that will push a Trojan horse or other malicious code onto the target device. This is especially worrisome if your device is running a general-purpose operating system like Windows, but even Linux would not be immune to this.

All of this came to mind after reading this brief paper by Adam Wright and Dean Sittig, both of OHSU, in the current issue of Annals of Internal Medicine. Their paper describes the security threats posed by USB-drive-based personal health records. If you don't have a subscription, you can read the PDF file here.

We identified 5 major USB-based personal health records [...and] obtained 3 of these devices, analyzed them to determine their structure, and attempted to modify the software program on each device to perform actions of our choosing. No device was manufactured with protections against this.

We modified the programs on the devices so that, when connected to a computer, they gave the appearance of normal operation but surreptitiously searched for and copied data from the computer to a hidden location on the USB device.

