IN for 2026: Cybersecurity | OUT: USB Storage Devices
At UVA Health, protecting our data — be it patient, research, or operational data — is everyone’s responsibility. To strengthen our cyberdefenses, starting in March, UVA Health will begin blocking the use of USB storage devices (e.g., “thumb” drives and other external storage drives) on all UVA Health personal computers (PCs).
“Ransomware attacks on healthcare organizations are rising, and USB storage devices are a common access point for bad actors,” said Chris Baker, Chief Information Security Officer, UVA Health. “Blocking USB storage devices is a cybersecurity best practice across industries that handle sensitive data, including healthcare, government, tech, and finance. This work is a key component of our health system-wide IT security strategy.”
What to Expect
Once USB blocking is implemented on your UVA Health PC, if you try to connect an external drive you will receive a pop-up message telling you that access to the device is denied.
As an alternative to USB drives, HIT is encouraging all team members to use their OneDrive cloud storage account. All team members are automatically allocated 10GB of storage and more may be requested through ServiceNow. If you are not familiar with or are not using OneDrive, learn more on HIT’s Knowledge Base site.
This change does not affect USB-connected mice, keyboards, phone chargers, or similar accessories. Note that phones may be charged by plugging them in to a PC, but access to the data on them will be blocked.
While patient medical records collection has evolved significantly with One Team | United on Access, there will still be occasions when patients arrive with records on USB devices, whether at ambulatory clinics or inpatient/emergent patient transfers. The HIT team is working with clinical leaders to finalize workarounds for these cases and recommendations will be shared prior to go live.
Clinical Equipment and Other Special Use Cases
Information Security has been working closely with Clinical Engineering, other HIT teams, and clinical leaders to identify all medical equipment that requires the use of USB devices to transfer data and develop bespoke solutions for these devices. If your department has medical equipment that uses USB devices for data transfer and you are unsure if it has been accounted for in this process, please escalate to your manager, who may contact the HIT ServiceDesk to connect with the appropriate support team.
Timeline
The blocking initiative will start with a pilot in inpatient room PCs across all four UVA Health hospitals on Jan. 27. USB devices are used rarely — if ever — on inpatient room PCs, but these machines represent a key risk given their public access. Implementation for the pilot group is expected to take several weeks. From there, blocking will be rolled out in three waves starting in March. Order of implementation is based on impact, with the least impacted areas going first and high-impact areas (e.g., radiology, cardiology, etc.) last. HIT expects to complete the rollout by June 1, 2026, but importantly, this timeline will extend if needed to ensure a successful implementation. See below for the wave schedule.
Read the FAQs below to learn more, and watch your email for updates and reminders about the go-live in your area.
USB Blocking Initiative Frequently Asked Questions
Scope
- What USB devices are blocked? Which are still allowed?
  - Blocked: all external storage devices (e.g., “thumb” drives, external hard drives, etc.)
  - Allowed: USB-connected mice, keyboards, phone chargers, or similar accessories. Note that phones may be charged by plugging in to a PC, but access to the data on them will be blocked.
- Which health system entities are included in this initiative?
  - All health system entities: School of Medicine, School of Nursing, UVA Community Health, Health Sciences Library, UPG, University Medical Center.
Impact
- When will I/my team/my department be impacted?
  - See proposed rollout timeline below. Reminders will be shared ahead of each implementation wave.
- What should I do if a patient brings their medical records on a USB device?
  - The HIT team is working with clinical leaders in both inpatient and ambulatory care settings to finalize workarounds for these cases and recommendations will be shared before the first go live in March.
- What is the process to apply for an exception to this policy?
  - If you wish to apply for an exception to the USB blocking policy, please apply through ServiceNow.
- What happens if I accidentally connect a USB storage device?
  - You will see a pop-up window indicating that the device may not be accessed. If you see this pop-up, disconnect the USB device.
OneDrive Cloud Storage
- What is OneDrive?
  - Microsoft OneDrive is a cloud-based storage platform and the primary cloud storage solution available at UVA Health. It is pre-installed on all UVA Health computers and provides 10GB of storage space, ten times the capacity of the traditional F: Drive. By using OneDrive, you can securely access, sync, and share your files from your PC, web browser, or work phone. To ensure your data is backed up and automatically available whenever you switch computers, it is a best practice to always save documents to your OneDrive folder rather than local locations like "Desktop" or "Documents."
  - To learn about the many benefits of OneDrive, how to use it, and best practices for use, visit the HIT Knowledge Base site.
- How do I check my OneDrive storage capacity and request additional capacity?
  - To learn how to check your current capacity, visit the HIT Knowledge Base site.
  - To request additional storage space, open a ServiceNow ticket.
- Can PHI be stored on OneDrive?
  - While discouraged, OneDrive is secure and approved for the storage of PHI. It is an industry and UVA Health best practice to store as little PHI as possible (ideally, none).
- How can I share files with partners and vendors outside of UVA Health?
  - At this time, OneDrive will not allow for sharing outside of UVA Health. For now, the best way to share files with a trusted external partner is Dropbox.
  - However, Dropbox will eventually be retired and HIT will provide a new solution, which may be OneDrive.
Contact
- I am worried about data transfer from a piece of clinical equipment. Whom should I contact?
  - Different teams service different equipment, depending on the type (e.g., Clinical Engineering, HIT, dedicated IT teams for Pharmacy, Lab, Radiology, etc.).
  - If you are concerned that medical equipment that uses USB devices for data transfer in your department has not been accounted for, please escalate to your manager, who may contact the HIT ServiceDesk to connect with the appropriate support team.
- I am a researcher concerned about the impact USB blocking will have on my ability to share data with colleagues and collaborators — whom should I contact?
  - Please escalate to your manager, who may in turn contact the IT leaders for the School of Medicine and School of Nursing as needed.

