A radiology tech plugs a USB drive into a workstation to load a study. A vendor engineer plugs in a service device that "just talks to the imaging modality." Some of these are routine. Some are how attackers get in.
USB is the quietest threat surface in a hospital. There are USB ports on radiology workstations, on operating-room consoles, on pharmacy carousels, on the vendor service laptops that come and go with every imaging-modality visit. Some of those USB devices are legitimate. Some are USB attack tools — cheap, easily concealed hardware that pretends to be a keyboard and types its way into a workstation in a few seconds, or pretends to be a thumb drive while running a malicious payload, or pretends to be a network adapter and quietly creates a new device on your network. The HIPAA Security Rule has a specific section for this — §164.310(d)(1) Device and Media Controls — and it has been showing up in OCR resolution agreements with increasing frequency since 2024. We give you a way to actually enforce it.
usb-threat-detected event with the full device descriptor. For the network side: even without the agent, when USB tooling creates a new network device (a rogue USB-Ethernet adapter, say), our standard switch-side identification catches the new device the moment it appears on the wire.
What we mean when we say "USB attack tool."
If you have not worked closely with security tooling, the names below probably sound exotic. They are not. Each one is widely available for under $100 and is regularly used in real attacks and real penetration tests. Here is what they actually do, in plain terms.
Hak5 Rubber Ducky.
Looks like an ordinary USB thumb drive. When inserted into a workstation, it pretends to be a keyboard and types a pre-programmed script at machine speed — opening a command prompt, downloading a payload, installing a remote access tool, all before a human in front of the screen can react. About $80. Sold openly online. Used in actual healthcare breaches in 2023 and 2024.
Flipper Zero.
A small handheld device that does many things, including pretending to be a USB keyboard the way the Rubber Ducky does. Looks like a child's electronic toy. The same script-execution capability, but harder to spot because it does not look like a thumb drive.
O.MG cables.
USB cables — the kind you charge a phone with — that hide the same script-injection capability in the cable itself. Visually indistinguishable from a normal USB cable. Sold by a legitimate security vendor; widely used by real attackers because the legitimacy of "it's just a cable" makes them almost invisible.
BadUSB-class HID-spoofing devices.
"HID" stands for Human Interface Device — keyboards, mice, drawing tablets. "HID-spoofing" means the USB device tells the workstation it is a keyboard even though it is actually a storage device or a network adapter. Modern operating systems trust the device's self-description; that trust is what BadUSB-class hardware exploits.
Rogue USB mass-storage with attack profiles.
An ordinary-looking USB drive that, when inserted, executes a malicious autorun or carries a payload disguised as a routine clinical file. Older than the others on this list, still effective, still found in incident reports.
USB-Ethernet adapters used as covert network access.
A small USB-to-Ethernet adapter, plugged into a workstation, creates a second network connection through which an attacker can establish persistent access. The original workstation is still on the network and looks normal. The new connection is what reaches back to the attacker.
Why hospitals specifically have a USB problem.
USB is part of the clinical workflow.
Radiology techs accept USB drives from outside facilities to load priors. Anesthesia staff use USB memory to capture intraoperative case data. Researchers move imaging studies on USB. The vendor service engineer's USB programmer is part of how the imaging modality gets serviced. You cannot simply block USB at the operating-system level without disrupting the things clinical staff need to do.
The vendor service engineer is a recurring, ungoverned variable.
Field service engineers arrive on-site with USB tooling — software loaders, configuration utilities, firmware updaters. The tooling is legitimate. The behavior is not always: industry incident reports consistently note that vendor service personnel introduce USB devices into clinical environments without IT or InfoSec ever being notified. Most healthcare programs do not have a clean record of which USB devices crossed the perimeter last month.
The cyber-insurance questionnaire is starting to ask about it.
Healthcare cyber-insurance carriers have begun asking about removable-media controls specifically. The questions follow the language of HIPAA §164.310(d)(1) Device and Media Controls. A "we have policies" answer is no longer sufficient at most carriers; underwriters want evidence of actual technical enforcement.
OCR has noticed.
The Office for Civil Rights — the HHS agency that enforces HIPAA — has settled multiple cases in 2024 and 2025 that cite §164.310(d)(1) failures alongside the more common §164.308(a)(1)(ii)(A) risk-analysis findings. The pattern: a USB-borne breach happens, OCR investigates, and the resolution agreement reflects the absence of working removable-media controls.
What CybrIQ actually does about it.
1. A small optional agent on Windows and Linux workstations.
The only place in the entire CybrIQ product where we ever put software on an endpoint. It is optional. It is opt-in per host. You decide which workstations get it — typically the highest-risk ones first: radiology and modality workstations, OR consoles, pharmacy automation terminals, executive endpoints, finance, anything that touches privileged data. The agent enumerates the USB device tree — the list of devices the operating system thinks are plugged in — and compares each one against a curated database of known attack hardware.
2. A usb-threat-detected event when a match lands.
When the agent identifies a Rubber Ducky, a Flipper Zero, an O.MG cable, or a BadUSB-class device, it emits an event to your existing security tools through syslog or the REST API — the same channels every other CybrIQ event uses. The event includes the full USB device descriptor: vendor ID, product ID, device class, serial number; the matched attack-tool class; the workstation that observed it; the user who was logged in at the time. Your SOC or your existing incident-response process picks it up from there.
3. Allow-listing for legitimate hardware.
Some healthcare programs have legitimate uses for the same kinds of devices — clinical engineering test rigs, internal red teams, security researchers. The allow-list supports those without weakening the detection for everything else. Allow-list entries are scoped per host and per user and are logged for auditor visibility.
4. Network-side detection when USB tooling creates a new device on the wire.
Even on workstations without the agent, when a USB-Ethernet adapter or a similar "USB pretends to be a network device" attack tool creates a new device on the network, our standard switch-side identification picks it up. A new manufacturer code appears on a port that previously belonged to a workstation. We surface the new device the moment it appears, with the same change feed your inventory updates flow through.
5. Clean mapping to HIPAA §164.310(d)(1).
The Security Rule section on Device and Media Controls requires covered entities to "implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility." Together, a documented allow-listing process, a continuous USB-device log per workstation, and a real-time detection feed for known attack hardware form the technical-enforcement counterpart to those policies. An auditor will accept it as evidence.
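The agent flow in items 1 through 4 above, shown as an added illustration that is not CybrIQ's code: enumerated USB devices are matched by vendor/product ID against an attack-hardware table, per-host-per-user allow-list entries suppress matches, a usb-threat-detected event carries the descriptor fields listed above, and a switch-side check flags a MAC with a new manufacturer code (OUI) on a port. The VID/PID values, host names, user names and MAC addresses are constructed placeholders, not real product identifiers.

```python
from dataclasses import dataclass

# Constructed lookup table. The VID/PID pairs are PLACEHOLDERS, not the real
# identifiers of any product; a real agent uses a curated database.
KNOWN_ATTACK_HARDWARE = {
    (0xDEAD, 0x0001): "hid-keystroke-injector",   # Rubber-Ducky-style
    (0xDEAD, 0x0002): "handheld-hid-emulator",    # Flipper-Zero-style
    (0xDEAD, 0x0003): "implanted-cable",          # O.MG-style
}
# Allow-list entries scoped per (host, user), as the page describes.
ALLOW_LIST = {("ce-test-bench-01", "clin-eng"): {(0xDEAD, 0x0001)}}

@dataclass
class UsbDevice:
    vid: int
    pid: int
    dev_class: int   # USB bDeviceClass; 0x03 = HID (keyboard/mouse)
    serial: str

def usb_threat_event(dev, host, user):
    """Return the usb-threat-detected event dict, or None if the device is
    not in the database or is allow-listed for this host and user."""
    key = (dev.vid, dev.pid)
    tool_class = KNOWN_ATTACK_HARDWARE.get(key)
    if tool_class is None or key in ALLOW_LIST.get((host, user), set()):
        return None
    return {
        "event": "usb-threat-detected",
        "vendor_id": f"{dev.vid:04x}", "product_id": f"{dev.pid:04x}",
        "device_class": f"{dev.dev_class:02x}", "serial": dev.serial,
        "attack_tool_class": tool_class, "host": host, "user": user,
    }

def scan_device_tree(devices, host, user):
    """One pass over the enumerated USB tree; events go to syslog or REST."""
    return [e for e in (usb_threat_event(d, host, user) for d in devices) if e]

def new_devices_on_ports(previous, current):
    """Switch-side check (no agent needed): flag a MAC that appears on a port
    whose earlier MACs all carried a different OUI (first three octets)."""
    alerts = []
    for port, macs in current.items():
        old = previous.get(port, set())
        old_ouis = {m[:8].lower() for m in old}
        for mac in sorted(macs - old):
            if mac[:8].lower() not in old_ouis:
                alerts.append({"port": port, "new_mac": mac, "new_oui": mac[:8].lower()})
    return alerts
```

Wire `scan_device_tree` to your device-arrival hook and `new_devices_on_ports` to successive MAC-table snapshots; the event dict is what you would serialize to syslog or the REST endpoint.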
What this does not do.
It does not physically block the USB port. It does not encrypt USB-stored data. It does not replace a data-loss-prevention suite. It does not scan files on a USB drive for malware. What it does is identify the device the moment it is plugged in, and tell your existing tools what the device is — so the response (block at the OS level, disable the port via your endpoint policy, alert the SOC, walk the floor) can be made by the team and the tools you already operate.
A live walk-through, including the workstation-agent flow.
Bring a representative workstation if you can. We can demonstrate the agent and the detection events on a real device.
Book a demo. 30-day pilot, no fee. BAA available.