Little leaks

17.04.2006

"Many people have access to patients' Social Security numbers, personal information and diagnoses. So we toyed with banning flash drives and camera phones -- a double threat when the camera phones contain memory cards that can hold data -- but some people have a valid use for them," he explains. "And when we started to lock things down, the users screamed. One doctor said he couldn't give his PowerPoint presentation at another hospital."

McGill's solution was to install Sanctuary, a network monitoring product from SecureWave SA in Luxembourg that can restrict the use of personal storage devices based on a user's identity, individual PC workstations or the type of personal data device being connected to the network. Exceptions can be made for reasonable data-access requests, he says. However, the software can't protect against the use of a camera phone not connected to the network, so the hospital relies on a policy limiting where photos can be taken.

Network Lockdown

A more extreme approach was taken by Fabi Gower, vice president of information systems at Martin, Fletcher & Associates LP. The national health care staffing firm in Irving, Texas, has databases containing proprietary information about job candidates. Gower uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network's ability to write to portable storage devices.

"I'm a strong proponent of having control over the security of the business, whether you've got two employees or 2,000," Gower says. "The way we've got the network set up, employees can't plug PDAs, smart phones, flash drives or USB hard drives into the network. So I couldn't care less what they carry in, because I know our data is not leaving the building."