Doctors or technicians, say, could be logged on to a system and be interrupted by an emergency. They may leave their desks without logging out. All it takes, then, is someone within the facility to slip a USB drive in and record confidential information. Even if such a scenario never actually happens, hospitals have to be able to prove that it didn't. The question is how?
This problem is compounded by the fact that doctors are notoriously opposed to heavy-handed security. They want nothing standing between them and rapid access to patient data. So a blanket lockdown on thumb drives and CDs could result in a backlash from physicians.
This piece is largely a commercial for a company that makes security software for storage devices, but the problem is real.