The American Dental Association Sent Out Infected Flash Drives

May 6, 2016 | Security

The American Dental Association recently sent virus-infected flash drives to dental offices. While the mailing was well intended, it poses a real risk to patient data security. It also underscores the need for dental offices to take it upon themselves to properly secure their networks and react appropriately to potential threats.

We won’t go over the details here. If you would like the full story, check out the original Krebs article. Aside from delivering a virus, the troubling part of this story is the American Dental Association’s response. It is, in fact, irresponsible. Here is their email to ADA members:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away.

To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.

To download the PDF version of the CDT manual:

1. Click on the link »ebusiness.ada.org/login/ ··· ion.aspx
2. Log in with your ADA.org user ID and password
3. After you log in you will automatically be directed to a page showing CDT 2016 Digital Edition.
4. Click on the “Download” button to save the file to your computer for use.

If you have difficulty accessing or downloading the file, please call 1.800.947.4746 and a Member Service Advisor will be happy to assist you.

Many of the flash drives do not contain the Malware. If you have already used your flash drive and it worked as expected (it displayed a menu linking to chapters of the 2016 CDT manual), you may continue using it.

We apologize if this issue has caused you any inconvenience and thank you for being a valued ADA customer.”

The statement seems to make light of the severity of the situation. The potential infection allows someone to gain control of the infected PC and potentially all of the information within that system. This could place a dental office at considerable risk for a HIPAA violation and associated liability for damages done to a patient via identity theft.

They also advise that “your anti-virus software should detect the virus.” That statement is bad advice. Treat any potential threat as serious. Your patients’ data and your practice are on the line.

The email also says: “Many of the flash drives do not contain the Malware. If you have already used your flash drive and it worked as expected (it displayed a menu linking to chapters of the 2016 CDT manual), you may continue using it.”

NO NO NO.

Throw it away and contact your IT support team or outside IT consultant.

We have already contacted our clients to advise them of the situation. Fortunately, none of them have received the device. If they had, we would have taken the same steps whether they had experienced something unusual or not. Work under the assumption that they were infected and take the steps necessary to ensure that the patient data is secure. As patients ourselves, we would expect nothing less.

Working under the assumption of a best case, “you are probably not infected” scenario is never the best option. When facing litigation for leaking personal data, I don’t think that “we were told we were probably not infected” would be a sound defense.
