Dive Brief:
- The American Dental Association (ADA) was doing damage control last week after finding it had accidentally mailed malware-infected USB thumb drives to member offices around the U.S. in late 2015.
- The ADA, which serves more than 159,000 members, had circulated the drives as a way to distribute its 2016 manual of CDT dental procedure codes, Healthcare IT News reported.
- The association said a "small percentage" of the USB drives were discovered to have been infected with malware during manufacturing by a subcontractor of an ADA vendor.
Dive Insight:
While the ADA worked to inform its members of the compromised USB drives, security experts suggested the association should never have mailed them in the first place.
The security snafu comes at a time when healthcare data privacy and security are omnipresent on executives' minds. While a spate of ransomware incidents occurred earlier in the year, the ADA faux pas comes shortly after a Verizon report stated cybercriminals increasingly exploit human nature in their attack patterns.
USB drives have long been known to pose security risks through malware, "which is why the ADA's decision to use them is so disconcerting," Bob Ertl, senior director of product management at Accellion, told Healthcare IT News. He argued that connecting untested thumb drives to systems containing sensitive data "violates the most fundamental rules of InfoSec" and that, with secure cloud technologies now available, "organizations should abandon the USB drive once and for all."
As an alternative to the drives, the ADA sent its customers a link to the 2016 CDT manual. For those who had used the drive, the ADA said "anti-virus software should detect the malware if it was present."
The Krebs on Security website further criticized this response, arguing, "It’s not clear how the ADA could make a statement that anti-virus should detect the malware, since presently only some of the many antivirus tools out there will flag the malware link as malicious."