By: Joel A. Holt, Esq., CIPP/US
Talk about the ever-changing world of information security and data privacy. Literally, something new, interesting, or terrible occurs daily.
The latest giant balloon in the “parade of horribles” is the American Dental Association (“ADA”) providing its members with a free, electronic copy of the 2016 Dental Procedure Codes – with one small catch. The handy, searchable PDF was stored on malware-laced USB drives. Whoops.
So to recap: one benefit of a paid membership in the ADA is a potential malware infection. According to Krebs on Security, “Mike” (presumably a dentist) was suspicious of the USB drive and took a look at the code. Mike discovered that one of the files on the USB drive tried to open a well-known malware distribution website. Apparently, this website “is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.”
In other words: Ransomware.
On the surface, the ADA’s idea is merely a bad idea. If one looks deeper, however, there is a next-level disconnect about protecting PHI. Think about it. According to the ADA’s instructions, a covered entity is supposed to: (1) “flip out” a USB drive obtained in the mail; (2) “plug [it] into the USB port” on their computer; and (3) “open … the file on your computer.” WHAT? A dental office’s computer contains PHI (and likely other provider-specific sensitive information). While “reasonable safeguards” under HIPAA is up for interpretation, I am pretty sure that it does not include plugging random USB drives into computers and networks containing PHI.
Let’s think about this. HIPAA’s Privacy Rule requires “reasonable and appropriate administrative, technical, and physical safeguards.” Covered entities must ensure the confidentiality and integrity of PHI, as well as “identify and protect against reasonably anticipated threats to the security or integrity of the information.” HIPAA’s Security Rule mandates that the information is not made available or disclosed to unauthorized persons. While the Security Rule does not dictate measures, covered entities must consider certain things, most notably: the likelihood and possible impact of potential risks.
It seems that “Mike” considered the “likelihood and possible impact” of inserting an unknown USB drive and opening unknown files. But, I am willing to bet that many or most would not, either from ignorance, inattention, or explicit faith in the ADA. In the current landscape, none of these are acceptable reasons for failing to consider the likelihood and possible impact. Covered entities, and all organizations in general, must build an organizational culture of security where, like “Mike”, a natural suspicion arises when faced with a seemingly harmless, but unknown, situation. Please be like Mike. Trust or do not trust. But always verify.
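One way a dental practice could do the “always verify” step before anything on an unknown drive is opened, as an added example that is not part of this post or of the ADA’s materials: a read-only triage of the mounted drive that flags an autorun file, executable launchers, and any text-based file carrying a link to a remote site, which is exactly the kind of file “Mike” found. The sample drive contents, including the malware-drop.example domain, are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Launcher formats that should never be double-clicked straight off an untrusted drive.
RISKY_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta", ".ps1", ".msi"}
# Text-based formats that can quietly send a viewer to a remote site.
LINK_BEARING = {".html", ".htm", ".url", ".txt"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage_drive(root):
    """Walk a mounted drive without executing anything and report what a user would be clicking into."""
    root = Path(root)
    findings = {"autorun": False, "risky_files": [], "urls": {}}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        if path.name.lower() == "autorun.inf":
            findings["autorun"] = True          # drive wants Windows to launch something for you
        if suffix in RISKY_SUFFIXES:
            findings["risky_files"].append(rel)
        if suffix in LINK_BEARING:
            urls = sorted(set(URL_RE.findall(path.read_text(errors="ignore"))))
            if urls:
                findings["urls"][rel] = urls      # file reaches out to a remote site when opened
    return findings


def verdict(findings):
    """Anything that launches code or calls out to the network means: do not open on a PHI system."""
    if findings["autorun"] or findings["risky_files"] or findings["urls"]:
        return "quarantine"
    return "no-obvious-launchers"


def build_sample_drive():
    """Constructed sample drive (not the real ADA media): a PDF plus an HTML launcher and autorun."""
    d = Path(tempfile.mkdtemp())
    (d / "CDT_2016.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder\n")
    (d / "Open_Codes.html").write_text(
        '<html><meta http-equiv="refresh" content="0;url=http://malware-drop.example/dl">'
        '<a href="http://malware-drop.example/dl">Open the 2016 codes</a></html>')
    (d / "autorun.inf").write_text("[autorun]\nopen=Open_Codes.html\n")
    return d


if __name__ == "__main__":
    result = triage_drive(build_sample_drive())
    print(verdict(result), result)
```

Run it against the mount point of a real drive on an isolated, non-PHI machine; a “quarantine” result is the cue to hand the drive to whoever handles security rather than to open the file.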
One more thing. The approximately 37,000 USB drives were “manufactured in China by a subcontractor of an ADA vendor[.]” [Insert forehead slap here]. So, let’s get this straight. The ADA: (1) unknowingly sent malware-laced USB drives to its members; (2) provided them specific instructions to potentially infect their computers with ransomware; (3) failed to include in those instructions anything resembling steps to securely access the USB; and (4) obtained those USB drives from a subcontractor of a vendor in China. If you’re keeping score at home, that’s strikes 1, 2, 3 and 4. But the ADA didn’t stop there.
In an email statement, the ADA exacerbated the problem by committing the cardinal sin of incident response: failing to take ownership of the problem and downplaying the threat:
“Upon investigation, the ADA concluded that only a small percentage of the manufactured USB devices were infected … Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer. That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products …. Your anti-virus software should detect the malware if it is present.”
Seems pretty specific for “speculation.”
In this statement the ADA essentially acted like its mistake was no big deal. Further, it not so subtly transferred responsibility to the members. Did you catch it? “Your anti-virus software should detect the malware if it is present.” Translation: if you have proper cyber security in place our mistake won’t hurt you. If you don’t have proper cyber security in place, our mistake is your fault for not having proper cyber security.
Not only is this a peevish and puerile response to a serious screw-up, it is also not accurate. According to Krebs on Security:
“It’s not clear how the ADA could make a statement that anti-virus should detect the malware, since presently only some of the many antivirus tools out there will flag the malware link as malicious.”
Nice job, ADA [golf clap].
What’s even more curious about the ADA’s post-incident position is that cheap USB drives manufactured in China containing malware are not a new threat. They are, in fact, a very common threat. According to one security consultant, this fact “… is why the ADA’s decision to use them is so disconcerting[.]” The point is that, in 2016, use of untested USB drives should always be suspicious – and therefore, connecting them to information systems should warrant consideration of the “likelihood and possible impact[.]” In fact, according to that same consultant, “connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec[.]”
Now, you might be saying … “well, the ADA didn’t violate any rule.” Perhaps this is true. However, the ADA’s dental debacle clearly demonstrates the great divide between where we are and where we should be with respect to information security. To say that the ADA does not have any culpability is ludicrous. The ADA has a responsibility to its paying members. At the very least, the ADA shouldn’t contribute to the immense threats that its members already face.
ICKES \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.