THE ADA’s Dental Debacle

By: Joel A. Holt, Esq., CIPP/US

Talk about the ever changing world of information security and data privacy. Literally, something new, interesting, or terrible occurs daily.

The latest giant balloon in the “parade of horribles” is the American Dental Association (“ADA”) providing its members with a free, electronic copy of the 2016 Dental Procedure Codes – with one small catch. The handy, searchable PDF was stored on malware-laced USB drives. Woops.

ADA USB pic — *photos: http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/*

So to recap: one benefit of a paid membership in the ADA is a potential malware infection. According to Krebs on Security, “Mike” (presumably a dentist) was suspicious of the USB drive and took a look at the code. Mike discovered that one of the files on the USB drive tried to open a well-known malware distribution website. Apparently, this website “is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.”

In other words: Ransomware.

On the surface, the ADA’s idea is merely just a bad idea. If one looks deeper, however, there is a next level disconnect about protecting PHI. Think about it. According to the ADA’s instructions, a covered entity is supposed to: (1) “flip out” a USB drive obtained in the mail; (2) “plug [it] into the USB port” on their computer; and (3) “open … the file on your computer.” WHAT? A dental office’s computer contains PHI (and likely other provider specific sensitive information). While “reasonable safeguards” under HIPAA is up for interpretation, I am pretty sure that it does not include plugging random USB drives into computers and networks containing PHI.

Let’s think about this. HIPAA’s Privacy Rule requires “reasonable and appropriate administrative, technical, and physical safeguards.” Covered entities must ensure the confidentiality and integrity of PHI, as well as “identify and protect against reasonably anticipated threats to the security or integrity of the information.” HIPAA’s Security Rule mandates that the information is not made available or disclosed to unauthorized persons. While the Security Rule does not dictate measures, covered entities must consider certain things, most notably: the likelihood and possible impact of potential risks.

It seems that “Mike” considered the “likelihood and possible impact” of inserting an unknown USB drive and opening unknown files. But, I am willing to bet that many or most would not, either from ignorance, inattention, or explicit faith in the ADA. In the current landscape, none of these are acceptable reasons for failing to consider the likelihood and possible impact. Covered entities, and all organizations in general, must build an organizational culture of security where, like “Mike”, a natural suspicion arises when faced with a seemingly harmless, but unknown, situation. Please be like Mike. Trust or do not trust. But always verify.

One more thing. The approximately 37,000 USB drives were “manufactured in China by a subcontractor of an ADA vendor[.]” [Insert forehead slap here]. So, let’s get this straight. The ADA: (1) unknowingly sent malware laced USB drives to its members; (2) provided them specific instructions to potentially infect their computers with ransomware; (3) failed to include in those instructions anything resembling steps to securely access the USB; and (4) obtained those USB drives from a subcontractor of a vendor in China. If you’re keeping score at home, that’s strikes 1, 2, 3 and 4. But the ADA didn’t stop there.

In an email statement, the ADA exacerbated the problem by committing the cardinal sin of incident response: failing to take ownership of the problem and downplaying the threat:

“Upon investigation, the ADA concluded that only a small percentage of the manufactured USB devices were infected … Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer. That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products …. Your anti-virus software should detect the malware if it is present.”

Seems pretty specific for “speculation.”

In this statement the ADA essentially acted like its mistake was no big deal. Further, it not so subtly transferred responsibility to the members. Did you catch it? “Your anti-virus software should detect the malware if it is present.” Translation: if you have proper cyber security in place our mistake won’t hurt you. If you don’t have proper cyber security in place, our mistake is your fault for not having proper cyber security.

Not only is this a peevish and puerile response to a serious screw-up, it is also not accurate. According to Krebs on Security:

“It’s not clear how the ADA could make a statement that anti-virus should detect the malware, since presently only some of the many antivirus tools out there will flag the malware link as malicious.”

Nice job, ADA [golf clap].

What’s even more curious about the ADA’s post-incident position is that cheap USB drives manufactured in China containing malware are not a new threat. They are, in fact, a very common threat. According to one security consultant, this fact “… is why the ADA’s decision to use them is so disconcerting[.]” The point is, that in 2016, use of untested USB drives should always be suspicious – and therefore, connecting them to information systems should warrant consideration of the “likelihood and possible impact[.]” In fact, according to that same consultant “connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec[.]”

Now, you might be saying … “well, the ADA didn’t violate any rule.” Perhaps this is true. However, the ADA’s dental debacle clearly demonstrates the great divide between where we are and where we should be related to information security. To say that the ADA does not have any culpability is ludicrous. The ADA has a responsibility to its paying members. At the very least the ADA shouldn’t contribute to the immense threats that its members already face.^[[i]][[ii]]

ICKES \ HOLT is a full-service, team-driven, and client focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations and ICKES \ HOLT is dedicated to advising clients on how to protect its information. Please contact us to discuss establishing or improving the information governance policies for your organization.

[i] http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/;

[ii] http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members

L Applegarth

5 out of 5 stars

posted 2 months ago

I have gone to Mr. Ickes for several things over the years, and he is always the nicest, most knowledgeable, most professional, and most trustworthy lawyer you could ever hope to meet. Honestly, he is the only attorney I will ever trust. He will help anyone he can, and if he cannot, he will guide you to someone who can. I do not know him on a personal level, but you know by how he treats his clients, that he is just truly a good person, and that is hard to find in the legal world. He gets nothing but five stars from me!

Theresa Christine

posted 1 month ago

Joel Holt is a professional with integrity. He is honest, fair, and extremely knowledgeable. If you are looking for attorney who is responsive and trustworthy, Joel is your guy!

Linda Malek

I am an Attorney in Cuyahoga Falls and I own a 4-unit building. A new commercial tenant came in wanting to open a business and refused to comply with building code and legal licensure, and the lease. Unbeknownst to me, she signed her lease in a fraudulent business name. Commercial Law is not my ‘wheel house’. I called a firm that dealt with commercial law but the subject matter stumped them because I wanted to get her out of my unit without having to go through the eviction process. The firm referred me to Joel Holt, Esq. I have nothing but respect for his knowledge and for him as an attorney. He didn’t know me, but I told him I needed his help immediately. He could sense the urgency and anxiety surrounding this matter for me. He immediately got all the facts from me and drafted a letter to the tenant’s attorney. The letter was one drafted by a man you WANT on your side. It wasn’t a “lets make a deal” letter. It wasn’t rude. It was ridden with the law and facts and was to the point. The tenants lawyer responded with a letter which was sent right before I was to take action. Atty Holt got the opposition’s letter in the evening and handled it with urgency. He didn't wait until morning. He handled like it was his very own matter. And, the next day the tenant was gone. I know it was because of the zealous advocacy of Atty. Holt. Quite frankly, it takes a lot to impress me and my firm. We all were astonished at Atty Holt’s wisdom of the law and the practical application of it in this situation. He will forever be our commercial lawyer and we were so thankful for him!! He is simply a 5-Star Lawyer!!!

Read All 59 Reviews

THE ADA’s Dental Debacle

By: Joel A. Holt, Esq., CIPP/US

[i] http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/;

[ii] http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members

Leave a Comment Cancel

Let’s Talk

By: Joel A. Holt, Esq., CIPP/US

[i] http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/;

[ii] http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members

Reader Interactions

Leave a Comment Cancel

Footer

Let’s Talk