Ickes \ Holt LLC

Information Security. Corporate Law. Litigation


May 18, 2016

THE ADA’s Dental Debacle


By: Joel A. Holt, Esq., CIPP/US

Talk about the ever-changing world of information security and data privacy. Something new, interesting, or terrible happens daily.

The latest giant balloon in the “parade of horribles” is the American Dental Association (“ADA”) providing its members with a free electronic copy of the 2016 Dental Procedure Codes, with one small catch.  The handy, searchable PDF was shipped on malware-laced USB drives.  Whoops.

[Image: the ADA USB drive and its mailer. Photos: http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/]

So, to recap: one benefit of a paid ADA membership is a potential malware infection.  According to Krebs on Security, “Mike” (presumably a dentist) was suspicious of the USB drive and examined its contents before opening anything.  Mike discovered that one of the files on the drive tried to open a well-known malware distribution website.  That website, Krebs reports, “is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.”

In other words: full control of the machine, which is all an attacker needs to deploy ransomware.

On the surface, the ADA’s idea is merely a bad idea.  Look deeper, however, and there is a more fundamental disconnect about protecting PHI.  Think about it.  According to the ADA’s instructions, a covered entity is supposed to: (1) “flip out” a USB drive that arrived in the mail; (2) “plug [it] into the USB port” on its computer; and (3) “open … the file on your computer.”  WHAT?  A dental office’s computer contains PHI (and likely other provider-specific sensitive information).  While what counts as “reasonable safeguards” under HIPAA is open to interpretation, I am pretty sure it does not include plugging unvetted USB drives into computers and networks that hold PHI.

Let’s think about this.  HIPAA’s Privacy Rule requires covered entities to maintain “reasonable and appropriate administrative, technical, and physical safeguards” for PHI.  HIPAA’s Security Rule goes further for electronic PHI: covered entities must ensure its confidentiality, integrity, and availability, must “identify and protect against reasonably anticipated threats to the security or integrity of the information,” and must keep it from being made available or disclosed to unauthorized persons.  The Security Rule does not dictate particular measures, but in choosing them a covered entity must consider certain things, most notably the likelihood and possible impact of potential risks to that information.

It seems that “Mike” considered the “likelihood and possible impact” of inserting an unknown USB drive and opening unknown files.  But I am willing to bet that many, if not most, recipients would not, whether from ignorance, inattention, or simple faith in the ADA.  In the current landscape, none of these is an acceptable reason for failing to consider the likelihood and possible impact.  Covered entities, and organizations in general, must build a culture of security in which, as with “Mike,” a natural suspicion arises when faced with a seemingly harmless but unknown situation.  Please be like Mike.  Trust or do not trust.  But always verify.

One more thing.  The approximately 37,000 USB drives were “manufactured in China by a subcontractor of an ADA vendor[.]”  [Insert forehead slap here.]  So, let’s get this straight.  The ADA: (1) unknowingly sent malware-laced USB drives to its members; (2) gave them specific instructions that would infect their computers with that malware; (3) failed to include in those instructions anything resembling steps to access the drive safely; and (4) obtained those drives from a subcontractor of a vendor in China.  If you’re keeping score at home, that’s strikes 1, 2, 3, and 4.  But the ADA didn’t stop there.

In an email statement, the ADA compounded the problem by committing the cardinal sin of incident response: failing to take ownership of the problem and downplaying the threat:

“Upon investigation, the ADA concluded that only a small percentage of the manufactured USB devices were infected … Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer. That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products ….  Your anti-virus software should detect the malware if it is present.”

Seems pretty specific for “speculation.”

In this statement the ADA essentially acted as if its mistake were no big deal.  Further, it not so subtly shifted responsibility to its members.  Did you catch it?  “Your anti-virus software should detect the malware if it is present.”  Translation: if you have proper cybersecurity in place, our mistake won’t hurt you; if you don’t, our mistake is your fault for not having proper cybersecurity.

Not only is this a peevish and puerile response to a serious screw-up, it is also inaccurate.  According to Krebs on Security:

“It’s not clear how the ADA could make a statement that anti-virus should detect the malware, since presently only some of the many antivirus tools out there will flag the malware link as malicious.”

Nice job, ADA [golf clap].

What’s even more curious about the ADA’s post-incident position is that cheap USB drives manufactured in China that arrive carrying malware are not a new threat.  They are a well-known one.  According to one security consultant, this fact “… is why the ADA’s decision to use them is so disconcerting[.]”  The point is that, in 2016, an untested USB drive should always be treated with suspicion, and connecting one to an information system should trigger consideration of the “likelihood and possible impact[.]”  In fact, according to the same consultant, “connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec[.]”

Now, you might be saying, “well, the ADA didn’t violate any rule.”  Perhaps that is true.  However, the ADA’s dental debacle clearly demonstrates the great divide between where we are and where we should be on information security.  To say that the ADA bears no culpability is ludicrous.  The ADA has a responsibility to its paying members.  At the very least, the ADA shouldn’t add to the immense threats its members already face.[i][ii]

ICKES \ HOLT is a full-service, team-driven, client-focused law firm in Northeast Ohio concentrating on information security and governance.  Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect it.  Please contact us to discuss establishing or improving the information governance policies for your organization.

[i] http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/
[ii] http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members
