USB drives loaded with malware were mistakenly mailed by the American Dental Association (ADA) to its members earlier this month.
According to investigative reporter Brian Krebs, the issue first came to light after an ADA member posted on a security forum saying that he was suspicious of the integrity of the drive when he first received it. The ADA mailed the credit card-shaped devices in its annual package to members preloaded with updated “dental procedure codes” that offices use for billing and insurance purposes.
An investigation of the code stored on the USB drive revealed that one of the files contained a string that would launch a malicious web page used by hackers to infect targeted computers with malware that could “gain full control of the infected Windows computer.”
When reached for comment, the ADA said that it had sent an email to members with instructions to dispose of the device as a preventative measure. The ADA maintains that only “a handful of reports” were made, and that “many of the flash drives do not contain Malware.” Caution is still the best course, though, particularly for clients who are considering using their USB drives on computers where protected health information (PHI) is stored.
The ADA has also said that “anti-virus software should detect the malware if it is present,” but it’s unclear how accurate that statement is, considering that the malware was originally discovered by a client who needed to access the source code himself before realizing that his device was infected. There’s no word yet about how ADA members whose emails are not on file will be notified of this security threat.
A good security policy outlines the safe use of external media in conjunction with appropriate anti-virus and malware-scanning programs. HIPAA regulations require that organizations implement physical, technical, and administrative safeguards to mitigate circumstances in which PHI can become compromised. Health care professionals of all disciplines should adhere to organizational policies regarding the safe use of physical media devices such as removable USB drives or SD cards.
Threats to information security are going to continue to surface in increasingly unexpected ways. Even trusted medical associations face exposure to threats, which is why maintaining proper security protocols at all times is absolutely essential to protecting sensitive data and PHI.