American Dental Association sends malware-infected USB drives to its members

While fewer than 10 incidents have been reported thus far, the event sheds light on security awareness in the healthcare industry.
By Jessica Davis
10:58 AM

An example of the USB drive sent by ADA to its members. (Photo: Krebs on Security)

The American Dental Association unwittingly sent malware-infected USB thumb drives to dental offices nationwide, the ADA confirmed today in a statement.

In a statement supplied to Healthcare IT News, the ADA, which represents more than 159,000 members, said it began distributing its 2016 manual of CDT dental procedure codes, "which included flash drives in the back pocket," in late 2015.

A "small percentage" of those drives "were found to contain malware, which was transferred to the flash drives from a subcontractor of an ADA vendor during the manufacturing process," according to the association.

"Upon learning that some flash drives contained malware, the ADA promptly informed all customers via email or letter of the potential problem. The ADA also worked with our resellers and distributors to make sure their customers were notified."

ADA officials told customers that "anti-virus software should detect the malware if it was present," but that "customers who had not used the flash drive should discard it."

If the flash drive had already been used and it "worked as expected (that is, it displayed a menu linking to chapters of the 2016 CDT manual), the flash drive was not infected," according to the statement.

The USB media were reportedly manufactured in China and some 37,000 of them have been distributed, according to Krebs on Security.

The issue was first discovered on the DSL Reports Security Forum, where forum member "Mike" from Pittsburgh decided to test the integrity of the ADA USB drive. Upon inserting it into his computer, he found code inside one of the files that attempts to open a webpage notorious for malware distribution.

"D'oh... haven't watched the Simpsons in a while, when did Homer leave Springfield nuclear power and go to the ADA?" wrote another forum member in response.

Of course, malware-infected USB drives are nothing new – "which is why the ADA's decision to use them is so disconcerting," said Bob Ertl, senior director of product management at Accellion, a provider of private cloud security tools, in a statement sent to Healthcare IT News.

"Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec," he added. "The healthcare industry – which includes dentistry – is fraught with data breaches."

With secure cloud technologies now commonplace, he said, "organizations should abandon the USB drive once and for all."

All ADA customers were provided with an alternative link to the 2016 CDT manual to replace the USB drive. According to the ADA, only 10 people have reported an infected flash drive to the organization.