When the ADA is the Source of Infection

HealthcareITNews.com reported on April 29 that some USB drives sent by the ADA to its members were infected with malware.

The USB drives were manufactured in China and the malware was inserted by “a subcontractor of an ADA vendor during the manufacturing process.”

While the overall number thus far is small – reportedly some 10 infected drives out of about 37,000 drives sent by the ADA – the issue highlights the need for increased cybersecurity vigilance in dental practices.

In a statement, the ADA said it began distributing the 2016 CDT dental procedure codes manual beginning in late 2015 and that the USB drives were in a back pocket of the manual.

Upon insertion, the infected drives attempt to open a web page that is notorious for downloading malware. If the CDT codes manual is displayed, the drive is not infected. However, the ADA warns anyone who has not yet inserted the USB drive to discard it.

In its statement, the ADA also said that it had “promptly” informed all potentially affected recipients and worked with its resellers and distributors to ensure their customers were notified. ADA also provided an alternative link to the manual.

Cybersecurity experts warn against allowing any untested and unverified access to a computer system that contains sensitive patient information. That includes inserting USB, or flash, drives; CD-ROMs; and downloading programs from the Internet where the integrity of the program and the download site can’t be verified.

With HIPAA violations potentially costing up to $50 thousand per occurrence, dental practices have to step up their security game. All too many practices don’t regularly update their antivirus and anti-intrusion software, leaving them vulnerable to new attacks. It’s important to note that server cybersecurity software needs to be regularly updated just like the desktop computers your practice uses.

When it comes to the threat of malware, your practice should have an ironclad policy against inserting any unverified electronic device into one of your computers. Alternatively, you can invest in a standalone (non-networked) desktop or laptop computer with updated security software to test drives and CD-ROMs before using them on a networked computer.

But online and malware threats aren’t the only dangers to your practice’s data integrity.

Many healthcare data breaches occur because patient information is loaded onto a portable electronic device and taken out of the practice. That device can be lost, stolen, or surreptitiously duplicated. Paper files are at similar risk.

Healthcare data breaches also occur when staff members, including dentists, are careless with patient records within the practice. Patient financial information as well as clinical information is at risk when protocols aren’t followed.

As devastating as HIPAA fines can be to a dental practice, the hit to your reputation may be even worse. You might be able to shrug off the effects of a single, isolated data breach. Once a second breach by your office hits the news, you’ll almost certainly be losing new and existing dental patients.

And as the ADA’s infected flash drive incident points out, even normally trustworthy industry partners aren’t immune. Be vigilant.