If you work in a dentist office, pay attention to your mail — last week, the American Dental Association sent 37,000 malware-infected USB drives to its members. The drive arrived in a credit card-shaped form that was intended to contain a digital version of updated dental procedure codes that offices use for billing and insurance.
Don’t Plug That Random USB Drive into Your Computer
As reported by a user who received the USB drive at his office, one of the files on the drive links to a website notorious for delivering malware. But unlike many forms of malware, this virus doubles down by attempting to allow hackers full remote control of a system. And since medical records containing billing information, Social Security numbers, and other personal information are worth up to ten times as much as credit card numbers on the black market, a computer in a dentist’s or doctor’s office represents the Holy Grail for hackers.
Yes, the ADA sent these drives to its members with instructions to plug the drive into a USB port and open and view the file on a computer. They didn’t manufacture them, though — like so many technology components these days, they were made in a Chinese facility. And although investigations are still underway, early reports indicate that the malware wasn’t placed on the drives on purpose — instead, a computer that loaded files onto the drive was probably infected with the malware, automatically placing it on any drive it produced.
The ADA notified its members of the infected USB drives, but their warning wasn’t as strong as it should have been. It informed dentists that anti-virus software should keep their systems safe, even though a single layer of security is never enough to provide 100% protection. The letter also stated that any drive used successfully could be considered OK. But asking offices that rely on HIPAA-protected data to plug in random USB drives and load files on their computers goes against all the best cybersecurity practices.
So what can you do to keep your office safe?
1) If you received a USB drive from the ADA, DON’T USE IT.
Maybe it won’t infect your computer with malware, maybe it will — and maybe if it does your anti-virus will catch it before it infects your computer. But since HIPAA violations can result in serious financial penalties, along with a significant hit to a practice’s reputation, it’s just not worth the risk.
2) Protect your systems physically as well as electronically.
Comprehensive firewall, anti-virus, anti-malware, and anti-spam solutions are critical. But so are physical safeguards like laptop cables, external drive guards, record cabinet locks, and other access restrictions. Basically, don’t discount the basics, especially when it comes to the way patient records are stored. Many of the most high-profile health care breaches have resulted from stolen laptops, lost thumb drives, or careless data storage.
3) Implement proactive IT services that can identify problems before they happen — and fix them quickly when they do.
Especially in the health care field, where a balance must be struck between accessible patient records, anytime connectivity, and heightened security, proactive maintenance and management is a must.
Making sure you and your employees don’t plug a malware-infected USB drive into company computers represents a good first step in any security strategy. But strong proactive monitoring and management, backup and disaster recovery, and comprehensive network security services are critical as well.
Want to keep your systems running 24/7 while also knowing they’re fully protected? Contact CMIT Solutions today.