In what may be described as an unfortunate but grim reminder of the risks that we run in Cyber Space, the American Dental Association (ADA) appears to have exposed itself to the risk of a hefty fine from the Department of Health and Human Services (HHS), which regulates HIPAA and HITECH Act implementation in the USA. (P.S: I thank Mr Avkash Kathariya for bringing the incident to my notice)
The Association recently sent out a soft copy of the CDT 2016 manual on a flash drive.
The flash drive was found to contain a link to a website known for distributing malware. This article on krebsonsecurity.com indicates that the malware in this official communication was detected by a security professional who examined the flash drive before using it.
In an inevitable “disclosure and remedial action”, the Association released an e-mail alert on the incident.
A copy of the e-mail which the Center for Informatics and Standards at the American Dental Association recently sent to its customers is reproduced below.
HHS normally imposes hefty fines for the potential or actual disclosure of PHI by Covered Entities and Business Associates. This incident raises the possibility that malware could have been injected into the systems of any of the recipients, and it has to be recorded as a “Suspected Security Breach Incident” by every recipient that is subject to HIPAA compliance requirements. Whether or not any actual data breach occurred, these entities would need to document the incident, conduct an appropriate internal investigation and record (hopefully) that “there was no breach of unsecured PHI”.
The incident could have been a major disaster for the health care industry, resulting in unprecedented levels of PHI data breach. We should be relieved that it was detected early; the security specialist responsible for the detection, identified as “Mike”, a member of the DSL Reports forum, deserves a major bounty from ADA and HHS.
In India, “distribution of a computer contaminant” would invite both civil and criminal action under ITA 2008. The Computer Fraud and Abuse Act in the USA may have similar provisions, and action could be taken against ADA for payment of damages and for criminal negligence, while HIPAA itself may not be able to impose a penalty on ADA.
The incident is, however, a big lesson for every organization that sometimes distributes useful data, with good intentions, loaded onto a CD or flash drive. The work is often subcontracted to a supplier who may have no idea of the security issues involved and who ends up distributing malware along with the intended content.
The least a content provider can do in such circumstances is to digitally sign the files, publish the verification key through a channel other than the media itself, and include a disclaimer and alert that prompts the user to verify the signature and scan the media for malware before use.
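The signing step recommended above, worked through as an added example that is not part of the original post and not ADA's or any vendor's code: the publisher builds a manifest listing the SHA-256 digest of every file placed on the drive and signs that manifest with an Ed25519 key; the recipient checks the signature against a public key obtained separately, then checks that the drive holds exactly the listed files with the listed digests. The file names and contents, the manifest format, the key pair and the stray "Launch.html" link page used to show detection are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Media models the payload files on the distributed drive: name -> contents.
// The manifest and its signature also travel on the drive but are kept
// outside this map so they are never listed as payload.
type Media map[string][]byte

// BuildManifest returns a canonical, name-sorted "sha256  name" listing.
// Sorting makes the manifest bytes deterministic, so the signature is too.
func BuildManifest(m Media) string {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(m[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest is the publisher-side step: sign the manifest bytes.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyMedia is the recipient-side step. The public key must come from
// somewhere other than the drive (web site over TLS, printed letter, etc.).
// It returns nil only if the signature is valid and the drive holds exactly
// the listed files with matching digests.
func VerifyMedia(pub ed25519.PublicKey, manifest string, sig []byte, m Media) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	// Anything on the drive that the publisher did not list is rejected:
	// this is the case that catches a launcher page slipped in by a supplier.
	for name, data := range m {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("unexpected file on media: %s", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("hash mismatch for %s", name)
		}
	}
	for name := range expected {
		if _, ok := m[name]; !ok {
			return fmt.Errorf("file missing from media: %s", name)
		}
	}
	return nil
}

func clone(m Media) Media {
	c := Media{}
	for k, v := range m {
		c[k] = v
	}
	return c
}

// Demo runs publisher and recipient steps over constructed sample files and
// returns "ok" or the verification error text for each scenario.
func Demo() map[string]string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := Media{ // constructed stand-ins for the real manual files
		"CDT2016.pdf": []byte("sample manual contents"),
		"README.txt":  []byte("Open CDT2016.pdf with a PDF reader."),
	}
	manifest := BuildManifest(original)
	sig := SignManifest(priv, manifest)

	results := map[string]string{}
	record := func(name string, err error) {
		if err == nil {
			results[name] = "ok"
		} else {
			results[name] = err.Error()
		}
	}
	record("clean", VerifyMedia(pub, manifest, sig, original))

	// A supplier adds an unlisted page that links out to an external site.
	withExtra := clone(original)
	withExtra["Launch.html"] = []byte(`<a href="http://example.invalid/">Open manual</a>`)
	record("extra_file", VerifyMedia(pub, manifest, sig, withExtra))

	// A listed file is altered after signing.
	modified := clone(original)
	modified["README.txt"] = []byte("Run setup.exe first.")
	record("modified_file", VerifyMedia(pub, manifest, sig, modified))

	// The tamperer rebuilds the manifest but has no private key to sign it.
	forged := BuildManifest(withExtra)
	record("forged_manifest", VerifyMedia(pub, forged, sig, withExtra))
	return results
}

func main() {
	for name, res := range Demo() {
		fmt.Printf("%-16s %s\n", name, res)
	}
}
```

The check proves only that the drive carries what the publisher signed; it says nothing about whether the signed content itself is safe, which is why the alert to scan the media before use still matters. Shipping the public key on the same drive would defeat the scheme, since whoever can write the drive can replace the key along with the files.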
Naavi