Most working professionals have an association they can call their own. Dentists have the American Dental Association. The ADA represents 159,000 dentists across the USA and most received a "gift" recently in the form of a USB key with new dental codes.
It turns out one of the recipients is also technically competent, and he decided to take a closer look at this "gift" (check out Mike's post on DSLReports). Re-read that HIPAA description at the top of this post; it applies here.
He checked out the contents of this magical key and realized one of the files tries to open a bad bad webpage known for hosting malware (don't go here: http://ntkrnlpa.cn). VirusTotal flags the site as bad. 12/67 detected it as badware on day 1. When I asked VirusTotal to rescan the site for malware today, 13/67 detected it as bad. Symantec says the site contains threats. ScanURL recommends you not visit this site. So overall it is pretty safe (no pun intended) to assume this is a bad place and you shouldn't be wandering its streets alone.
The ADA says "some drives" contain malware and believes your antivirus should catch anything nasty on it or linked by it. Anyone involved in cybersecurity knows not to trust antivirus with their safety. Remember that out of 67 major antivirus vendors, only 13 today detect the site as malicious when it is known to be very bad. Antivirus is not a good replacement for good security hygiene. Obviously, the ADA says that if you haven't used this key, don't.
I don't want to be too harsh on the ADA. This isn't the first time "things" manufactured in China have been loaded with malware. In 2009, we had an outbreak of picture frames loaded with malware.
Every time you add another step to a digital process, you add additional attack vectors and increase your risks. Instead of sending out USB keys, the ADA should have made the files available for download. Removing the USB key process takes these exposures out of the chain:
- the files being sent to the Chinese manufacturer
- infection by the manufacturer of the USB keys
- infection by the company that turns the keys into promotional cards
- infection by the company that loads the content onto the keys using duplication machines (which is likely how the ADA mailer was infected)
By making the files available for download, they reduce (but don't eliminate) the possible attack vectors. Additionally, companies need to add much more stringent security controls around their digital product production process. I would also recommend that the ADA periodically sensitize its members on HIPAA and their obligations under HIPAA, and provide guidance on good security hygiene.