Hefty Fine Over False Encryption Claims

Uploaded on 2016-01-20 in BUSINESS-Services-Health & Welfare, FREE TO VIEW, NEWS-Cybersecurity News

Dental software provider Henry Schein Practice Solutions has agreed to settle with the U.S Federal Trade Commission (FTC) over charges it misled customers on the level of encryption its software provided to protect sensitive patient data.

According to the FTC, Schein allegedly falsely claimed its Dentrix G5 software used industry-standard encryption and ensured that users of the product would protect patient data in line with the Health Insurance Portability and Accountability Act.

"Strong encryption is critical for companies dealing with sensitive health information," said FTC Consumer Protection Bureau Director Jessica Rich, in the FTC advisory. "If a company promises strong encryption, it should deliver it."

As part of the settlement, Schein has agreed to pay $250,000, will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.

“This is a classic case of a business making headlines for bad security practices,” said Mark Bower, global director product management for HPE Security—Data Security, via email. “In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification. Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices. This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.”

In its complaint, the FTC alleges that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.

“While a very unfortunate situation for all involved, other organizations can learn from this case,” Bower said. “The action taken by the FTC sends a clear message that organizations need to take data security very seriously—it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either. While on the surface it might seem simple for a developer to come up with some way to mask, tokenize or use home grown encryption, this will inevitably lead to data exposure and huge risks—and fines. Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.”

Bower added that even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, new strong techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization, which provide companies with easy to use and manage data security at scale, and above all proven security for almost any platform to secure data.

“With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” Bower said. “The ability to render data useless if lost or stolen, through strong, data-centric encryption, is an essential benefit to ensure data remains secure.”

InfoSecurity: http://bit.ly/1Jc7hXC

« Anonymous Want Revenge For Saudi Executions
Mentoring Startups: Technology Solving Education Problems »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Verimuchme

Verimuchme

Verimuchme is a digital wallet and exchange platform to secure, verify and re-use personal information.

ComTrue Technologies

ComTrue Technologies

ComTrue Technologies provides artificial intelligence solutions and information security solutions.

Cyberia Group

Cyberia Group

Cyberia is a leading Internet and Security services provider with operations in Saudi Arabia, Lebanon and Jordan.

Ideagen

Ideagen

Ideagen provides information management, safety, risk and compliance software solutions that allow organisations to achieve operational excellence, regulatory compliance and reduce risk.

VerifyMe

VerifyMe

VerifyMe is a global technology solutions company delivering brand protection offerings to mitigate counterfeiting, product diversion, and illicit trade.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

Silensec

Silensec

Silensec is a management consulting, technology services and training company specialized in information security.

Me Learning

Me Learning

Me Learning provides engaging, informative and clearly explained learning materials for complex and challenging professional environments in areas including GDPR and Information Governance.

Sayata Labs

Sayata Labs

Sayata delivers a streamlined solution for processing cyber policies. Increase profitability with an easy and intuitive platform.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Portshift

Portshift

Portshift leverages the power of Kubernetes and Service-Mesh to deliver a single source of truth for containers and cloud-native applications security.

Hassans International Law Firm

Hassans International Law Firm

Hassans is the largest law firm in Gibraltar, providing a full range of legal services across corporate and commercial law including Data Protection and GDPR compliance.

Bleckwen

Bleckwen

Bleckwen is a proven fraud detection system that helps financial institutions build trust with customers.

Digital Craftsmen Ltd

Digital Craftsmen Ltd

We're ISO27001 & Cyber Essentials Cybersecurity experts, delivering full cloud security and managed services. We take a bespoke approach for each client from hosting, optimising & securing them online

Horizon3.ai

Horizon3.ai

Horizon3.ai is a leader in security assessment and validation enabling continuous security overwatch from an attacker’s perspective through our NodeZero SaaS solution.

Phished

Phished

Phished is an AI-driven platform that focuses on the human side of cybersecurity. By combining fully automated training software with personalised, realistic simulations of cyberattacks.