Hefty Fine Over False Encryption Claims

Uploaded on 2016-01-20 in BUSINESS-Services-Health & Welfare, FREE TO VIEW, NEWS-Cybersecurity News

Dental software provider Henry Schein Practice Solutions has agreed to settle with the U.S Federal Trade Commission (FTC) over charges it misled customers on the level of encryption its software provided to protect sensitive patient data.

According to the FTC, Schein allegedly falsely claimed its Dentrix G5 software used industry-standard encryption and ensured that users of the product would protect patient data in line with the Health Insurance Portability and Accountability Act.

"Strong encryption is critical for companies dealing with sensitive health information," said FTC Consumer Protection Bureau Director Jessica Rich, in the FTC advisory. "If a company promises strong encryption, it should deliver it."

As part of the settlement, Schein has agreed to pay $250,000, will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.

“This is a classic case of a business making headlines for bad security practices,” said Mark Bower, global director product management for HPE Security—Data Security, via email. “In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification. Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices. This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.”

In its complaint, the FTC alleges that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.

“While a very unfortunate situation for all involved, other organizations can learn from this case,” Bower said. “The action taken by the FTC sends a clear message that organizations need to take data security very seriously—it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either. While on the surface it might seem simple for a developer to come up with some way to mask, tokenize or use home grown encryption, this will inevitably lead to data exposure and huge risks—and fines. Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.”

Bower added that even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, new strong techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization, which provide companies with easy to use and manage data security at scale, and above all proven security for almost any platform to secure data.

“With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” Bower said. “The ability to render data useless if lost or stolen, through strong, data-centric encryption, is an essential benefit to ensure data remains secure.”

InfoSecurity: http://bit.ly/1Jc7hXC

« Anonymous Want Revenge For Saudi Executions
Mentoring Startups: Technology Solving Education Problems »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Softtek

Softtek

Softtek helps its clients to gain a competitive edge by implementing digital solutions that propel their business strategies.

Competence Center for Applied Security Technology (CAST)

Competence Center for Applied Security Technology (CAST)

CAST offers a range of services in the field of secure modern information technology and a contact point for all questions regarding IT security.

4iQ

4iQ

4iQ fuses surface, social, deep and dark web sources to research and assess risks to people, infrastructure, intellectual property and reputation.

DomainTools

DomainTools

DomainTools is the global leader for internet intelligence and the first place security practitioners go when they need to know.

Malomatia

Malomatia

Malomatia is a leading provider of technology services and solutions in Qatar including information security.

Industry IoT Consortium (IIC)

Industry IoT Consortium (IIC)

The Industry IoT Consortium is the world's leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

evolutionQ

evolutionQ

evolutionQ delivers quantum-risk management strategies and robust cybersecurity tools designed to be safe in an era with quantum computing technologies.

Cybaverse

Cybaverse

Cybaverse (formerly North Star Cyber Security) was founded to create the perfect blend of a Managed Security Service Provider (MSSP) and a Cyber Security Consultancy in one.

FourNet

FourNet

FourNet is an award-winning provider of cloud and managed services; we work closely with our clients to enable digital transformation across their organisation.

Regtank Technology

Regtank Technology

Regtank is a one-stop compliance solution for fintechs, navigating compliance, security and risk management.

Xobee Networks

Xobee Networks

Xobee Networks is a Managed Service Provider of innovative, cost-effective, and cutting-edge technology solutions in California.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

Gomboc.ai

Gomboc.ai

Gomboc solve cloud infrastructure security policy deviations by providing tailored remediations to the IaC (Infrastructure as Code).

Fingerprints

Fingerprints

Fingerprints is the world-leading biometrics company. Our solutions are found in millions of devices providing safe and convenient identification and authentication with a human touch.

HEAL Security

HEAL Security

HEAL Security is the global authority for cybersecurity data, research and insights across the healthcare sector.