Hefty Fine Over False Encryption Claims

Uploaded on 2016-01-20 in BUSINESS-Services-Health & Welfare, FREE TO VIEW, NEWS-Cybersecurity News

Dental software provider Henry Schein Practice Solutions has agreed to settle with the U.S Federal Trade Commission (FTC) over charges it misled customers on the level of encryption its software provided to protect sensitive patient data.

According to the FTC, Schein allegedly falsely claimed its Dentrix G5 software used industry-standard encryption and ensured that users of the product would protect patient data in line with the Health Insurance Portability and Accountability Act.

"Strong encryption is critical for companies dealing with sensitive health information," said FTC Consumer Protection Bureau Director Jessica Rich, in the FTC advisory. "If a company promises strong encryption, it should deliver it."

As part of the settlement, Schein has agreed to pay $250,000, will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.

“This is a classic case of a business making headlines for bad security practices,” said Mark Bower, global director product management for HPE Security—Data Security, via email. “In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification. Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices. This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.”

In its complaint, the FTC alleges that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.

“While a very unfortunate situation for all involved, other organizations can learn from this case,” Bower said. “The action taken by the FTC sends a clear message that organizations need to take data security very seriously—it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either. While on the surface it might seem simple for a developer to come up with some way to mask, tokenize or use home grown encryption, this will inevitably lead to data exposure and huge risks—and fines. Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.”

Bower added that even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, new strong techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization, which provide companies with easy to use and manage data security at scale, and above all proven security for almost any platform to secure data.

“With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” Bower said. “The ability to render data useless if lost or stolen, through strong, data-centric encryption, is an essential benefit to ensure data remains secure.”

InfoSecurity: http://bit.ly/1Jc7hXC

« Anonymous Want Revenge For Saudi Executions
Mentoring Startups: Technology Solving Education Problems »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Guardtime

Guardtime

Guardtime's Black Lantern platform provides real-time cybersecurity and data-centric asset protection.

CodeOne

CodeOne

CodeOne provides solutions for website and web app security.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

e2e-assure

e2e-assure

e2e Protective Monitoring and Security Operations Centre (SOC) Service is a complete cyber defence service to protect your critical assets from cyber attacks and GDPR breaches.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

Cynamics

Cynamics

Cynamics is the only network monitoring solution built specifically for Smart City, Public Safety and Critical Infrastructure networks.

Ergo

Ergo

Ergo is a world-class IT Partner of choice, leveraging the latest technology available in cloud, mobility, big data, analytics, and social media.

Snowflake

Snowflake

Empower your cybersecurity and compliance teams with Snowflake. Gain full visibility into security logs, at massive scale, while reducing costs of Security Information and Event Management systems.

Flat6Labs

Flat6Labs

Flat6Labs is the MENA region’s leading seed and early stage venture capital firm, currently running the most renowned startup programs in the region.

Nextgen Group

Nextgen Group

Nextgen Group is a pioneering technology services group with innovative and unique services across enterprise software, cloud, data management, and cybersecurity solutions.

Aunalytics

Aunalytics

Aunalytics is a data platform company that delivers insights as a service to answer your most important IT and business questions.

Infinavate

Infinavate

Infinavate Fort CyberVault offers end-to-end services that comprehensively responds to the organization’s information security and privacy needs.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Cool Waters Cyber

Cool Waters Cyber

Cool Waters Cyber manage cyber security governance, risk and compliance.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.

CyRiSo

CyRiSo

CyRiSo is a cyber security consulting company with a focus on 'as-a-service' services for the most pressing challenges of cyber security.

Gcore

Gcore

Gcore is an international leader in public cloud and edge computing, content delivery, hosting, and security solutions.