Hefty Fine Over False Encryption Claims

Dental software provider Henry Schein Practice Solutions has agreed to settle with the U.S. Federal Trade Commission (FTC) over charges that it misled customers about the level of encryption its software provided to protect sensitive patient data.

According to the FTC, Schein allegedly falsely claimed that its Dentrix G5 software used industry-standard encryption and ensured that users of the product would protect patient data in line with the Health Insurance Portability and Accountability Act (HIPAA).

"Strong encryption is critical for companies dealing with sensitive health information," said FTC Consumer Protection Bureau Director Jessica Rich, in the FTC advisory. "If a company promises strong encryption, it should deliver it."

As part of the settlement, Schein has agreed to pay $250,000, will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.

“This is a classic case of a business making headlines for bad security practices,” said Mark Bower, global director product management for HPE Security—Data Security, via email. “In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification. Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices. This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.”

In its complaint, the FTC alleges that Schein knew Dentrix G5 protected patient data with a data-masking method less robust than the Advanced Encryption Standard (AES), which the National Institute of Standards and Technology (NIST) recommends as an industry standard and which provides the protection needed to meet certain regulatory obligations under HIPAA. Nevertheless, for two years Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in marketing materials, including newsletters and brochures aimed at dentists.
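To make the distinction in the complaint concrete, the following Go program is an added example written for this page; it is not code from the FTC, from Henry Schein or from any vendor quoted here. The "masking" routine is a hypothetical single-byte XOR standing in for an unspecified proprietary scheme (the page does not describe the actual Dentrix G5 method, and this is not a claim about it). Beside it, AES-256-GCM from Go's standard library shows what NIST-recommended encryption provides: one byte of known plaintext recovers the masking key and unmasks every record, and masking maps equal records to equal output, while AES-GCM output differs on every call and any tampered record is rejected. The sample record is constructed, not real patient data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// maskRecord is a HYPOTHETICAL stand-in for a proprietary "masking" scheme:
// every byte is XORed with one repeated key byte. It is not the Dentrix G5
// method (the page does not describe that algorithm); it only shows the
// properties that separate obfuscation from encryption.
func maskRecord(plain []byte, key byte) []byte {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b ^ key
	}
	return out
}

// recoverMaskKey shows why such masking gives no confidentiality: one byte of
// known plaintext (the '-' at a fixed offset in an SSN field, say) yields the
// key, and the key unmasks every record protected the same way.
func recoverMaskKey(masked []byte, pos int, knownPlain byte) byte {
	return masked[pos] ^ knownPlain
}

// encryptRecord uses the standard the FTC pointed to, AES (256-bit key) in
// GCM mode, with a fresh random nonce per record. The nonce is prepended so
// decryptRecord can recover it; GCM also authenticates the ciphertext.
func encryptRecord(key, plain []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// decryptRecord fails closed: a wrong key or a single flipped bit makes Open
// return an error instead of silently producing garbage.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sameOutputTwice reports whether protecting one record twice yields identical
// bytes. Deterministic output lets an attacker link or count equal values
// across the database (every patient with a given diagnosis code) with no key.
func sameOutputTwice(protect func([]byte) []byte, plain []byte) bool {
	return bytes.Equal(protect(plain), protect(plain))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("SSN:123-45-6789;DOB:1970-01-01")
	const maskKey = 0x5A
	masked := maskRecord(record, maskKey)
	mask := func(p []byte) []byte { return maskRecord(p, maskKey) }

	// Attacker knows offset 7 of any record in this layout is '-'.
	fmt.Printf("masking: key recovered from one known byte = 0x%02X\n",
		recoverMaskKey(masked, 7, '-'))
	fmt.Println("masking: same output for same input =", sameOutputTwice(mask, record))

	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	seal := func(p []byte) []byte { c, _ := encryptRecord(aesKey, p); return c }
	fmt.Println("AES-GCM: same output for same input =", sameOutputTwice(seal, record))

	sealed := seal(record)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := decryptRecord(aesKey, sealed)
	fmt.Println("AES-GCM: tampered record rejected =", err != nil)
}
```

The check a buyer or auditor can apply without reading vendor source is the one sameOutputTwice performs: protect the same value twice and compare. Any scheme that returns identical bytes for identical input is at best deterministic masking, and, whatever it is called in a brochure, is not equivalent to AES with a per-record nonce.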

“While a very unfortunate situation for all involved, other organizations can learn from this case,” Bower said. “The action taken by the FTC sends a clear message that organizations need to take data security very seriously—it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either. While on the surface it might seem simple for a developer to come up with some way to mask, tokenize or use home grown encryption, this will inevitably lead to data exposure and huge risks—and fines. Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.”

Bower added that even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, new strong techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization, which provide companies with easy to use and manage data security at scale, and above all proven security for almost any platform to secure data.

“With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” Bower said. “The ability to render data useless if lost or stolen, through strong, data-centric encryption, is an essential benefit to ensure data remains secure.”

InfoSecurity: http://bit.ly/1Jc7hXC
