Henry Schein Practice Solutions, a provider of office management software for dental practices, this week agreed to pay $250,000 to settle Federal Trade Commission charges that it falsely advertised the level of encryption it provided to protect patient data. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information.
The FTC’s complaint alleges that Schein marketed its Dentrix G5 software to dental practices around the country with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act (HIPAA).
“Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”
In its complaint, the FTC alleged that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.
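To make the distinction in the complaint concrete, the following Go program is an added illustration and is not code from the FTC, Henry Schein or the Dentrix product. It contrasts a hypothetical keyless "data masking" transform (a fixed XOR pattern, a stand-in chosen here for illustration; the actual Dentrix method is not described on this page) with NIST-standard AES in GCM mode. The masking scheme maps equal records to equal outputs and is undone by anyone who has the software, while AES-GCM under a per-deployment key produces distinct ciphertexts for repeated records and rejects modified data. The patient records are constructed sample strings, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// maskKey is a constructed, fixed "masking" pattern standing in for a
// proprietary data-masking scheme. It is hypothetical, not Dentrix's method;
// it only illustrates why a fixed, keyless transform is not encryption.
var maskKey = []byte("DEMO-MASK")

// maskData XORs the input with the fixed repeating pattern. Because the
// pattern is constant and shipped inside the software, anyone with the
// program can reverse it, and equal inputs always give equal outputs.
func maskData(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b ^ maskKey[i%len(maskKey)]
	}
	return out
}

// unmaskData recovers the input; XOR is its own inverse, so no secret is needed.
func unmaskData(in []byte) []byte { return maskData(in) }

// newKey generates a random 256-bit AES key (kept per deployment, never in code).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptAESGCM seals plaintext with AES-256-GCM. The random nonce means equal
// plaintexts yield different ciphertexts; the authentication tag detects edits.
// Output layout: nonce || ciphertext || tag.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM and fails on any tampering.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// patientRecords is constructed sample data, not real patient information.
// The duplicate entry shows how each scheme handles repeated records.
var patientRecords = [][]byte{
	[]byte("PATIENT:Jane Doe;DOB:1980-01-01"),
	[]byte("PATIENT:Jane Doe;DOB:1980-01-01"),
}

func main() {
	m0, m1 := maskData(patientRecords[0]), maskData(patientRecords[1])
	fmt.Println("masked outputs identical:  ", bytes.Equal(m0, m1))
	fmt.Println("recovered without any key: ", string(unmaskData(m0)))

	key, _ := newKey()
	c0, _ := encryptAESGCM(key, patientRecords[0])
	c1, _ := encryptAESGCM(key, patientRecords[1])
	fmt.Println("AES-GCM outputs identical: ", bytes.Equal(c0, c1))
	c0[len(c0)-1] ^= 0x01 // flip one bit in the authentication tag
	_, err := decryptAESGCM(key, c0)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The practical check this suggests for a buyer of any product that advertises "encryption": ask which NIST-standard algorithm and mode it uses, where the key lives, and whether the same record stored twice produces the same stored bytes. A deterministic, keyless transform answers none of those questions the way AES does.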
In addition, Schein will be required to notify all of its customers who purchased Dentrix G5 during the period when the company made the misleading statements that the product does not provide industry-standard encryption and provide the FTC with ongoing reports on the notification program.
The FTC voted 4-0 to issue the administrative complaint and to accept the consent agreement. It will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, continuing through Feb. 4, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.
“Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices,” says Mark Bower, global director product management for HPE Security–Data Security. “This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.”
The FTC's action “sends a clear message that organizations need to take data security very seriously; it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either,” Bower adds. “Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.”
Even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, newer techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization, which give companies data security that is easy to use and manage at scale and, above all, provides proven security for almost any platform.
With these types of technologies readily available to easily and quickly protect sensitive data, Bower says, companies have no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion.