FTC Fines Software Vendor Over Encryption ClaimsHenry Schein Faces $250,000 Penalty for Misleading Marketing of Software
The Federal Trade Commission's latest cybersecurity-related enforcement action points to the need to carefully scrutinize the claims software companies make about the security functions of their products.
See Also: HIPAA Audits: A Revised Game Plan
The FTC on Jan. 5 announced a $250,000 settlement with Henry Schein Practice Solutions, a New York-based provider of practice management software for dental practices, stemming from the company's false advertising about encryption capabilities.
The FTC launched an investigation in 2014 after receiving complaints about the company's encryption claims. The FTC alleges in its complaint that it found that the vendor had been marketing its Dentrix G5 software to dental practices around the country for two years with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data as required by HIPAA. Instead, however, the company was offering a less robust "data masking technique using cryptographic technology," the FTC says.
"Strong encryption is critical for companies dealing with sensitive health information," said Jessica Rich, director of the FTC's Bureau of Consumer Protection in the statement. "If a company promises strong encryption, it should deliver it."
The FTC's latest move comes after the commission announced several security-related enforcement actions in December. That includes:
- A settlement with Oracle stemming from charges that the company had been making deceptive security claims about Java;
- A $100 million settlement with LifeLock related to deceptive claims the identity protection company made about its offerings;
- A settlement requiring the hotel chain Wyndham Worldwide Corp. to maintain a comprehensive security program in the wake of three breaches.
Meanwhile, the FTC is appealing a recent ruling by the FTC's chief administrative law judge that tossed out a data security case against cancer testing laboratory LabMD.
Heidi Wachs of the law firm Jenner & Block LLP says the recent FTC rulings point out that "vendors, or really any service providers ... must follow the golden rule of privacy: Say what you do and do what you say. The FTC, Department of Health and Human Services and the Federal Communications Commission have all made it clear through recent consent orders and enforcement actions that it is unacceptable for companies to misrepresent how they collect, use, store, protect, or share data."
The FTC action against Henry Schein hammers home the "buyer beware" message for organizations acquiring any software that's used to store sensitive personal information, says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek. "Healthcare organizations should take care to carefully examine the technical specifications of any vendor service or technology that claims to meet an objective standard to ensure that it meets or exceeds any industry or government requirement."
In its complaint, the FTC alleges that Henry Schein was aware that its Dentrix G5 software used a less complex method of data masking to protect patient data than the Advanced Encryption Standard, which is recommended by the National Institute of Standards and Technology and provides the appropriate protection to meet certain regulatory "safe harbors." Under HIPAA, for example, a covered entity that has a security incident - such as the theft or loss of a laptop computer - does not have to report it if the data on the device was appropriately encrypted.
In a blog posted on its website, the FTC writes that if dentists using Henry Schein's software had a clearer picture of its data security functions, "they may have taken additional steps to secure patient data." In addition, the statement notes, "the company's statements could have led dentists to mistakenly think they qualified for the Department of Health and Human Services' safe harbor in the event of a data breach."
The FTC says that for two years, Henry Schein touted its product's "encryption capabilities" for protecting patient information and meeting "data protection regulations" in marketing materials. In reality, the Dentrix G5 used "a less secure and more vulnerable proprietary algorithm," the FTC contends
Henry Schein continued through January 2014 to market the Dentrix G5 as "encrypting patient data" despite a June 2013 alert from the U.S. Computer Emergency Readiness Team publicly stating that the vendor of the less secure algorithm used by Henry Schein had agreed to rebrand its method as "data camouflage" so it wouldn't be confused with encryption algorithms, such as AES.
In addition to the financial penalty, the Henry Schein settlement prohibits the firm from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers' personal information, the FTC says.
Also, Henry Schein will be required to notify customers who purchased Dentrix G5 during the period when the company made the misleading statements that the product does not provide industry-standard encryption and provide the FTC with ongoing reports on the notification program.
In a statement to Information Security Media Group, Henry Schein says: "The settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product. We made a decision to settle with the FTC to avoid long and costly litigation. We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care. We value our customers, and as their trusted partner, we make it a priority to help protect the security of their information. To that end, we continuously upgrade and improve our product and service offerings, and advise our customers that they also need to take steps to protect the security of their data.
"Dentrix provides multiple features to help protect patient data, especially when used in combination with practice security measures based upon standards, best practices, laws, and regulations. We do recommend that offices employ some form of full disc encryption that utilizes AES-level encryption."
The FTC's case against Henry Schien spotlights why HIPAA covered entities need to scrutinize the assertions of their software vendors, as well as business associates, about how they're safeguarding patient protected health information, says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"This case is mainly a question of making sure that clients take claims a bit skeptically, especially if they seem too good to be true or make statements that are hard to support," he say.
" Since there isn't a specific encryption standard under HIPAA, and a 'product' can't by itself ever be HIPAA compliant, any vendor that says 'my product is HIPAA compliant,' really isn't making an accurate statement."
Holtzman suggests that software vendors provide sufficient documentation or evidence of independent testing to validate any claim that their technologies or processes meet or exceed any industry or government standards.
Daniel Schroeder, a partner at the consulting firm Habif, Arogeti & Wynne LLP, urges organizations to perform due diligence before choosing suppliers. "This means they get from the vendor appropriate, independent, objective assurance reporting that provides clear disclosure of how services are rendered; an analysis of the risks inherent in those services; description of the controls deployed; and results of testing of those controls," he says.
But the main take-away from the Henry Schein settlement, Nahra says, is this: "People make claims to sell their products. Be a smart consumer with privacy/security products, the same way you would be if you were a consumer buying a used car."
It remains to be seen whether any dentists using the Dentrix G5 software now will be inclined to notify authorities about any breaches that they chose not to report because they thought were covered by HIPAA's safe harbor for encryption, Holtzman says. "The [HHS] Office for Civil Rights could take the position that covered entities using the Dentrix system could have reasonably relied on the claims made by the vendor, but that upon notice of the falsity of the claims, the clock will begin to run for the obligation to provide notice and necessary reporting to OCR under the [HIPAA] breach notification rule."