At last – Feds crack down on crummy encryption … starting with your dentist
Uncle Sam finally gets his teeth into terrible technology
The US Federal Trade Commission (FTC) has struck a $250,000 settlement package in its case accusing a medical software developer of lying about its data encryption capabilities.
The makers of Dentrix G5, an office and records tool for dentists, had been accused of lying to customers about the encryption capabilities of the software, which in the process exposed customer medical records and personal information.
The FTC said in its complaint [PDF] that Dentrix developers Henry Schein Practice Solutions told customers that the Dentrix Suite included security protections that would encrypt stored patient data and offer security protections in compliance with HIPAA rules.
In reality, the FTC claimed, the encryption tools used by the software were insufficient and did not meet their advertised capabilities. In 2013, Cert.org had described the proprietary encryption tools as "a weak obfuscation algorithm that may be unobfuscated without knowledge of a key or password."
Even after the company was notified of its weak encryption, the FTC charged, it continued to market Dentrix G5 with claims that the software provided strong encryption for patient records.
The FTC said in its complaint that by using the weak encryption methods, Dentrix not only misled customers about the capabilities of the product, but exposed patients to possible identity theft and data disclosure.
"An attacker who unmasks patients' sensitive personal information could subject patients to the unanticipated disclosure of personal information or use that information to commit identity theft, medical identity theft, or other harms," the FTC said in its complaint.
"If dentists were aware that Dentrix G5 used a form of data protection that was more vulnerable than widely-used, industry-standard encryption algorithms, they may have chosen to purchase another product."
Under the terms of the settlement [PDF], Henry Schein Practice Solutions will pay $250,000 to the FTC, which will then use the cash to refund customers. The software developer will also be required to notify all offices that purchased Dentrix G5 prior to January 2014, and to submit to the FTC reviews of its financial records, advertising copy, and security research for the next five years.
"Strong encryption is critical for companies dealing with sensitive health information," FTC consumer protection bureau director Jessica Rich said of the settlement deal.
"If a company promises strong encryption, it should deliver it." ®