Data security expert Mark Bower commented on yesterday’s announcement by The Federal Trade Commission (FTC) that dental software provider Henry Schein Practice Solutions has agreed to settle with the FTC over charges it misled customers on the level of encryption its software provided to protect sensitive patient data.
Mark Bower, Global Director Product Management for HPE Security – Data Security, explained:
“This is a classic case of a business making headlines for bad security practices. In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification. Even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices. This is a lesson to any firm today looking to encrypt, tokenize or mask data with proprietary and unproven technology or products who could face similar scrutiny.
While a very unfortunate situation for all involved, other organizations can learn from this case. The action taken by the FTC sends a clear message that organizations need to take data security very seriously – it cannot be made up on the fly, and it can’t be just a case of ‘trust the vendor’ either. While on the surface it might seem simple for a developer to come up with some way to mask, tokenize or use home grown encryption, this will inevitably lead to data exposure and huge risks – and fines. Enterprises need to make sure they are employing strong encryption technology that’s backed by organizations like NIST, and validated by the world’s top cryptographers.
There are right ways to protect data, and a myriad of wrong ways which don’t stand up to scrutiny or even simple attacks. Fortunately, even in cases where data needs to be masked and de-identified in more flexible ways that traditional encryption allows, new strong techniques are available, such as Format-Preserving Encryption and Secure Stateless Tokenization which provide companies with easy to use and manage data security at scale, and above all proven security for almost any platform to secure data.
With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion. The ability to render data useless if lost or stolen, through strong, data-centric encryption, is an essential benefit to ensure data remains secure.”
According to the FTC, Schein falsely claimed its Dentrix G5 software used industry-standard encryption and ensured that users of the product would protect patient data in line with the Health Insurance Portability and Accountability Act. “Strong encryption is critical for companies dealing with sensitive health information,” said FTC Consumer Protection Bureau Director Jessica Rich. “If a company promises strong encryption, it should deliver it.” As part of the settlement, Schein has agreed to pay $250,000, will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.