Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Fines Software Vendor Over False Data Encryption Claims (softpedia.com)

Posted by timothy on from the could-have-been-golf-ball-detectors dept.

An anonymous reader writes: The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product's encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so. The software vendor is Henry Schein, who deliberately ignored CERT and FTC warnings and continued to sell its CRM for dentists, even if it knew it did not comply with HIPAA rules. The vendor got "only" a $250,000 fine.

37 comments

  1. Pig Latin? by Anonymous Coward · · Score: 0

    Is the data encrypted using Pig Latin?

    Irstfa Ostpa!

    1. Re:Pig Latin? by chipschap · · Score: 0

      irstfat ostpay. Get it right :)

    2. Re:Pig Latin? by Anonymous Coward · · Score: 0

      Irony, thy name is Slashdot.

    3. Re:Pig Latin? by chipschap · · Score: 1

      oops :)

  2. Yet another proprietary fail by Anonymous Coward · · Score: 1

    This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!

    1. Re:Yet another proprietary fail by wierd_w · · Score: 2

      Really now, there are very good algorithms out there. Would it have really been that hard to sub out the encryption module of their source code with a vetted encryption algorithm?

      Oh--- right-- Probably not using properly modularized code! Because FIRST TO MARKET or some similarly retarded reason.

    2. Re:Yet another proprietary fail by lsatenstein · · Score: 1

      This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!

      They were using DES. DES is an encryption algorithm. DES with cypher block chaining is quite secure, given that the information is not financial data. Financial data would be studied to determine the encryption keys, but dental records do not carry financial data.

      Can dental information be monetized? Please explain to me why someone would want to decrypt a dental database? A typical dental practice rarely has more than 10k patients active and perhaps adds 2k patients per year and prunes that many records that are past the legal limit of retentions.

      --
      Leslie Satenstein Montreal Quebec Canada
  3. Implement? by Anonymous Coward · · Score: 0

    Why didn't he just replace DES by AES. It is almost drop in except for key and block sizes. Surely not more than a week work?

    1. Re: Implement? by Anonymous Coward · · Score: 0

      Because it wasn't DES it was FSE (FairCom Standard Encryption) which is apparently a keyless scrambling of the data with an access token which could be simply forged to allow the data to be read by another database instance (eg another dr's office) without knowing any passwords by using in trial mode (which apparently uses an administrator access token).

      They have newer versions of the software that does keyed AES encryption of the data but it apparently AES wasn't deployed as default but merely gave the option of AES to new installs.

  4. It's not like the "experts" are any better. by Anonymous Coward · · Score: 0

    For all the talk about "never roll your own crypto", we don't exactly see anything better from the self-proclaimed "experts", either!

    Just look at all of the major flaws in the OpenSSL library. We're talking about some really serious problems! Even LibreSSL, the fork maintained by the OpenBSD crew, who are among the best and most security-conscious programmers out there, still has bugs. Other libraries like GnuTLS are affected by serious bugs, too.

    It would be one thing if these so-called "experts" could write flawless or even near-flawless crypto code. But the code they write is often just as shitty as any code written by others.

    1. Re:It's not like the "experts" are any better. by Opportunist · · Score: 2

      The flaws you are referring to are in the implementation of the crypto algo, not the algo itself.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:It's not like the "experts" are any better. by jonwil · · Score: 1

      How many of the bugs in OpenSSL or LibreSSL or GnuTLS are bugs in the actual implementation of the encryption algorithm and how many are bugs in higher level protocols (SSL, TLS etc)?

    3. Re:It's not like the "experts" are any better. by Coren22 · · Score: 2

      Also, how many go completely unpatched by the vendor because they don't understand encryption?

      At least with OpenSSL etc, the problems are fixed quickly.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  5. not scarequotes needed by Gravis+Zero · · Score: 5, Informative

    yes, they were only fined $250K. Henry Schein is a multibillion dollar multinational company. $250K is "cost of business" expense because they make millions selling their software. this isn't even a slap on the wrist.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: not scarequotes needed by Anonymous Coward · · Score: 0

      I assumed the submitter was misusing quotes for emphasis.

    2. Re:not scarequotes needed by Anonymous Coward · · Score: 0

      yes, they were only fined $250K. Henry Schein is a multibillion dollar multinational company. $250K is "cost of business" expense because they make millions selling their software. this isn't even a slap on the wrist.

      This is a fine levied by the FTC for 'false advertising', and is mostly symbolic. Where they're really going to get fucked is with the HIPPA compliance laws and lawsuits filed by people who bought the software.

    3. Re:not scarequotes needed by l0n3s0m3phr34k · · Score: 3, Informative

      And yet they won't; per HIPAA encryption is "Addressable" and not "Required". 45 CFR 164.312 is actually really short and is completely tech agnostic.

    4. Re:not scarequotes needed by budgenator · · Score: 3, Informative

      You have to read the FTC complaint and have experience dealing with Schein to understand what's really going on. It's my opinion that the use of encryption was not for the purpose of protecting patient information from unauthorized release to ne'er–do–wells, but to make the difficulty of migrating Our data to a new vendor's Dental Practice Management System unnecessarily difficult.

      Schien as a company is like a stereotype of all the worst qualities of Microsoft, Oracle and SAP.; they are my company of last resort.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    5. Re:not scarequotes needed by CanadianRealist · · Score: 2

      Sounds like it's time to take care of it the "American way." Sue them.

      Henry Schein's Gentrix G5 did not use minimal HIPAA encryption levels, despite saying so in its brochures, online website, newspaper interviews, and newsletters.

      Everyone who bought the software can now sue them for not providing what they claimed to provide. Sue them for the cost of the software plus punitive damages to cover the hassle of having to switch over to some software that does proper encryption.

    6. Re:not scarequotes needed by niftymitch · · Score: 1

      And yet they won't; per HIPAA encryption is "Addressable" and not "Required". 45 CFR 164.312 is actually really short and is completely tech agnostic.

      N.B. the application in question is only supported today on Windows 8.n.
      We could go down the rat hole that WindowZ is the weaker link.

      Encryption is only an issue for data should it be lost. i.e. if computer hardware is
      stolen or recycled badly.
      The nature of the HIPAA procedures place a lot of responsibility on the dentist
      not the application vendor beyond requiring logging in by name and managing the
      administrator password.

      The single dentist office installation is small and there is little risk of a wide
      class action litigation. Perhaps the dentists against the software company
      but that is multiple orders of magnitude different.

      The interesting bits get exposed when the dentist connects to an insurance
      provider via modem or the internet to transact payment. That asymmetry
      puts a lot of pressure on the insurance side more than the dentist side.
      There may be some patient history in the dentist records of interest to privacy
      folk. Dentistry is a blood sport so they care about AIDS/HIV. Some drugs are
      prescribed for pain or infection so these and allergies may matter. But
      a dentist records are less interesting than those of the STD, OBGYN or mental
      health services.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    7. Re:not scarequotes needed by Coren22 · · Score: 1

      It would get settled for a free upgrade to the most recent version of the software which uses AES encryption.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:not scarequotes needed by Anonymous Coward · · Score: 0

      I can second this. I've had a client for the last 15 years using Dentrix, and keeping you and your data in their system is clearly a priority for them. Other vendors have tools to import your Dentrix data into their product, and Dentrix has a fairly shabby export facility (which isn't cheap), so you're not really locked in. But it sure isn't easy to get out.

  6. Isn't it interesting by Anonymous Coward · · Score: 0

    What I find disturbing is that this is the feds, not a court, convicting them.

  7. Re:Does Rust ensure HIPAA-compliant software? by l0n3s0m3phr34k · · Score: 3, Informative

    No, because HIPAA is totally tech agnostic. The security protocols in HIPAA are only a few pages; encryption is "Addressable" yet not "Required" unlike "Unique User Identification". They are designed so a normal "office manager" can do a checklist; they are in no way "security protocols" like an actual IT compsec person would design.

    "Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information."
    "Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."

    That's pretty much the tech level of the entire document, there are no actual technologies referenced in it. Technically you could indeed use Pig Latin as your "encryption", but actually don't need to have any encryption at all.

  8. Good by frovingslosh · · Score: 1

    Good. Now maybe the Federal Trade Commission will go after anyone building back doors in their software or hardware for the criminals at the N.S.A.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  9. Rickety pile of smouldering crap by Dr.Dubious+DDQ · · Score: 3, Informative
    I've been working for an organization that uses Dentrix. My impression of it is...not very favorable.

    It seems like someone wrote a basic customer-tracking database for Windows that happened to be focussed on dental patients, and then Henry Schein bought them and built the rest by "buying" (or "licensing") connections to a pile of other third-party software. In addition to MS-SQL and Microsoft Office, this seems to include Adobe Flash in places, "integrators" for at least two different third-party imaging software packages, a messaging system, and who knows what else.

    Looking at the CERT notice, I'm guessing they "bought" (/"licensed") their special "proprietary encryption" as a package from Faircom and just bolted it on without any further examination. They were probably happily going along continuing to brag about their encryption because Faircom was, and they figured Faircom could be blamed for it.

    It doesn't help that "Dental-patient record tracking software" isn't a particularly big niche, so there's likely very little competition and any half-assed thing they throw together will continue to generate license fees because Big Multibillion-Dollar Corporation can easily outmarket the very few competitors they may have (and who may not actually be any better). Many years ago, I worked for a proprietary retail inventory-and-point-of-sale software developer. Their product was also a rickety pile of smouldering crap, but it still seemed to be better than most of their few competitors back then. Horrifying, but I suspect Henry Schein is in an analogous situation (compounded by being a massive conglomerate).

    --
    Hacker Public Radio is our Friend
    1. Re:Rickety pile of smouldering crap by Opportunist · · Score: 1

      Most medical administration software I came across is atrocious on any level. It's usually technologically at the very least 10 years behind, has a user interface that makes SAP look intuitive and consistent and contains more security holes than the average HackMe app for teaching people the OWASP Top 10.

      Thinking about it, most of the applications could actually be used as a poster child for teaching the OWASP Top 10. They usually have them all in one way or another.

      Seriously, if you look for the worst written software in existence, look no further than medical administration.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Rickety pile of smouldering crap by Anonymous Coward · · Score: 0

      This doesn't adequately capture the horror. It requires a version of Flash (9) with known vulnerabilities going back years. It requires users to have administrator rights. It's only compatible with TWAIN scanners. One module crashes with a GDI+ error if your monitor resolution is above 1024 x 768. The terrible just never stops.

      Practice management is actually a bigger arena than you might think, though. Their biggest competitor is probably is Eaglesoft, but there are at least a dozen others.

    3. Re:Rickety pile of smouldering crap by Anonymous Coward · · Score: 0

      Don't forget the buttons you can't see if your resolution is too low.

  10. Re:Does Rust ensure HIPAA-compliant software? by Anonymous Coward · · Score: 0

    > No, because HIPAA is totally tech agnostic.

    That kind of depends on your definition of "tech." If your records are on paper, they aren't subject to HIPPA privacy protections.

    And just to segue a bit - this company getting fined is an amazingly rare occurrence. HIPPA enforcement is toothless. What is the point of a privacy law if there are no consequences for breaking it?

  11. They're never satisfied. by mwvdlee · · Score: 1

    First they wanted to backdoor all encryption, now they've got a fully-backdoored encryption and it's still not good enough.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  12. Every corporate crime is a crime against us all. by Anonymous Coward · · Score: 0

    So every fine should be placed in to social security for everyone to recoup their loss.

  13. Re:Does Rust ensure HIPAA-compliant software? by Anonymous Coward · · Score: 0

    You're partially correct. HIPAA does not require encryption. However: if you want Safe Harbor from HITECH obligations to notify patients of breaches, then the kind of "encryption" you use does matter, and the rule points to NIST standards for that.

    And just to clarify an error in the OP wrt: "Henry Schein, who deliberately ignored CERT and FTC warnings:"

    This action by FTC followed from a complaint I filed with FTC after I was unable to convince Henry Schein to individually notify all its customers that what it had sold them as "encryption" wasn't encryption. After my meetings with them and comments from cryptographers that I published, Schein did agree to change their branding and their newsletters, but they still wouldn't notify customers individually. And I was already aware of one case where a dentist had a breach, and reportedly innocently - and wrongly - reassured his patients not to worry because the ePHI were "encrypted."

    But the FTC never warned or cautioned Henry Schein and I am not aware of Schein ignoring any warnings from the FTC.

    As a HIPAA-covered entity myself, I'm glad the FTC acted on my complaint to send a strong message that if you advertise something will help you meet your HIPAA obligations, it should. Calling obfuscation "encryption" gave dentists and their patients a false sense of security.

    And kudos to Justin Shafer who reported the VU to US-CERT and then filed a supplemental complaint to my complaint to the FTC.

    ~~Dissent

  14. Wait! Has the FTC Done Something?!! by BrendaEM · · Score: 1

    OMG, I can't believe that FTC did something. This is where people would chime in and point out a list of FTC accomplishments, if people could.
    Ha-ha!

    --
    https://www.youtube.com/c/BrendaEM
  15. Re:Does Rust ensure HIPAA-compliant software? by Anonymous Coward · · Score: 1

    Not exactly. HIPPA has provisions for both PHI and e-PHI. If your business works with another by passing either PHI or e-PHI, you either have to be compliant or you don't do business with them. In practical terms, this means that if you're a dentist and you want to be reimbursed by insurance, it doesn't matter if you're submitting paper or pixels - you have to be HIPPA compliant. If you want to do a cash-only business and you don't need to work with any other HIPPA-compliant business, you can roll HIPPA up in a ball and trash it. Regardless of whether your records are paper or pixels.