FTC Fines Software Vendor Over False Data Encryption Claims (softpedia.com)

← Back to Stories (view on slashdot.org)

FTC Fines Software Vendor Over False Data Encryption Claims (softpedia.com)

Posted by timothy on Sunday January 10, 2016 @02:24AM from the could-have-been-golf-ball-detectors dept.

An anonymous reader writes: The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product's encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so. The software vendor is Henry Schein, who deliberately ignored CERT and FTC warnings and continued to sell its CRM for dentists, even if it knew it did not comply with HIPAA rules. The vendor got "only" a $250,000 fine.

20 of 37 comments (clear)

Min score:

Reason:

Sort:

Yet another proprietary fail by Anonymous Coward · 2016-01-10 02:36 · Score: 1

This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!
1. Re:Yet another proprietary fail by wierd_w · 2016-01-10 02:49 · Score: 2
  
  Really now, there are very good algorithms out there. Would it have really been that hard to sub out the encryption module of their source code with a vetted encryption algorithm?
  Oh--- right-- Probably not using properly modularized code! Because FIRST TO MARKET or some similarly retarded reason.
2. Re:Yet another proprietary fail by lsatenstein · 2016-01-11 13:03 · Score: 1
  
  This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!
  They were using DES. DES is an encryption algorithm. DES with cypher block chaining is quite secure, given that the information is not financial data. Financial data would be studied to determine the encryption keys, but dental records do not carry financial data.
  Can dental information be monetized? Please explain to me why someone would want to decrypt a dental database? A typical dental practice rarely has more than 10k patients active and perhaps adds 2k patients per year and prunes that many records that are past the legal limit of retentions.
  
  --
  Leslie Satenstein Montreal Quebec Canada
not scarequotes needed by Gravis+Zero · 2016-01-10 02:57 · Score: 5, Informative

yes, they were only fined $250K. Henry Schein is a multibillion dollar multinational company. $250K is "cost of business" expense because they make millions selling their software. this isn't even a slap on the wrist.

--
Anons need not reply. Questions end with a question mark.
1. Re:not scarequotes needed by l0n3s0m3phr34k · 2016-01-10 03:47 · Score: 3, Informative
  
  And yet they won't; per HIPAA encryption is "Addressable" and not "Required". 45 CFR 164.312 is actually really short and is completely tech agnostic.
2. Re:not scarequotes needed by budgenator · 2016-01-10 04:10 · Score: 3, Informative
  
  You have to read the FTC complaint and have experience dealing with Schein to understand what's really going on. It's my opinion that the use of encryption was not for the purpose of protecting patient information from unauthorized release to ne'er–do–wells, but to make the difficulty of migrating Our data to a new vendor's Dental Practice Management System unnecessarily difficult.
  Schien as a company is like a stereotype of all the worst qualities of Microsoft, Oracle and SAP.; they are my company of last resort.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
3. Re:not scarequotes needed by CanadianRealist · 2016-01-10 05:29 · Score: 2
  
  Sounds like it's time to take care of it the "American way." Sue them.
  
  Henry Schein's Gentrix G5 did not use minimal HIPAA encryption levels, despite saying so in its brochures, online website, newspaper interviews, and newsletters.
  Everyone who bought the software can now sue them for not providing what they claimed to provide. Sue them for the cost of the software plus punitive damages to cover the hassle of having to switch over to some software that does proper encryption.
4. Re:not scarequotes needed by niftymitch · 2016-01-10 08:03 · Score: 1
  
  And yet they won't; per HIPAA encryption is "Addressable" and not "Required". 45 CFR 164.312 is actually really short and is completely tech agnostic.
  N.B. the application in question is only supported today on Windows 8.n.
  We could go down the rat hole that WindowZ is the weaker link.
  Encryption is only an issue for data should it be lost. i.e. if computer hardware is
  stolen or recycled badly.
  The nature of the HIPAA procedures place a lot of responsibility on the dentist
  not the application vendor beyond requiring logging in by name and managing the
  administrator password.
  The single dentist office installation is small and there is little risk of a wide
  class action litigation. Perhaps the dentists against the software company
  but that is multiple orders of magnitude different.
  The interesting bits get exposed when the dentist connects to an insurance
  provider via modem or the internet to transact payment. That asymmetry
  puts a lot of pressure on the insurance side more than the dentist side.
  There may be some patient history in the dentist records of interest to privacy
  folk. Dentistry is a blood sport so they care about AIDS/HIV. Some drugs are
  prescribed for pain or infection so these and allergies may matter. But
  a dentist records are less interesting than those of the STD, OBGYN or mental
  health services.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
5. Re:not scarequotes needed by Coren22 · 2016-01-11 03:22 · Score: 1
  
  It would get settled for a free upgrade to the most recent version of the software which uses AES encryption.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Re:Does Rust ensure HIPAA-compliant software? by l0n3s0m3phr34k · 2016-01-10 03:45 · Score: 3, Informative

No, because HIPAA is totally tech agnostic. The security protocols in HIPAA are only a few pages; encryption is "Addressable" yet not "Required" unlike "Unique User Identification". They are designed so a normal "office manager" can do a checklist; they are in no way "security protocols" like an actual IT compsec person would design.

"Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information."
"Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."

That's pretty much the tech level of the entire document, there are no actual technologies referenced in it. Technically you could indeed use Pig Latin as your "encryption", but actually don't need to have any encryption at all.
Good by frovingslosh · 2016-01-10 04:26 · Score: 1

Good. Now maybe the Federal Trade Commission will go after anyone building back doors in their software or hardware for the criminals at the N.S.A.

--
I'm an American. I love this country and the freedoms that we used to have.
Rickety pile of smouldering crap by Dr.Dubious+DDQ · 2016-01-10 04:47 · Score: 3, Informative

I've been working for an organization that uses Dentrix. My impression of it is...not very favorable.
It seems like someone wrote a basic customer-tracking database for Windows that happened to be focussed on dental patients, and then Henry Schein bought them and built the rest by "buying" (or "licensing") connections to a pile of other third-party software. In addition to MS-SQL and Microsoft Office, this seems to include Adobe Flash in places, "integrators" for at least two different third-party imaging software packages, a messaging system, and who knows what else.
Looking at the CERT notice, I'm guessing they "bought" (/"licensed") their special "proprietary encryption" as a package from Faircom and just bolted it on without any further examination. They were probably happily going along continuing to brag about their encryption because Faircom was, and they figured Faircom could be blamed for it.
It doesn't help that "Dental-patient record tracking software" isn't a particularly big niche, so there's likely very little competition and any half-assed thing they throw together will continue to generate license fees because Big Multibillion-Dollar Corporation can easily outmarket the very few competitors they may have (and who may not actually be any better). Many years ago, I worked for a proprietary retail inventory-and-point-of-sale software developer. Their product was also a rickety pile of smouldering crap, but it still seemed to be better than most of their few competitors back then. Horrifying, but I suspect Henry Schein is in an analogous situation (compounded by being a massive conglomerate).

--
Hacker Public Radio is our Friend
1. Re:Rickety pile of smouldering crap by Opportunist · 2016-01-10 05:53 · Score: 1
  
  Most medical administration software I came across is atrocious on any level. It's usually technologically at the very least 10 years behind, has a user interface that makes SAP look intuitive and consistent and contains more security holes than the average HackMe app for teaching people the OWASP Top 10.
  Thinking about it, most of the applications could actually be used as a poster child for teaching the OWASP Top 10. They usually have them all in one way or another.
  Seriously, if you look for the worst written software in existence, look no further than medical administration.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re:It's not like the "experts" are any better. by Opportunist · 2016-01-10 05:48 · Score: 2

The flaws you are referring to are in the implementation of the crypto algo, not the algo itself.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They're never satisfied. by mwvdlee · 2016-01-10 07:08 · Score: 1

First they wanted to backdoor all encryption, now they've got a fully-backdoored encryption and it's still not good enough.

--
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Re:It's not like the "experts" are any better. by jonwil · 2016-01-10 09:01 · Score: 1

How many of the bugs in OpenSSL or LibreSSL or GnuTLS are bugs in the actual implementation of the encryption algorithm and how many are bugs in higher level protocols (SSL, TLS etc)?
Wait! Has the FTC Done Something?!! by BrendaEM · 2016-01-10 12:23 · Score: 1

OMG, I can't believe that FTC did something. This is where people would chime in and point out a list of FTC accomplishments, if people could.
Ha-ha!

--
https://www.youtube.com/c/BrendaEM
Re:Pig Latin? by chipschap · 2016-01-10 13:48 · Score: 1

oops :)
Re:It's not like the "experts" are any better. by Coren22 · 2016-01-11 03:14 · Score: 2

Also, how many go completely unpatched by the vendor because they don't understand encryption?
At least with OpenSSL etc, the problems are fixed quickly.

--
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Re:Does Rust ensure HIPAA-compliant software? by Anonymous Coward · 2016-01-11 03:39 · Score: 1

Not exactly. HIPPA has provisions for both PHI and e-PHI. If your business works with another by passing either PHI or e-PHI, you either have to be compliant or you don't do business with them. In practical terms, this means that if you're a dentist and you want to be reimbursed by insurance, it doesn't matter if you're submitting paper or pixels - you have to be HIPPA compliant. If you want to do a cash-only business and you don't need to work with any other HIPPA-compliant business, you can roll HIPPA up in a ball and trash it. Regardless of whether your records are paper or pixels.