The database software says it is “encrypted”... but is it?
Your company relies upon its database or office management software to encrypt internal documents and customer data so that hackers cannot read them. Is it possible that your software claims to provide encryption but actually does not? After the Snowden disclosures and the Target holiday hack, it would seem ludicrous that a product offering “encryption” would not truly secure your data. But it recently happened.
In January 2016, the Federal Trade Commission (FTC) fined a Fortune 500 company on charges that it “misled customers about encryption of patient data.” A large distributor of medical supplies marketed its Dentrix G5 software, which the FTC described as the “leading office management software for dental practices.” Specifically, Dentrix G5 enabled clerical staff in dentists’ offices to enter patient data, process payments, submit insurance claims, and record progress notes, treatment plans, and diagnostic information. In short, Dentrix G5 housed all of a patient’s personal, medical, and financial records. If hacked, a dental office would be handing over a treasure trove of data, which could be both costly and embarrassing.
In early 2012, the company claimed that Dentrix G5 had a new “database engine” with “new capabilities” including encryption. The company asserted that “encryption plays a key role in your efforts to stay compliant with HIPAA…” and that, “[w]ith ever-increasing data protection regulations, Dentrix G5 provides an important line of defense…” But there was a problem.
Nearly two years earlier, in 2010, the database engine vendor had informed the company that its algorithm had not been publicly tested and was more vulnerable than the industry-standard encryption algorithm. The company nonetheless continued to market Dentrix G5 as “encrypted.” Worse, the FTC alleged that the company knew that its customers (dental groups) were required to use industry-standard encryption in order to receive “safe harbor” protections and to meet HIPAA standards. Problems deepened when the United States Computer Emergency Readiness Team (CERT) issued a Vulnerability Alert in 2013 that named Dentrix G5 and stated that it did not even meet the definition of “encryption” but instead provided a “weak obfuscation algorithm.” The company persisted with its marketing plan for several more months and failed to warn previous purchasers. The FTC filed suit, alleging “deceptive claims of encryption.” In January 2016, the parties settled, resulting in a $250,000 FTC fine, notification to all customers, and a prohibition against misleading advertising.
Is your software compliant?
How can you ensure that your company’s software is compliant with industry standards or government regulations? Fortunately, there is one method of encryption that meets or exceeds both industry and government standards: Advanced Encryption Standard (AES) encryption. AES meets National Institute of Standards and Technology (NIST) standards and is the encryption standard that the FTC used to determine that Dentrix G5 was deficient. As an illustration of AES’s reliability, the NSA uses AES to secure its data.
Steps you can take to ensure your company's software is compliant include:

- Check the name and version number of your database or management software.
- Perform a Google search using the name, version, and “AES” to determine whether your current software provides sufficient protection.
- Going forward, ensure that your IT department stays current with software upgrades and industry news about data intrusion.
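As an added illustration that is not part of the original post and is not code from Dentrix, its vendor, or the FTC: the Go program below encrypts a constructed sample record with AES-256-GCM (AES being the standard named above, in an authenticated mode so that tampering is detected) and then applies two smoke tests a defender can run against any export that a product labels “encrypted”: protecting the same record twice must not give identical output, and no plaintext field may survive in the output. A fixed-byte XOR routine is included purely as a hypothetical stand-in for “obfuscation rather than encryption”; it is not the algorithm at issue in the Dentrix case and is there only so the checks have something to reject. The sample record, the key, the function names, and the XOR stand-in are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
var sampleRecord = []byte("patient=Jane Doe;dob=1980-01-01;dx=K02.9;card=4111111111111111")

// Constructed 256-bit key. A real deployment loads the key from a key manager, never from source.
var key = bytes.Repeat([]byte{0x42}, 32)

// encryptAESGCM seals plaintext with AES-256-GCM under a fresh random nonce.
// Output layout: nonce || ciphertext || authentication tag.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM and fails if even one bit was modified.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// aesProtect binds the demo key so it matches the protect signature used below.
var aesProtect = func(p []byte) ([]byte, error) { return encryptAESGCM(key, p) }

// obfuscate is a constructed stand-in for "obfuscation, not encryption": a fixed-byte XOR.
// It is hypothetical and not the Dentrix algorithm; it exists so the checks have something to reject.
func obfuscate(plaintext []byte) ([]byte, error) {
	out := make([]byte, len(plaintext))
	for i, b := range plaintext {
		out[i] = b ^ 0x5A
	}
	return out, nil
}

// looksEncrypted applies two smoke tests to a protection routine: protecting the
// same record twice must give different output (fresh nonce each time), and the
// output must not contain any plaintext field. Passing is necessary, not sufficient.
func looksEncrypted(protect func([]byte) ([]byte, error), plaintext []byte) bool {
	a, errA := protect(plaintext)
	b, errB := protect(plaintext)
	if errA != nil || errB != nil || bytes.Equal(a, b) {
		return false
	}
	for _, field := range bytes.Split(plaintext, []byte(";")) {
		if bytes.Contains(a, field) {
			return false
		}
	}
	return true
}

// tamperDetected flips one byte of sealed output and reports whether decryption refuses it.
func tamperDetected() bool {
	sealed, err := encryptAESGCM(key, sampleRecord)
	if err != nil {
		return false
	}
	sealed[len(sealed)-1] ^= 0x01
	_, err = decryptAESGCM(key, sealed)
	return err != nil
}

func main() {
	fmt.Println("AES-256-GCM passes smoke test:", looksEncrypted(aesProtect, sampleRecord))
	fmt.Println("XOR stand-in passes smoke test:", looksEncrypted(obfuscate, sampleRecord))
	fmt.Println("AES-256-GCM detects tampering:", tamperDetected())
}
```

Run it with `go run`; it prints the result of each check. Passing these checks is necessary but not sufficient evidence of real encryption, so a vendor's written statement of the algorithm, mode, key length, and where the keys are stored still belongs in your compliance records alongside the version check described in the steps above.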