FTC Takes Watchdog Stance Over Patient Data Encryption Standards
By Christine Kern, contributing writer
A $250,000 settlement with an IT vendor sends a strong message to vendors to protect data.
The Federal Trade Commission has taken a tough watchdog stance over the protection of patient data, reaching a $250,000 settlement with an IT vendor over its data encryption promises, according to the FTC. The settlement should send a strong message to vendors about the seriousness of meeting their security claims.
“Strong encryption is critical for companies dealing with sensitive health information,” Jessica Rich, Director of the FTC’s Bureau of Consumer Protection said in the statement. “If a company promises strong encryption, it should deliver it.”
According to the FTC complaint, Henry Schein Practice Solutions, Inc., an office management software solutions provider for dental practices, marketed its Dentrix G5 software with “deceptive claims that the software provided industry-standard encryption of sensitive patient information,” assuring clients that its software was HIPAA-compliant. In fact, the FTC alleged, the provider used a less complex method of data masking that does not meet the National Institute of Standards and Technology (NIST) guidelines, while touting the product’s “encryption capabilities” for protecting sensitive information and meeting “data protection regulations” in its marketing materials.
As part of the settlement, the company is prohibited from misleading consumers about the extent to which its products ensure regulatory compliance, protect consumers’ PHI, and use industry-standard encryption. The company is also required to notify all customers who purchased Dentrix G5 during the period noted in the complaint and to provide the FTC with ongoing reports on the notification program.
According to Health Data Management, the company responded with a statement, noting the settlement is not an admission of wrongdoing, but that, “We made a decision to settle with the FTC to avoid long and costly litigation.”
The statement also asserted, “The security features in Dentrix are part of our evolving product development efforts. Dentrix provides multiple features to help protect patient data, especially when used in combination with practice security measures based upon standards, best practices, laws and regulations. We do recommend that offices employ some form of full disk encryption that utilizes AES-level encryption.”
Michael McMillan, CEO of CynergisTek, told Modern Healthcare the FTC move was not unexpected, saying, “They said last year that they were going to be looking at the promises that vendors were making with respect to their products and capabilities — do these products really have up-to-date encryption, real audit features, data integrity. I would like to see them do more of this. It would be very helpful to the industry for them to be a watchdog for false promises.”
The case underscores the seriousness of the federal guidelines for the protection of patient data and the repercussions that failure to meet them can carry.