This month, the FTC has levied a fine against Henry Schein, Inc, for misleading claims about Dentrix G5 encryption.
The issue cited by the FTC involved marketing on the Dentrix G5 brochure, claiming that HIPAA and NIST compliant encryption was in place on the Dentrix G5 database. However, this turned out not to be the case. The FTC has published all pertinent documents, as well as a press release, of the problem facing Henry Schein regarding Dentrix G5 encryption.
The actual complaint is filed on the FTC website, and can be read here: https://www.ftc.gov/system/files/documents/cases/160105scheincmpt.pdf
The press release from the FTC has been published on their website, and can be found here: https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
Finally, the settlement noting the $250,000 fine can be found here: https://www.ftc.gov/system/files/documents/cases/160105scheinagreeorder.pdf
What Does this Mean for You?
Possibly, nothing. If you have taken steps to encrypt your server, then the software-based encryption employed on Dentrix G5 is a non-issue. However, if you have been relying on Dentrix G5 encryption protocols for your compliance, then you’ll need to take some action.
What Steps Should I Take?
HIPAA demands that data in transit must be encrypted, but does not specifically mention encryption for data at rest. However, encryption for data at rest comes with a very high recommendation, from IT providers as well as from the Office of Civil Rights, the enforcement arm of HIPAA, itself.
For dentists, the most common data breach arises from physical theft of non-encrypted data. Encrypting your server is easy, effective, and affordable.
“TPM Chips” enable full-drive encryption on Windows Server, and run less than $60 as an add-on to most existing servers. $60 is a very small price to pay to encrypt your entire data stores, and removes any risk pertaining to Dentrix G5 encryption issue.
But – What Should I Do Today?
The most important thing you can do today is update your risk assessment if you are running Dentrix G5. Place the FTC article in your binder, and determine a course of action that you deem appropriate. Remember, you can’t go wrong with a TPM Chip installed on your Windows Server, and that simple device will alleviate any risk due to poor encryption of the Dentrix G5 database.
Period of Public Comment on this Case is Active
If you’d like to participate in the public comment period on this case, you can do so here, on the FTC site: https://ftcpublic.commentworks.com/ftc/henryscheinconsent/
It’s important to take steps to encrypt your data, whether or not your software company does it for you. Encrypting your entire server is an affordable, easy, and full-proof way to make sure eveyrthing is locked down at all times. If you have any questions, contact us via phone or email to discuss ways to increase your security and encryption.
Here is another very nice writeup from one who knows the problem well – Justin Shafer was integral in bringing this problem to light.