Back in June of 2013, the United States Computer Emergency Readiness Team [“USCERT”] came out saying the Dentrix G5 software was something short of encrypted. Dentrix G5 should not be described as encryption software. As part of the vulnerability note from USCERT, Dentrix G5 was re-branded as Data Camouflaging – NOT ENCRYPTED.
#HIPAA Pop Quiz: Is the use of encryption mandatory under the HIPAA Security Rule? Click here or go to http://wp.me/p4bsis-1lK to take the quiz!
USCERT is part of United States Department of Homeland Security that, per its website, leads efforts to improve the Nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans.
The re-branding of Dentrix G5 came after the software had been marketed as encrypted software. The Federal Trade Commission [FTC] alleged that the maker of Dentrix G5, Henry Schein Practice Solution, Inc., had not publicly tested its software and knew that its software was not encrypted. Even knowing that their software was not encrypted, Henry Schein Practice Solution marketed Dentrix as the encrypted database engine for dentistry. To make matters worse, Dentrix G5 was released as the ‘encrypted database engine’ just when HHS directed providers to follow NIST guidelines that recommended AES encryption.
The Dentrix G5 encryption claims went on for two years. Per the FTC complaint, Dentrix’s assertions included:
Misleading claims about Dentrix G5 appeared in product brochures and nationally respected publications.
Currently, Dentrix, on its website, describes its software as:
Dentrix G5 Helps You Improve Security
In addition to your work required to ensure security, Henry Schein introduced cryptographic technology in Dentrix version G5 to supplement a practice’s employee policies, physical safeguards and data security. Available only in Dentrix G5, we previously referred to this feature as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate. Regardless of what you call it, this is a proactive step which Henry Schein has taken to augment, not replace, your security systems. http://dentrix.com/articles/content/id/529
What is data camouflage and why is it less secure than encryption? Data camouflage, according to the USCERT note, means the data is obfuscated [stored in a code that is hard for humans to read]. The problem is that an attacker can copy the obfuscated, hard-to-read data stored in Dentrix, move it elsewhere, change the software code, and then read the data, because the transform that hides the data is part of the software itself. Encryption, on the other hand, cannot be read by simply changing the data code: without the key, the data stays unreadable.
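The distinction in the paragraph above is easier to see in code. The following is an added illustration, not code from this post and not Henry Schein’s or Dentrix’s actual implementation; the `Mask` routine and its `maskConstant` are a hypothetical stand-in for any fixed, keyless transform, and nothing here reflects how Dentrix G5 really stores data. It contrasts that stand-in with AES-256-GCM using a key supplied from outside the program, and `ReadableWithProgramOnly` asks the question a compliance reviewer should ask of any feature sold as “encryption”: can a copy of the stored data be read by someone who has the software but not the key?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// maskConstant is baked into the program itself. Anyone who can run or read
// the software already holds it, so it is not a secret. (Constructed value
// for this illustration; it does not describe Dentrix's actual mechanism.)
var maskConstant = []byte("fixed-masking-constant-hypothetical")

// Mask models "data camouflage": a fixed transform that makes stored bytes
// look unreadable but protects nothing, because no key lives outside the
// software.
func Mask(plain []byte) []byte {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b ^ maskConstant[i%len(maskConstant)]
	}
	return out
}

// Unmask reverses Mask using only what the program already contains.
func Unmask(masked []byte) []byte { return Mask(masked) }

// Encrypt uses AES-256-GCM with a key supplied from outside the program
// (a key store, HSM or OS keychain). Output layout: nonce || ciphertext || tag.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt. It fails unless the caller holds the same key,
// and GCM's authentication tag also rejects any tampering with the blob.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ReadableWithProgramOnly reports whether a copy of the stored record can be
// recovered by someone holding the software but no key: true for the masked
// form, false for the form sealed with a key held elsewhere.
func ReadableWithProgramOnly(record []byte) (maskedReadable, encryptedReadable bool, err error) {
	maskedReadable = bytes.Equal(Unmask(Mask(record)), record)

	realKey := make([]byte, 32)
	if _, err = rand.Read(realKey); err != nil {
		return
	}
	sealed, err := Encrypt(realKey, record)
	if err != nil {
		return
	}
	// Without the key, the program's user has nothing better than a guess.
	guess := make([]byte, 32)
	_, openErr := Decrypt(guess, sealed)
	encryptedReadable = openErr == nil
	return
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Doe;dob=1980-01-01")
	m, e, err := ReadableWithProgramOnly(record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("masked record readable without any key:    %v\n", m)
	fmt.Printf("encrypted record readable without the key: %v\n", e)
}
```

Run it with `go run` and the two lines print `true` and `false`. The design point is where the secret lives: a transform whose only “key” ships inside the software can be undone by anyone who has that software, whereas AES-GCM with a key kept outside the program fails closed, both for a wrong key and for a tampered blob.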
Get 10 Tips from the FTC for Healthcare Security. Click here or go to: http://wp.me/p4bsis-1jF
Even after re-branding as camouflaged, Dentrix G5 was culpable for years of misleading encryption assertions. How culpable? The maker of Dentrix G5 has agreed to pay $250,000.
What does this mean for providers who use Dentrix?
Your patient database is not in compliance with NIST guidelines.
If data stored on Dentrix is improperly accessed, lost, stolen, or hacked, a HIPAA breach has occurred: the HIPAA Safe Harbor is not applicable!