Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Privacy Software IT

FTC Fines Software Vendor Over False Data Encryption Claims (softpedia.com) 37

An anonymous reader writes: The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product's encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so. The software vendor is Henry Schein, who deliberately ignored CERT and FTC warnings and continued to sell its CRM for dentists, even if it knew it did not comply with HIPAA rules. The vendor got "only" a $250,000 fine.
This discussion has been archived. No new comments can be posted.

FTC Fines Software Vendor Over False Data Encryption Claims

Comments Filter:
  • by Anonymous Coward

    This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!

    • Really now, there are very good algorithms out there. Would it have really been that hard to sub out the encryption module of their source code with a vetted encryption algorithm?

      Oh--- right-- Probably not using properly modularized code! Because FIRST TO MARKET or some similarly retarded reason.

    • This is yet another example of why rolling your own encryption is a very bad idea. Not only is it a weak algorithm but it also relies on obscurity. Their literature even says that due to it's proprietary nature that makes it even more secure because it's more difficult to reverse engineer. Good job, morons!

      They were using DES. DES is an encryption algorithm. DES with cypher block chaining is quite secure, given that the information is not financial data. Financial data would be studied to determine the encryption keys, but dental records do not carry financial data.

      Can dental information be monetized? Please explain to me why someone would want to decrypt a dental database? A typical dental practice rarely has more than 10k patients active and perhaps adds 2k patients per year and prunes that many records

  • by Gravis Zero ( 934156 ) on Sunday January 10, 2016 @09:57AM (#51272351)

    yes, they were only fined $250K. Henry Schein is a multibillion dollar multinational company. [wikipedia.org] $250K is "cost of business" expense because they make millions selling their software. this isn't even a slap on the wrist.

    • by budgenator ( 254554 ) on Sunday January 10, 2016 @11:10AM (#51272621) Journal

      You have to read the FTC complaint and have experience dealing with Schein to understand what's really going on. It's my opinion that the use of encryption was not for the purpose of protecting patient information from unauthorized release to ne'er–do–wells, but to make the difficulty of migrating Our data to a new vendor's Dental Practice Management System unnecessarily difficult.

      Schien as a company is like a stereotype of all the worst qualities of Microsoft, Oracle and SAP.; they are my company of last resort.

    • Sounds like it's time to take care of it the "American way." Sue them.

      Henry Schein's Gentrix G5 did not use minimal HIPAA encryption levels, despite saying so in its brochures, online website, newspaper interviews, and newsletters.

      Everyone who bought the software can now sue them for not providing what they claimed to provide. Sue them for the cost of the software plus punitive damages to cover the hassle of having to switch over to some software that does proper encryption.

      • It would get settled for a free upgrade to the most recent version of the software which uses AES encryption.

  • Good. Now maybe the Federal Trade Commission will go after anyone building back doors in their software or hardware for the criminals at the N.S.A.
  • by Dr.Dubious DDQ ( 11968 ) on Sunday January 10, 2016 @11:47AM (#51272771) Homepage
    I've been working for an organization that uses Dentrix. My impression of it is...not very favorable.

    It seems like someone wrote a basic customer-tracking database for Windows that happened to be focussed on dental patients, and then Henry Schein bought them and built the rest by "buying" (or "licensing") connections to a pile of other third-party software. In addition to MS-SQL and Microsoft Office, this seems to include Adobe Flash in places, "integrators" for at least two different third-party imaging software packages, a messaging system, and who knows what else.

    Looking at the CERT notice, I'm guessing they "bought" (/"licensed") their special "proprietary encryption" as a package from Faircom and just bolted it on without any further examination. They were probably happily going along continuing to brag about their encryption because Faircom was, and they figured Faircom could be blamed for it.

    It doesn't help that "Dental-patient record tracking software" isn't a particularly big niche, so there's likely very little competition and any half-assed thing they throw together will continue to generate license fees because Big Multibillion-Dollar Corporation can easily outmarket the very few competitors they may have (and who may not actually be any better). Many years ago, I worked for a proprietary retail inventory-and-point-of-sale software developer. Their product was also a rickety pile of smouldering crap, but it still seemed to be better than most of their few competitors back then. Horrifying, but I suspect Henry Schein is in an analogous situation (compounded by being a massive conglomerate).

    • Most medical administration software I came across is atrocious on any level. It's usually technologically at the very least 10 years behind, has a user interface that makes SAP look intuitive and consistent and contains more security holes than the average HackMe app for teaching people the OWASP Top 10.

      Thinking about it, most of the applications could actually be used as a poster child for teaching the OWASP Top 10. They usually have them all in one way or another.

      Seriously, if you look for the worst writ

  • First they wanted to backdoor all encryption, now they've got a fully-backdoored encryption and it's still not good enough.

  • OMG, I can't believe that FTC did something. This is where people would chime in and point out a list of FTC accomplishments, if people could.
    Ha-ha!

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...