By Mark Bower
In a classic case of a company making headlines for bad security practices, dental service software provider Henry Schein Practice Solutions recently was slapped with a $250,000 fine for misleading its clients about how well its technology protected sensitive data.
Henry Schein agreed to pay the quarter-million dollars as part of settling Federal Trade Commission charges that it falsely advertised the level of encryption it used to safeguard patient data.
According to the FTC, Schein falsely claimed its Dentrix G5 software used industry-standard encryption, assuring users that the product would protect patient data in line with the Health Insurance Portability and Accountability Act (HIPAA).
As part of the settlement, Henry Schein will be prohibited from making such false claims about its data security, and will notify all customers who purchased the software in question.
There is a lesson here for other organizations. Even the best-intentioned enterprises can find themselves in regulatory hot water if data security approaches don’t meet industry best practices.
The action taken by the FTC sends a clear message that organizations need to take data security very seriously—it cannot be made up on the fly, and it can’t be just a case of “trust the vendor.”
It is incumbent upon companies to make certain that they are employing strong encryption technology that is backed by organizations like the National Institute of Standards and Technology and validated by the world's top cryptographers. There are right ways to protect data, and many wrong ways that do not stand up to scrutiny, or even to simple attacks.
Fortunately, even in cases where data needs to be masked and de-identified in more flexible ways than traditional encryption allows, strong techniques are available, such as Format-Preserving Encryption (now specified by NIST in SP 800-38G) and Secure Stateless Tokenization. These technologies let companies manage data securely, scale readily, and, above all, provide proven security for almost any platform that needs to protect data.
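To make concrete what "format-preserving" means, here is an added illustration that is not part of the original essay and not HPE's product code: a Feistel-style cipher over decimal digit strings, built on HMAC-SHA256 as the round function, so that a 16-digit card number encrypts to another 16-digit number and decrypts back. It has the same shape as NIST's FF1 (unbalanced Feistel, tweak mixed into every round) but it is not FF1 and is not a validated algorithm; it exists only to show the property and the structure. In production, use FF1 or FF3-1 from a validated library, which is exactly the essay's point. The helper names, the key, and the sample card number are all constructed for this example.

```python
import hmac
import hashlib

# Round function: a keyed PRF over (tweak, round number, the half being read),
# reduced modulo 10**out_len so the result is a digit string of the right width.
# NIST FF1 uses an AES-CBC-MAC PRF here; HMAC-SHA256 is used only so this runs
# with the standard library. Illustration only, not a validated FPE cipher.
def _round_function(key: bytes, tweak: bytes, round_index: int, half: str, out_len: int) -> int:
    msg = tweak + b"|" + bytes([round_index]) + b"|" + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def _check(plaintext: str) -> None:
    if not plaintext.isdigit() or len(plaintext) < 2:
        raise ValueError("input must be a decimal digit string of length >= 2")


def fpe_encrypt(key: bytes, tweak: bytes, plaintext: str, rounds: int = 10) -> str:
    """Encrypt a digit string to a digit string of the same length.

    Unbalanced Feistel: the left half A (length u) is replaced by
    (A + F(B)) mod 10**len(A) and the halves are swapped, so the output
    keeps the input's length and character set.
    """
    _check(plaintext)
    n = len(plaintext)
    u, v = n // 2, n - n // 2
    a, b = plaintext[:u], plaintext[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v          # width of the half being rewritten
        y = _round_function(key, tweak, i, b, m)
        c = (int(a) + y) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, ciphertext: str, rounds: int = 10) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting F."""
    _check(ciphertext)
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, m)
        c = (int(b) - y) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_card_number(key: bytes, pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Encrypt only the middle digits of a card number, keeping the issuer
    prefix and last four in the clear (a common FPE deployment pattern).
    The kept digits are bound in as the tweak so the same middle digits
    encrypt differently under a different prefix or suffix.
    """
    _check(pan)
    head, middle, tail = pan[:keep_prefix], pan[keep_prefix:-keep_suffix], pan[-keep_suffix:]
    tweak = (head + tail).encode("ascii")
    return head + fpe_encrypt(key, tweak, middle) + tail


def unprotect_card_number(key: bytes, protected: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    head, middle, tail = protected[:keep_prefix], protected[keep_prefix:-keep_suffix], protected[-keep_suffix:]
    tweak = (head + tail).encode("ascii")
    return head + fpe_decrypt(key, tweak, middle) + tail


if __name__ == "__main__":
    # Constructed sample inputs; the key is a fixed demo value, never do this in production.
    demo_key = b"demo-key-32-bytes-for-example-00"
    sample_pan = "4111111111111111"
    protected = protect_card_number(demo_key, sample_pan)
    print(sample_pan, "->", protected, "->", unprotect_card_number(demo_key, protected))
```

The thing to notice when you run it is that the output still looks like a card number: same length, digits only, issuer prefix and last four intact, so it fits in the existing database column and passes the same format checks as the original. That is the operational advantage the essay is pointing at; the security still rests entirely on using a standardized cipher and a properly managed key, not on the format trick.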
With these types of technologies readily available to easily and quickly protect sensitive data, there’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data at rest, in motion, and in use.
Mark Bower, global director of product management for HPE Security-Data Security, wrote this guest essay, which originally appeared on ThirdCertainty.com.