The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption.
The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST).
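The HIPAA definition above sets a testable bar: without the confidential key, there must be a low probability of assigning meaning to the stored data. The Go program below is an added example, not code from the article or from Henry Schein, and it contrasts two transforms against that bar. The `camouflage` function is a constructed, keyless XOR pad standing in for the kind of proprietary transform US-CERT called data camouflage (it is not the Dentrix G5 algorithm, which the article does not describe); the AES side uses the Go standard library's AES-256-GCM. The sample record and the check function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record; not real patient data.
var sampleRecord = []byte("patient=Jane Doe;dob=1980-01-01;procedure=D1110")

// camouflagePad is a fixed pad baked into the program. A transform whose only
// "secret" ships inside the software gives anyone holding the software the
// means to reverse it, so it is not a confidential process or key.
var camouflagePad = []byte{0x5A, 0xA5, 0x3C, 0xC3}

// camouflage is a constructed stand-in for a proprietary, keyless transform.
// It is not the Dentrix G5 algorithm, which the article does not describe.
func camouflage(plain []byte) []byte {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b ^ camouflagePad[i%len(camouflagePad)]
	}
	return out
}

// aesGCMSeal encrypts with AES-256-GCM (NIST-standardised AES in an
// authenticated mode), prefixing a fresh random nonce to the ciphertext.
func aesGCMSeal(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails unless the key is right and the
// ciphertext is untampered.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// IsDeterministic reports whether a transform maps the same record to the same
// output twice. Equal outputs reveal that two stored records are equal, which
// already assigns meaning to the data without any key.
func IsDeterministic(transform func([]byte) []byte, record []byte) bool {
	return bytes.Equal(transform(record), transform(record))
}

// CamouflageIsReversibleWithoutKey shows the camouflage round-trips using only
// what ships in the program: applying it twice restores the record.
func CamouflageIsReversibleWithoutKey(record []byte) bool {
	return bytes.Equal(camouflage(camouflage(record)), record)
}

// AESGCMIsDeterministic seals the same record twice under one random key and
// reports whether the outputs match; with random nonces they should not.
func AESGCMIsDeterministic(record []byte) (bool, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false, err
	}
	a, err := aesGCMSeal(key, record)
	if err != nil {
		return false, err
	}
	b, err := aesGCMSeal(key, record)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

// AESRejectsWrongKey reports whether AES-GCM refuses to decrypt under any key
// other than the one used to seal, while still opening under the right key.
func AESRejectsWrongKey(record []byte) (bool, error) {
	key, wrong := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false, err
	}
	if _, err := rand.Read(wrong); err != nil {
		return false, err
	}
	sealed, err := aesGCMSeal(key, record)
	if err != nil {
		return false, err
	}
	if _, err := aesGCMOpen(wrong, sealed); err == nil {
		return false, nil // wrong key must not succeed
	}
	got, err := aesGCMOpen(key, sealed)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, record), nil
}

func main() {
	fmt.Println("camouflage deterministic:     ", IsDeterministic(camouflage, sampleRecord))
	fmt.Println("camouflage undone without key:", CamouflageIsReversibleWithoutKey(sampleRecord))
	det, _ := AESGCMIsDeterministic(sampleRecord)
	fmt.Println("AES-GCM deterministic:        ", det)
	ok, _ := AESRejectsWrongKey(sampleRecord)
	fmt.Println("AES-GCM rejects wrong key:    ", ok)
}
```

The two properties checked here are the ones a covered entity can ask a vendor about before relying on the encryption safe harbor: whether identical records produce identical stored output, and whether anything other than a key the entity controls can reverse the transform. A keyless, deterministic transform fails both, whatever it is called in marketing material.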
Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders.
Dentists are covered under HIPAA and must therefore implement a number of administrative, technical and physical safeguards to keep patient data secure. Henry Schein was aware that HHS recommended the AES standard for encryption, and that HIPAA-covered entities seek to qualify for the HHS safe harbor for encrypted data.
Henry Schein marketed its software to dentists suggesting that the encryption used by its Dentrix G5 software solution would help them comply with HIPAA regulations. However, Dentrix G5 did not use AES encryption; instead the company used a proprietary algorithm that did not provide the level of security required by HIPAA.
Its encryption was far less robust than AES, so much so that the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert back in 2013, informing Henry Schein that it must change its marketing and branding to avoid any confusion with AES encryption. US-CERT said its data encryption should be referred to as data camouflage.
Even with that warning, Henry Schein continued to market its database software as incorporating data encryption until January 2014. Once the change had been made, Henry Schein failed to inform previous purchasers of Dentrix G5 that its encryption was not up to the standard of AES, as recommended by HHS. Dentists using Dentrix G5 were led to believe that they had protected data to the requirements demanded by HIPAA when they had done nothing of the sort.
The FTC recently ruled that Henry Schein “falsely advertised the level of encryption it provided to protect patient data.” The company has now been ordered to stop making false and misleading claims and must alert its customers about the lower standard of encryption used by Dentrix G5. The FTC has also ordered Henry Schein Practice Solutions, Inc., to pay a fine of $250,000, and the company must also comply with a 20-year consent order.