Recently, the Federal Trade Commission (FTC) announced a $250,000 fine and a Consent Order with Henry Schein over misleading claims about encryption in their software.
If we’re honest, for the average consumer it’s not even a blip on the radar. That changes when we’re talking about a child’s health records. I’ve had those conversations with parents after a data breach and their concern is real.
Who should be listening? Any small business that relies on a software vendor to protect sensitive consumer information, or in this case electronic Protected Health Information (ePHI). That includes any health care provider, but specifically small practices including but not limited to dental offices. It can easily include any practice that bought a software system holding ePHI within servers at their own offices.
To get the specifics out of the way, according to the FTC Henry Schein mislead buyers of their software to believe they used a specific encryption standard (AES). To paraphrase, in the end the software was found to camouflage data, not encrypt it. Had they used that standard, their customers could be protected from risk associated with the loss of data. In a specific type of incident they would not be required to report a breach to the federal government (and potentially 47 individual state Attorneys General).
I’ll rephrase that, this is a “breach” vs. “no breach” reporting situation.
We’re not talking about some Hollywood style cyber conspiracy where clandestine actors buried in mountain top cyber-labs steal state secrets.
We’re talking about a routine, every-day, brick through the front door smash-and-grab that nets the thief a laptop or desktop PC from behind the front counter.
If they had not mislead buyers for over two years, that smash-and-grab would result in a short investigation, the replacement costs associated with the stolen computer and some minor physical repairs. Because they mislead their own customers, that same event could result in six figures of investigation, notification, and legal fees. Customer losses would make the situation worse. This is the outcome, even if a single record was never shown to be mis-used.
While the teams at Henry Schein will certainly be taking steps to correct the technical deficiencies, the marketing and sales organizations will be given new materials, and organizational changes will likely occur, what customers (past and future) of any practice management, EHR or EMR system need are practical steps to protect themselves from these events.
Some have recommended stronger due diligence prior to purchase. While that could have helped a few firms evaluating the software once the issue was being reported, it’s likely the company would have strongly disputed the questions assuring any potential buyer that everything was good. In fact the FTC claim is that Henry Schein knew of the issue for two years and continued to mislead potential buyers.
The more practical solution is to maintain a level of skepticism when accepting any vendor claim. Back up that skepticism with your own risk assessment process using an objective third party that does not sell the application. By the very nature of the reseller relationship, a conflict of interest can occur. In this case, it was great work from an integrator that discovered the issue but I still have to ask if there was a conflict in that business relationship that allowed Henry Schein to ignore or downplay the issue for as long as they did.
In the end, an existing customer of this software that protected themselves would have likely been informed of this potential risk. It’s important to note that risk assessments driven by the same vendor providing the software are neither guaranteed to be complete (covering every aspect of your operation) nor truly skeptical of their own software. HIPAA laws, NIST standards, and Meaningful Use incentives define and require risk assessment for good reasons that don’t include selling software licenses.
As custodians of public data (even low volumes), we must evaluate the software holding that data for known issues. Along with other risks we report and rank these issues so our organizations (and clients) can make informed decisions, file questions directly with vendors, and ultimately demonstrate diligence and care in protecting patient information. Those simple, but easily documented steps can make the difference in fine structures for even a single HIPAA breach.
That could mean the difference between a five-figure, six-figure, or seven-figure breach cost for an organization.