In early 2014, and over on PHIprivacy.net, I published some posts expressing concern about a vulnerability in Dentrix software, Dentrix’s claims at the time that its G5 product incorporated “encryption,” and their subsequent decision that the firm would not individually notify all customers that what the customers had been sold as “encryption” was not encryption.
Following up on the public posts, PHIprivacy.net filed a complaint with the FTC based on this privacy advocate’s opinion that Henry Schein/Dentrix’s marketing had been deceptive or an unfair practice and that the firm should have notified customers individually to ensure that they understood that their patient database was not encrypted. That complaint also pointed out that their product reportedly still had another vulnerability that also put patient data at risk.
In May, 2014, CERT informed the researcher who reported the vulnerability that Henry Schein had told CERT it would have a fix for that vulnerability in June, 2014, although it might not be deployed by the majority of users until November 2014. CERT, which assigned VU #176231 to the vulnerability, asked the researcher to keep his proof quiet for the time being.
The vulnerability is reportedly still not fixed, according to the researcher. Henry Schein rolled out its next generation of Dentrix, G6, and no sooner did they release it in beta version than the researcher reported he was still able to remotely access the patient databases. In September, 2014, he responsibly notified CERT and Dentrix of his findings and offered them helpful recommendations. A copy of his communication to CERT can be found in a blog post he wrote last week.
And then … nothing. Silence.
It is now May, 2015, and if I understand the researcher correctly, this is basically the same issue/concern that he has been reporting to Henry Schein since 2012 and to US-CERT since May, 2013. And as best as I can determine, Henry Schein still has not fully disclosed the problem to those who use Dentrix.
And checking CERT will not help, because VU #176231 does not even appear.
Yesterday, in “Hard-coded credentials placing dental offices at risk,” Steve Ragan reported:
Attempts by Salted Hash to reach US-CERT on the matter have been met with silence, which is frustrating given the fact that there are at least 35,000 dental practices using the software.
Reached by email, Henry Schein said they’ve dealt with “security issues by promptly releasing a proactive and customer-oriented solution and has issued multiple software updates to augment the security features already in the solution.”
Henry Schein’s response to Ragan, which you can read in full in his report, does not seem to acknowledge that they have a vulnerability. Then again, they don’t seem to actually deny it, either.
Ragan quotes Brian Martin of Risk Based Security, who nails it:
“When a medical company opts to ignore a reported vulnerability, especially when the researcher went out of their way to report and work with the vendor citing patient data concerns, it is disturbing and telling.”
“In this case, it is quite troubling that Dentrix is not being responsive to the researcher, not providing a timely solution, and not working with him to further test software patches. Instead, they are relying on their same original flawed process for creating software updates, apparently refusing to implement security testing, and ultimately putting their customers further at risk.
“Even worse, the U.S. government body designed to help coordinate and disclose these vulnerabilities, along with viable solution information, doesn’t appear to be helping at all. Working with vendors and being understanding of their development process is one thing, but allowing customers to be at continued risk for almost four years is unacceptable.”
DataBreaches.net concurs. This is unacceptable. What is CERT doing?
But what did the FTC do about the complaint PHIprivacy.net filed over one year ago asking them to get Henry Schein to fully disclose the vulnerability to its customers by individual notification?
How many dentists who purchased Dentrix G5 still use it? And how many of them still do not know that what they were sold as “encryption” isn’t encryption?
How many dentists who purchased Dentrix G6 are unaware of the vulnerability that could, according to the researcher, allow their entire patient database to be stolen by someone sitting in their parking lot?
If the government is serious about sharing information and cybersecurity, why is it ignoring the risk to hundreds of thousands or millions of dental patients? The researcher has done what he was asked to do and tried to help protect patient data. Does there have to be a massive hacking of dental patients’ data before CERT and/or the FTC do something?
I hope not.
CORRECTION: US-CERT was incorrectly cited. The organization involved in this was CERT. Thanks to Steve Ragan for catching the error both our articles made.