Dentrix’s newest newsletter contains an article on data security that is significant both for no longer using the term “encryption” to describe their security and for offering customers more resources and help. In light of my previous commentary on Dentrix security and marketing, I would be remiss not to note this progress here. Note that HenryScheinDental/Dentrix did not make me aware of this article. It was sent to PHIprivacy.net by someone who followed my criticism of Dentrix and thought I’d be interested in seeing it. They were right.
In the new Dentrix enewsletter, there’s an article on data security by Rhett Burnham. The article provides a few important resources for dentists, which is something I had suggested to Dentrix both when Burnham and I talked and in my previous blog post. But here is the part that really caught my eye:
Dentrix G5 Helps You Improve Security
In addition to your work required to ensure security, Henry Schein introduced cryptographic technology in Dentrix version G5 to supplement a practice’s employee policies, physical safeguards and data security. Available only in Dentrix G5, we previously referred to this feature as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate. Regardless of what you call it, this is a proactive step which Henry Schein has taken to augment, not replace, your security systems.
With that statement, it seems that Dentrix has incorporated my strong recommendation and the opinion of experts that they should not call their security feature “encryption.” I am delighted that they have taken this important step and commend them for it, as well as their effort to be clear that their feature does not replace required security but (only) augments it. And to the extent that new customers are not as likely to be confused or believe that they are getting encryption as specified by HIPAA, I hope this will encourage more dentists to adopt the stronger security measures that are also needed.
All that said, since not everyone using G5 may read the newsletter, I hope Dentrix also follows up with a letter/mailing to all customers to reinforce their message that data masking using cryptographic technology is not a replacement for strong encryption.
I am also delighted to note their plans to provide more security resources for their clients, as I had also suggested in our conversation and my previous blog post:
Get Informed, Stay Informed
Henry Schein is committed to helping our customers establish required data security and protection for the benefit of the patient and the practice. We will continue to investigate ways to enhance security in the Dentrix product, and in the coming months, you can look for a Security Information Center on the Dentrix website where you and your IT professional can find additional security resources, including recommendations for data protections, systems security and other best practices.
The article also reminds clients where they can get more technical support for their installations from Dentrix:
Need Help Securing your Network? Henry Schein Experts Can Help.
Henry Schein’s TechCentral team of computer and business technology experts provides complete IT solutions including network security, expert support and experienced technicians for thousands of practices nationwide. For more information visit www.HenryScheinTechCentral.com to learn about the TechCentral Protected Practice. To speak with a Henry TechCentral expert today, call 877.483.0382.
The newsletter makes no mention, however, of the existing – and serious – vulnerability that Dentrix is presumably still working with FairCom to address: the hardcoded login problem discussed in my previous blog post. I think that’s an issue where current customers need to be informed so that they are aware of the risk while Dentrix works on a genuine fix. Certainly it makes sense to me to inform customers of the risk and suggest that, if practicable, they not store Social Security numbers in the database, or that they take other steps to de-identify patient records in case the vulnerability is exploited by a bad actor.
Overall, however, I am really very pleased to see this article and look forward to Dentrix continuing to educate practioners while it strengthens the security of its product.