Update: Does Dentrix need to send individual notification letters rescinding its "encryption" claim?
As regular readers may recall, I had raised some concerns about Henry Schein Dental claiming its Dentrix G5 product provided “encryption” after NIST had declared in 2013 that it wasn’t encryption but only weak data obfuscation. And I was pleased when Dentrix reconsidered their position after my blog post and decided to re-brand G5 as providing “data masking.”
But have they taken sufficient steps to inform existing customers that the system they bought did not and does not provide encryption? I recently reached out to Henry Schein Dental again, to express my concerns that their newsletter article and website article might not reach all existing customers who should be notified. I also pointed out that although I saw evidence that one old ad had been updated, archived copies of old ads and articles might continue to mislead customers. In my communication, I noted that it might be difficult for the firm to get materials posted on others’ sites deleted or edited. But even if they did, that still doesn’t address my main concern that those currently using G5 may not be aware of the limits of its security features.
In response, I got a detailed explanation from Rhett Burnham, their Director of Product Management, as to how they were addressing the concerns I had raised.
With respect to website materials, he reports that the Dentrix website was reviewed several weeks ago and materials were either updated “to reflect our new product messaging” or removed. The review included archived materials, customer self-help knowledge bases, online resource center, and other Dentrix online properties. As to old press releases or articles published on others’ sites, where I had mentioned specific examples that seemed somewhat problematic, Burnham writes:
As you mention, we will not be able to remove or edit all old press releases or articles. We never produced print or web advertisements touting encryption, so no follow-up is necessary there; however, we have already reached out to the publishers of the two posts you mention in dentistryiq.com (old press release) and dentalproductshopper.com (article) to determine if the publications will change the copy this long after the release. We continue to scan for other posts and will address them in the best possible manner given we do not own those web publications. As for the Dentaltown article, we identified the need to change the article early in the process and worked very closely with Dentaltown to create and publish the addendum to coincide with the eNewsletter and Website changes. We needed to ensure all changes were coordinated to help minimize confusion.
That seems reasonable to me. As to my recommendation for direct customer notifications, Burnham writes:
We are taking a multipronged approach to communication with our customers. This included writing the eNewsletter feature article on data security which was distributed to an email list of 18,000 subscribers and adding the security article as a top feature story on the Dentrix.com website. We are also placing our data security article in our 1st quarter Dentrix Magazine, a hardcopy magazine that is distributed to 30,000 Dentrix customers. We are including a headline to the article on the magazine cover. The magazine will also be posted to our Website and will be distributed electronically in addition to hardcopy. We have found that this combination of communication channels is the most effective manner for our customer base.
We will continue to communicate our product security message to our customers, and have events in planning to provide additional security information and resources. For example, we have committed to holding a security session at our Dentrix Business of Dentistry User Conference this summer. We will also continue to enhance our online properties with additional security information including best practices for physical, administrative, organizational, and technology security. Moreover, we will continue to investigate ways to enhance security in the Dentrix product, while carefully balancing customer requirements.
While I am genuinely delighted to hear some of their plans and that they will continue to work to educate dentists about the security of patient data, I believe that just as car manufacturers have to send individual recall notices or alerts, this situation calls for an individual notification letter. Despite Dentrix’s efforts to date and their planned steps, there remains a risk that some existing customers will not read their literature or attend their conference and may not realize that they should not be relying on what they believed was “encryption” but isn’t. And as Dr. Meaglia’s letter to his patients demonstrated – if dentists are not aware that the G5 “encryption” was not really encryption, they may misinform their patients about risks in the event of a breach. Or worse, and as one dentist pointed out on Twitter, there may have been breaches involving G5 databases that never got reported or never will get reported to HHS or patients if dentists erroneously believed – or continue to believe – they had or have “safe harbor” under HIPAA because of “encryption.”
What the issue boils down to, I guess, is that if a vendor deceives customers or misrepresents the security of patient data in its product – even if the deception was originally a good-faith error – do they have an obligation to notify consumers by mail? I’m not sure what the Federal Trade Commission would say, but as a privacy advocate, I’d say “yes” in this type of situation.
So while I commend Dentrix for what it is doing and will do, and while I truly appreciate their taking my comments and thoughts seriously and responding to them, I’m going to continue to respectfully disagree with them and encourage them to re-consider individual notification letters about the security concerns. Maybe I’m over-generalizing from my own experiences as a health care professional, but frankly, I don’t have time to read one tenth of what comes across my desk in the way of journals and magazines. And as a solo practitioner, I may not get to all the conferences I’d love to attend. But if I were to get a letter from my supplier or vendor stamped “IMPORTANT SECURITY ALERT CONCERNING PATIENT PRIVACY” in red ink on the envelope, I’d open it and read it. Wouldn’t you?
I don’t know what the cost of a mailing would amount to, and I seriously doubt if Dentrix is declining because of the cost of a mailing, but if individual notification spares one dentist the costs of a data breach or better protects the security of patients’ information, I think it’s worth it. The letter should clearly explain both of the existing/known security risks in G5 and provide practical tips and/or resources for dentists so that they can follow up and harden the security of their system, especially if they had been relying on the representation of “encryption.” At the very least, it will make dentists aware that they need to pass the alert along to their IT consultant or employee.
So I’ll keep trying to convince Henry Schein Dental to re-consider their position on individual notifications by mail, and hope that others who are also concerned about patient privacy and security will also urge them to send individual notifications.