The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Schein), a provider of office management software for dental practices. The FTC claimed that Schein falsely advertised the level of encryption in software provided to protect patient data.
Schein marketed a database to dental practices with claims that the software was compliant with the Advanced Encryption Standard (AES) encryption required to protect patient data under US healthcare regulations. However, rather than encryption, the software used a less secure “data camouflage” algorithm that was more vulnerable to attack.
Under the settlement, Schein will be required to notify all customers that the software does not provide industry-standard encryption. Schein will also pay USD 250,000 as disgorgement – a common provision in FTC advertising cases, but the first for marketing claims specifically related to data security.
Link (FTC): FTC press release
A feature by Monte Reel and Jordan Robertson for Bloomberg Business looks at the world of security vulnerabilities in medical devices. The authors look at the findings of research carried out for the Mayo Clinic on the security of devices used on its premises. The results are sobering:
“For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
‘Every day, it was like every device on the menu got crushed,’ Rios says. ‘It was all bad. Really, really bad.’ The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.”
Link: Full article on Bloomberg Business
PenTestPartners has revealed security vulnerabilities in the Smarter iKettle 2.0 which could allow an attacker to steal the owner’s Wi-Fi network key, potentially compromising all information on the owner’s home network.
Link: New Wi-Fi kettle, same old security issues? Meh.
The EFF has released the results of research on poorly secured automated licence plate recognition (ALPR) systems. The research identified more than a hundred ALPR cameras left accessible to anyone with a web browser. The EFF release also looks at how five agencies operating the ALPR cameras responded after being warned of the vulnerabilities.
Link (EFF): License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech