One of my pet peeves in the SaaS industry is vendors that make false claims about their conformance to security requirements, so it was encouraging to read this article about the Federal Trade Commission taking action over a false claim.
The article states that the “software vendor was lying through its teeth” about its conformance with the HIPAA (Health Insurance Portability and Accountability Act) security standards. HIPAA's Security Rule does not name a specific algorithm, but HHS guidance under its Breach Notification Rule only treats protected health information as secured when it is encrypted in line with current NIST recommendations, for which AES (the Advanced Encryption Standard) is the usual choice. That distinction matters in practice: the company also lost a laptop containing medical information, and the loss would not have had to be reported as a breach if the data on it had been encrypted to that standard.
As US-CERT learned in 2013, Henry Schein's Dentrix G5 did not use the level of encryption that HIPAA guidance expects, despite saying so in its brochures, website, newspaper interviews and newsletters. The CERT team issued a public vulnerability note in June 2013 warning Henry Schein customers that the product lacked proper encryption. The warning also covered a similar issue in a software product sold by Faircom, another software maker. According to CERT, both products relied on DES (the Data Encryption Standard). DES is a 1970s symmetric-key block cipher with a 56-bit key: a brute-force search of that key space was demonstrated in hardware in 1998 and NIST withdrew the standard in 2005, so it has not counted as adequate encryption for a long time.
Promising to meet security regulations is easy but meeting them is tough: it's like an arms race. Each time an encryption algorithm is declared outdated or shown to be breakable and a stronger one becomes available, software vendors have to replace a core component of their product, re-encrypt the data already stored under the old algorithm, and keep every record readable while that migration runs.
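As an added illustration of that replacement problem (example code written for this post, not Questionmark's, Henry Schein's or Faircom's software), the Go program below uses only the standard library to show one way to stay agile: every stored record carries an algorithm identifier, a key ring holds one key per algorithm still in use, decryption dispatches on the identifier, and a migration pass re-encrypts anything still under DES as AES-256-GCM. The record layout, the identifiers and the keys are hypothetical, and the DES path exists only to build fixtures for the migration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical record layout: byte 0 names the algorithm, so a reader can tell
// legacy DES records from current AES records and migrate the former.
const (
	algDESCTR    byte = 1 // legacy: DES-CTR, 56-bit key, no integrity check
	algAES256GCM byte = 2 // current: AES-256-GCM, authenticated
)

type KeyRing map[byte][]byte // one key per algorithm still present in stored data

// encryptLegacyDES reproduces the weak format [alg][iv][DES ciphertext]. It
// exists only to build legacy fixtures; new data must never be written with it.
func encryptLegacyDES(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // crypto/des itself documents DES as broken
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	rand.Read(iv)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return append(append([]byte{algDESCTR}, iv...), ct...), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAES256GCM writes the current format [alg][nonce][ciphertext||tag]. The
// algorithm byte is bound as associated data, so the tag covers the header too.
func encryptAES256GCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, plaintext, []byte{algAES256GCM})
	return append(append([]byte{algAES256GCM}, nonce...), ct...), nil
}

// Decrypt dispatches on the algorithm byte so old and new records coexist during migration.
func Decrypt(kr KeyRing, record []byte) ([]byte, error) {
	if len(record) == 0 {
		return nil, errors.New("empty record")
	}
	body := record[1:]
	switch record[0] {
	case algDESCTR:
		block, err := des.NewCipher(kr[algDESCTR]) // fails once the DES key is retired
		if err != nil || len(body) < des.BlockSize {
			return nil, errors.New("bad DES key or malformed record")
		}
		pt := make([]byte, len(body)-des.BlockSize)
		cipher.NewCTR(block, body[:des.BlockSize]).XORKeyStream(pt, body[des.BlockSize:])
		return pt, nil
	case algAES256GCM:
		gcm, err := newGCM(kr[algAES256GCM])
		if err != nil || len(body) < gcm.NonceSize() {
			return nil, errors.New("bad AES key or malformed record")
		}
		return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], []byte{algAES256GCM})
	}
	return nil, fmt.Errorf("unknown algorithm id %d", record[0])
}

// Migrate re-encrypts anything not already under AES-256-GCM; current records pass through.
func Migrate(kr KeyRing, record []byte) ([]byte, error) {
	if len(record) > 0 && record[0] == algAES256GCM {
		return record, nil
	}
	pt, err := Decrypt(kr, record)
	if err != nil {
		return nil, err
	}
	return encryptAES256GCM(kr[algAES256GCM], pt)
}

func main() {
	kr := KeyRing{algDESCTR: []byte("8bytekey"), algAES256GCM: []byte("0123456789abcdef0123456789abcdef")} // constructed demo keys
	legacy, _ := encryptLegacyDES(kr[algDESCTR], []byte("patient: Jane Doe, DOB 1980-01-01"))           // constructed record
	migrated, err := Migrate(kr, legacy)
	pt, _ := Decrypt(kr, migrated)
	fmt.Println(legacy[0], migrated[0], err, string(pt))
}
```

Two design points are worth noting. Go's crypto/des package still compiles, but its documentation flags DES as broken, which is exactly the deprecation signal a vendor has to act on rather than wait out. And feeding the header byte to GCM as associated data means the tag covers it, but that alone does not stop a record from being relabelled as DES; the real downgrade defence is deleting the DES key from the ring once every record has been migrated, at which point Decrypt refuses the legacy path because des.NewCipher rejects the missing key.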
Assessment software is a prime target for attacks because these systems hold Personally Identifiable Information (PII), valuable content and test results. Questionmark has invested heavily to “keep up”, but maintaining security is a constant challenge that requires smart people and continued investment. Let's hope that government actions help expose the fraudsters so that secure systems are appreciated by those who rely on them.