FTC Sends Strong Message to Health IT Vendors
Health IT vendors are under incredible pressure to represent to customers that their hardware and software solutions are impervious to cyber threats. Pick any major trade show and the first line you'll hear from exhibitors is that their solution is HIPAA-compatible, and, even more misleading, HIPAA-compliant. It's important that vendors understand overstating security protocols and capabilities can have major legal and financial implications.
For some time, the FTC has expressed its intention to hold vendors accountable for the promises made to consumers regarding the security of their products. On January 5, 2016, the FTC announced it had settled with Henry Schein Practice Solutions for $250,000 to the FTC amid allegations it deceptively advertised its level of encryption, misleading customers about its ability to secure patient data. Shein represented, as part of its major marketing campaign, that it used "industry-standard" encryption in its Dentrix G5 dental practice management software, and that the software complied with federal security regulations.
The FTC complaint states that Shein knew that their product did not meet industry standards, but chose to purposefully mislead customers. For this reason, in addition to the settlement, Shein must inform all customers who purchased its software during the period the company used the misleading marketing that it does not, in fact, offer industry standard encryption, as promised. Not the kind of notification any company wants to make. Health IT vendors should expect further scrutiny by both FTC and OCR, as they team up to take on cybersecurity in the healthcare industry.
The consequences of this kind of federal action can be the death knell for a company that handles sensitive data, including protected health information (PHI). Multiple resources exist to assist vendors in making good on claims that they're in compliance with relevant security protocols. An investment in these resources may help quell the specter of federal scrutiny, and has the added benefit of increasing protection of consumer data.
A quick note for Health IT purchasers: This is yet another reminder that it is your responsibility to adequately evaluate vendors with which you plan to contract for services involving your PHI. Before you sign on the dotted line, subject the vendor to a review of their security protocols and ask them to back up their security claims until you're confident in their quality.
Read the FTC complaint here.