Henry Schein is one of the largest names in the dental industry. The company says that more than 35,000 dental practices rely on their flagship product – Dentrix – to cover both the clinical and business side of day-to-day operations.
The downside to this large market share, according to researcher Justin Shafer, is that Dentrix customers have been unknowingly exposed to risk and regulatory action after the latest version of the software shipped with a flaw that was supposed to have been patched two years ago.
Another troubling aspect to this story is the silence from CERT on the matter. The vulnerability was disclosed CERT last year, but nothing's happened since. Considering patient data is being placed at risk from both network-based and physical attacks; the situation is one where responsible (coordinated) disclosure has failed. That's unfortunate, because the researcher did everything right, but the problem remains.
In 2013, Justin Shafer, an IT professional working in the dental industry, reported a vulnerability to CERT concerning hard-coded credentials in Dentrix that are shared across multiple installation sites. The credentials are used to access the Dentrix database back end and administrators cannot change them.
The nightmare scenario would be an attacker obtaining credentials from one site and using them to access patient records at other dental offices. At the time, Henry Schein was supporting Dentrix version G5 and in order to address the problem released version G5.1 Hotfix 1 in February of 2013.
Later that year, a computer was stolen from a dentist's office in Rocklin, California, turning the nightmare scenario into reality. Dr. Rob Meaglia, another Dentrix customer, told patients in a notification letter that the data stored in the database was encrypted.
He made those claims based on his belief in the marketing statements from Henry Schein that the Faircom standard encryption (used by Dentrix G5) was protecting information. But it wasn't.
The Faircom standard encryption at the time didn't ensure that a decryption key was needed for accessing database contents. When called on this fact, Faircom started using the term Data Camouflage, in order to avoid confusion with standard encryption algorithms.
In March of 2014, Shafer provided details and proof-of-concept code to CERT proving that Dentrix G5.1 Hotfix 1 was still vulnerable due to hard-coded credentials. According to his notes on the disclosure, all of the passwords for the DTXUSER account start with 'S876' and five additional characters. He was able to brute force the rest of the password with a Perl script.
Convinced that this was a problem, CERT assigned VU #176231 to him, and added that they'd contact Henry Schein directly. According to emails from CERT, a fix would be available in June, but not released until November.
In August of 2014, Shafer tested his research against Dentrix G6 Beta and discovered that it too had hard-coded credentials. Using the previously assigned VU number, he reported his findings to CERT.
It's also worth mentioning that in March of 2014, PHIprivacy.net filed an FTC complaint against Henry Schein alleging that the company, and their Dentrix software, violated the FTC Act by deceiving customers as to the security of its product, including the fact that hard-coded credentials "have put and continue to put patient databases at risk..."
Earlier this month, Shafer contacted Salted Hash because it has been more than a year since he has heard from CERT about his vulnerability report. Again, his report isn't new, as it addresses a previously disclosed issue in Dentrix that has existed in several software versions for two years.
Attempts by Salted Hash to reach CERT on the matter have been met with silence, which is frustrating given the fact that there are at least 35,000 dental practices using the software.
Reached by email, Henry Schein said they've dealt with "security issues by promptly releasing a proactive and customer-oriented solution and has issued multiple software updates to augment the security features already in the solution."
"We are very committed to helping our customers meet their obligations to protect patient information. Of course, the best prevention for protecting against data breach is for a practice to implement security not only across their technology assets (e.g., securing networks and computers, implementing firewalls) but also best practices for office physical security, administrative, and organizational security. Ensuring these four tenets of practice security will create safeguards that greatly reduce security risks and increase security coverage that no one vendor can provide."
The company also says they are attempting to increase customer awareness of the need to take proper precautions, and work with them on applying security features in Dentrix. An example of this awareness training, the statement added, can be seen in four of the last five Dentrix magazine editions where articles on security are published.
The only article Salted Hash was able to locate related to awareness training is from April 30, 2015. In it, Henry Schein advises customers to have security assessment performed, while at the same time promoting the assessment services of a business partner in order to make things easier.
When asked about the magazine, Shafer said that most of his clients ignore it, but he didn't offer any specifics as to why.
"Henry Schein is committed to security and continues to work to resolve any new security concerns, as it is the industry norm to continuously update and improve software. Our current Dentrix roadmap includes additional security enhancements to assist our customers in securing their data," added the company's statement.