Share this article on:
Researchers at Microsoft have recently issued a paper questioning the effectiveness of EHR data encryption. A warning has been issued to healthcare providers about security vulnerabilities in some electronic medical record systems, which have been shown to leak information, even when data encryption software is used.
The results of the study are due to be presented at the ACM Conference on Computer and Communications Security next month, although the research paper can be viewed now, ahead of the ACM presentation.
During the study, Microsoft researchers successfully managed to view patient data that included names, race, age, hospital admission information and other data, by exploiting security vulnerabilities. The paper cites four methods that can be used by hackers to gain access to the Protected Health Information of patients.
The researchers were so concerned about the high risk of data exposure, it was deemed necessary to issue a warning to healthcare providers and other HIPAA-covered entities that were using CryptDB based protections. They were told in no uncertain terms to start searching for an alternative encryption system, as their current one was liable to leak data.
Effectiveness of EHR Data Encryption in Doubt
The study investigated encrypted relational databases based on CryptDB; a popular database system that allows SQL queries over encrypted data, often using property-preserving encryption (PPE) schemes. PPE has been demonstrated to leak data in the past, although in spite of known vulnerabilities in the system, the risk of data exposure had never been properly studied or quantified until now.
Data encryption based on the CryptDB system is popular in the healthcare industry as it requires little in the way of changes to the legacy database infrastructure, and the system is fast. But the way the system encrypts and decrypts makes it liable to leak data.
Microsoft Researchers found that “When the encrypted database is operating in a steady-state where enough encryption layers have been peeled to permit the application to run its queries, our experimental results show that an alarming amount of sensitive information can be recovered.”
The data obtained by the researchers in one of the attacks included information about the risk of mortality and severity of the disease suffered, the length of stay in hospital, the admission month, admission type and age of the patient. Data of this nature was obtained for 80% of patients, but more worryingly, the researchers discovered attacks of this nature were possible on over 95% of the largest 200 hospitals in the country. It would also be possible to attack HR and accounts databases in the same manner, according to the researchers.
Data encryption will reduce the probability of data exposure if mobile devices are lost or stolen, but it is not the universal solution to keep PHI 100% secure. It is unlikely that data encryption alone will prove to be 100% effective at keeping data protected during a cyberattack.