Could New Database Methodology End Massive Healthcare Data Breaches?

If a hacker succeeds in breaking through network security defenses and gains access to patient data, hundreds of thousands of healthcare records can be stolen in an instant. In the case of Anthem, tens of millions of records were obtained by data thieves.

However, a new methodology for protecting relational databases has been devised by Washington D.C-based MD and computer scientist, William Yasnoff M.D. Yasnoff, a managing partner of the National Health Information Infrastructure (NHII) Advisors, believes that the new architecture could help healthcare organizations avoid large-scale data breaches.

In a paper published in the Journal of Biomedical Informatics, Yasnoff explains that he has developed a new health record storage architecture that allows healthcare organizations to store and encrypt individual patient’s data separately. By using Yasnoff’s “personal grid” methodology, healthcare organizations can greatly reduce the risk to patients in the event of a data breach.

The technique is not being sold by Yasnoff, but can be used free of charge by healthcare organizations and technology companies.

Hackers Would Be Required to Decrypt Each Record One at a Time

Traditional databases store all records in a single file. If an attacker gains access to a system, that file can be stolen. One intrusion can therefore result in the files of every patient being obtained. If the data are encrypted, cracking the encryption will allow the attacker to gain access to every record contained in the database.

Using Yasnoff’s methodology, each record would be stored separately and would require a separate key to decrypt each record. If a hacker gained access to the machine on which the database is stored, each record would need to be decrypted individually.

Search Speed Sacrificed for Superior Security

However, the benefit of traditional relational databases is the speed at which records can be searched. The database file contains multiple indexes which allows searches to be performed rapidly, even with large databases.

While patient records are undoubtedly more secure when using Yasnoff’s personal grid, there is a tradeoff with speed of access of information. Since each record is stored and encrypted separately, conducting a search of the database takes time. The records must be searched sequentially and each must be decrypted separately.

Data security therefore comes at the expense of speed. According to the paper, depending on the complexity of the search and the size of the database, record searches may take between 7 and 33 minutes before a patient’s record can be accessed. Yasnoff points out that speed of access is not a critical requirement of a health information infrastructure.

While patient records need to be accessed promptly, searches of healthcare databases are not so time-critical. According to Yasnoff, “Searching across multiple records rapidly is not a requirement for any user that I have been able to find in healthcare.”

Search Speed Can Be Improved by Using Multiple Virtual Servers.

Conducting a search of a database containing a million records would be slow as there are no indexes. “Get record one, decrypt record one, find what you are looking for, update your tally, and move on to the next record. That is very slow.” says Yasnoff.

Fortunately search speed can be improved by using multiple cloud-based virtual servers. Temporarily allocating 500 virtual servers will allow searches to be performed 500 times faster. If 1,000 virtual cloud servers are used, even large database searches could be conducted within an hour.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.