Encrypted EHR data subject to 'alarming' leakage

Encrypted data in electronic health records is not totally secure, permitting an "alarming" amount of sensitive patient information to be exposed, according to a new study from Microsoft researchers.

The study evaluated EHRs containing real patient data from a number of U.S. hospitals using four different kinds of attacks on the data. The researchers found that all known practical solutions leak some information.

"While encryption could offer some protections ... it also has serious limitations," the study's authors say. "In particular, since an encrypted database cannot be queried, it has to be decrypted in memory which means the secret key and the database are vulnerable to adversaries with memory access. In cloud settings, where a customer outsources the storage and management of its database, encryption breaks any service offered by the provider."

For instance, the researchers recovered the mortality risk and patient death attributes for 100 percent of the patients for at least 99 percent of 200 large hospitals. What's more, they recovered disease severity, mortality risk, age, length of stay, admission month and admission type of at least 80 percent of the patients in at least 95 percent of 200 large hospitals.

They also recovered the admission month, disease severity and mortality risk for 100 percent of patients for at least 99.5 percent of 200 small hospitals.

The study's authors point out that such leakage is probably actually higher, since the study only reviewed attacks on the electronic database, but did not exploit leakage from the queries to the database. The study also didn't target the weakest encryption schemes in the system.

The study is to be presented next month at the ACM Conference on Computer and Communications Security, according to an article at Networkworld.

Cybersecurity of EHRs is a major concern, as healthcare providers, managed care plans and even EHR vendors have been the victims of cyberattacks in recent months.

The Health and Human Service Department's Office for Civil Rights' head Jocelyn Samuels, in announcing OCR's most recent resolution agreement with a provider to settle alleged HIPAA violations after a security breach, noted that "proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."

To learn more:
- read the study (.pdf)
- here's the article