Some encrypted databases aren't secure, finds Microsoft study

There's more bad news regarding the security of healthcare data, according to a study from Microsoft.

Many types of databases used for electronic health records (EHRs) are vulnerable to leaking protected information, regardless of their encryption status. Researchers found that sensitive information, including sex, age, race, hospital admission information and other medical data, could be accessed and stolen using four types of cyberattacks.

In an experiment with encrypted databases operating in a steady state, where enough encryption layers had been peeled to allow applications to run queries, the study authors found the attacks could correctly recover order-preserving encrypted attributes for more than 80 percent of the patient records from 95 percent of the 200 hospitals included in the study. Certain attributes under deterministic encryption could be recovered for more than 60 percent of patient records.

The authors suggested that while the amount of recoverable data described in the study is already considerable, it should be viewed as the lower bound on what could potentially be extracted. “The first reason is that the attacks only make use of leakage from the [encrypted database] and do not exploit the considerable amount of leakage that occurs from the queries to the [encrypted database],” they wrote. “The second reason is that our attacks do not even target the weakest encryption schemes used in these systems (e.g., the schemes used to support equi- and range-joins).”

Not surprisingly, the researchers conclude that the types of encrypted database systems they studied and found vulnerable to attack should not be used for storing medical information.


Beth Walsh, Editor
