Some encrypted databases aren't secure, finds Microsoft study

There's more bad news regarding the security of healthcare data, according to a study from Microsoft.

Many types of databases used for electronic health records (EHRs) are vulnerable to leaking protected information, regardless of their encryption status. Researchers found that sensitive information, including sex, age, race, hospital admission information and other medical data, could be accessed and stolen using four types of cyberattacks.

In an experiment with encrypted databases operating in a steady state, in which enough encryption layers had been peeled away to allow applications to run queries, the study authors found that the attacks could correctly recover order-preserving encrypted attributes for more than 80 percent of the patient records from 95 percent of the 200 hospitals included in the study. Certain attributes under deterministic encryption could be recovered for more than 60 percent of patient records.

The authors suggested that while the amount of recoverable data described in the study is already considerable, it should be viewed as the lower bound on what could potentially be extracted. “The first reason is that the attacks only make use of leakage from the [encrypted database] and do not exploit the considerable amount of leakage that occurs from the queries to the [encrypted database],” they wrote. “The second reason is that our attacks do not even target the weakest encryption schemes used in these systems (e.g., the schemes used to support equi- and range-joins).”

Not surprisingly, the researchers conclude that the types of encrypted database systems they studied and found vulnerable to attack should not be used for storing medical information.

Read the complete study.

Beth Walsh, Editor
