Why Data Leakage Should Be ‘Alarming' You

By Katie Wike, contributing writer

EHR data is far from safe and, according to a new study from Microsoft, data leaks are allowing an “alarming” amount of sensitive information to be exposed.

Researchers from Microsoft say encrypted medical record databases are vulnerable to attack and often leak sensitive data. NetworkWorld adds that, while encryption is usually the best way to prevent cyber-attacks, it leaves decrypted information the computer’s memory that is still vulnerable.

“While encryption could offer some protections ... it also has serious limitations,” study's authors write. “In particular, since an encrypted database cannot be queried, it has to be decrypted in memory which means the secret key and the database are vulnerable to adversaries with memory access. In cloud settings, where a customer outsources the storage and management of its database, encryption breaks any service offered by the provider.”

According to Fierce EMR, researchers were able to uncover the mortality risk and patient death attributes for 100 percent of the patients for at least 99 percent of 200 large hospitals. In addition, they were able to find the following information for at least 80 percent of the patients in at least 95 percent of 200 large hospitals:

• disease severity
• mortality risk
• age
• length of stay
• admission month
• admission type

“When the encrypted database is operating in a steady-state where enough encryption layers have been peeled to permit the application to run its queries, our experimental results show that an alarming amount of sensitive information can be recovered,” the researchers wrote.

If this isn’t worrisome enough, authors indicate actual leakage is probably higher since the study only reviewed attacks on the electronic database but did not exploit leakage from the queries to the database. Also, researchers didn't target the weakest encryption schemes in the system.