Microsoft study: EHR databases can leak personal data
- Despite using encryption methods, many types of databases for EMRs are vulnerable to leaking personal information such as gender, race, age and admission information, according to a recently released Microsoft study.
- The study used patient data from 200 U.S. hospitals.
- According to the authors, an experiment found that cyberattacks on the hospitals recovered 80% of order-preserving encrypted attributes (age and disease severity) of patient records from 95% of the hospitals.
In addition, the researchers found that attacks on deterministic encryption could recover more than 60% of certain attributes (sex, race and mortality risk) of patient records.
The authors suggested the amount of recoverable data should be viewed as the lower threshold of what could be recovered, stating, “[One] reason is that the attacks only make use of leakage from the [encrypted database] and do not exploit the considerable amount of leakage that occurs from the queries to the [encrypted database].”
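The following added example (not code or a method from the study) shows why a deterministically encrypted low-cardinality column leaks: equal plaintexts produce equal ciphertexts, so the ciphertext histogram mirrors the plaintext histogram. It assumes an HMAC as a stand-in for the encryption scheme, a constructed 100-row "mortality risk" column, and a constructed public reference distribution; all names are hypothetical.

```python
import hashlib, hmac, os
from collections import Counter

KEY = b"constructed-demo-key"  # constructed key, for this demo only

def det_token(value: str) -> str:
    # Stand-in for deterministic encryption: equal plaintexts -> equal tokens.
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def rand_token(value: str) -> str:
    # Stand-in for randomized encryption: a fresh nonce makes every token unique.
    nonce = os.urandom(12)
    tag = hmac.new(KEY, nonce + value.encode(), hashlib.sha256).hexdigest()[:16]
    return nonce.hex() + tag

def exposure(tokens, truth, public_freq):
    """Fraction of rows whose value is revealed by pairing the i-th most common
    token with the i-th most common value of a public reference distribution."""
    by_count = [t for t, _ in Counter(tokens).most_common()]
    by_freq = sorted(public_freq, key=public_freq.get, reverse=True)
    guess = dict(zip(by_count, by_freq))
    return sum(guess.get(t) == v for t, v in zip(tokens, truth)) / len(tokens)

# Constructed column: 100 rows of a four-level "mortality risk" attribute.
COLUMN = ["minor"] * 50 + ["moderate"] * 30 + ["major"] * 15 + ["extreme"] * 5
# Constructed public reference distribution (close to, not equal to, the column).
PUBLIC = {"minor": 0.45, "moderate": 0.35, "major": 0.15, "extreme": 0.05}

def audit():
    # Returns (exposure under deterministic tokens, exposure under randomized tokens).
    det = exposure([det_token(v) for v in COLUMN], COLUMN, PUBLIC)
    rnd = exposure([rand_token(v) for v in COLUMN], COLUMN, PUBLIC)
    return det, rnd

if __name__ == "__main__":
    det, rnd = audit()
    print(f"deterministic: {det:.0%} of rows exposed; randomized: {rnd:.0%}")
```

Randomized encryption removes the histogram signal, but it also removes the ability to run equality queries directly on the encrypted column, which is the trade-off deterministic schemes make.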
Follow Jeff Byers on Twitter