Encryption characteristics of two USB-based personal health record devices

From Clinfowiki

The paper investigated the security measures of two USB-based Personal Health Record (PHR) devices. Both devices are small and consist of flash memory and a USB port. The underlying encryption technology and database of the two devices are largely the same: both use Microsoft Access to store data, and both require the user to set up a password to view personal health records.

Article summary

Instead of using the password that the user has chosen to encrypt the content, both devices encrypt the database with a common password that is fixed by the manufacturer. The authors managed to break the encryption set by the manufacturer and opened up the content of both devices without ever needing to know the user password.

The only advantage of this design is that the manufacturer can restore access to the device if the user forgets his or her password. However, if the manufacturer's common encryption key is discovered, it allows access to all customers' full medical records, which is a serious security breach. Even if the key never leaks to unintended personnel, it gives the manufacturer itself the ability to decrypt every device it has sold and thus access all its customers' full medical records.

To improve security, the authors recommended that device manufacturers encrypt data under keys derived from individual user passwords rather than a common key, thus avoiding encryption approaches that allow the manufacturer or any attacker to decrypt the data. PHR device manufacturers should also not rely on third-party encryption or security schemes that are not well studied or accepted, and should include encryption experts in projects of this nature.
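As an added illustration (not code from the paper or from either vendor), the two designs side by side in Python: a constructed placeholder stands in for the manufacturer's fixed secret, and a stdlib-only HMAC-SHA256 counter-mode stream cipher with an HMAC tag stands in for the AES-GCM a production device would use. It shows that under the common-key design the stored record opens with the vendor secret whatever the user's password is, while under the per-user design only the key derived from that password opens it.

```python
import hashlib, hmac, os
from typing import Optional, Tuple

# Constructed placeholder standing in for the manufacturer's fixed database
# password described in the paper; the real value is not on the page.
VENDOR_COMMON_KEY = b"PLACEHOLDER-fixed-vendor-secret"

def derive_keys(secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> 32-byte encryption key and 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(secret, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def open_blob(secret: bytes, blob: bytes) -> Optional[bytes]:
    """Return the record, or None when the secret is wrong or the blob was altered."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(secret, salt)
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def common_key_design(record: bytes, user_password: str) -> bytes:
    """The paper's flawed design: the user's password only gates the viewer
    application and never enters the encryption, which uses the vendor key."""
    del user_password  # checked by the viewer app, irrelevant to the stored data
    return seal(VENDOR_COMMON_KEY, record)

def per_user_design(record: bytes, user_password: str) -> bytes:
    """The recommended design: the key is derived from the user's own password."""
    return seal(user_password.encode("utf-8"), record)
```

The salt is stored with the record, so the per-user design needs no vendor-held secret at all; the cost is that a forgotten password genuinely loses the data, which is the trade-off the paper's recommendation accepts.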

Comments

The Health Insurance Portability and Accountability Act (HIPAA) was put in place to monitor and regulate the security and privacy of patient data in hospitals, clinics, and other healthcare-related professional settings. With the movement towards a patient-centric care model, patients have more power than before to control their own medical data, but the security of storing and viewing such data is becoming a major concern, as the general public often has to rely on vendors, who may be less regulated, to provide the products they use to manage personal health data.

Not everyone understands encryption schemes, and consumers often rely on manufacturers to secure their data. While setting up a password seems like a secure way of protecting stored information, the mechanisms underneath it can weaken that protection. We cannot expect the general public to be well-versed in encryption algorithms, so the responsibility falls back on the vendor. Regulation and certification of products that store and manage personal health records may be necessary to ensure the quality of the technologies used.

Even when the vendor applies security mechanisms properly, the public also needs education on choosing a strong password (e.g., a long password with a mixture of symbols, numbers, and letters).

Conclusion

This study also raises some interesting questions that may stir up philosophical debate. The manufacturer set up its encryption so that, if a customer forgets his or her password, the manufacturer can help decrypt the data, but this also gives the manufacturer complete access to the customer's full medical record. Does the manufacturer have the right to do this? Should it notify the customers? How much access does the manufacturer have to each person's record? First, access authorization must be clearly laid out in a legal agreement; second, it may also be necessary to de-identify some PHI, even for the PHR product manufacturer, in this scenario to further protect individual privacy.