Microsoft, the renowned software giant, has warned that many types of databases used to store medical records are not spill-proof. Its study, which involved real patient records from 200 U.S. hospitals, indicated that these types of databases are vulnerable to leaking information despite being encrypted.
A whitepaper related to the study will be presented at the ACM Conference on Computer and Communications Security next month, and will show how sensitive medical information of patients could be pilfered with the help of 4 diverse cyber attacks. The sensitive data includes gender details, race, age and admission information like contact details, house address, social security number and such.
The researchers involved in this study focused on encrypted relational databases based on the design of CryptDB, which allows SQL queries to be performed on scrambled data. In such databases, property-preserving encryption (PPE) schemes are used to make the encrypted data searchable, and this practice has made the systems more vulnerable to data spill.
According to the whitepaper, which will be briefly available to the media ahead of its official release, the researchers have found that CryptDB-based systems are often used by organizations because few changes are required to the legacy database infrastructure and they run on encrypted data in the same way as they operate on plaintext data.
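Deterministic encryption is one kind of property-preserving scheme: equal plaintexts always produce equal ciphertexts, which is what lets an equality query run on scrambled data. The sketch below is an added example, not code from the whitepaper or from CryptDB; it uses HMAC tokens as stand-ins for the two encryption modes and a constructed sample column to show a check a database owner can run to see whether an encrypted column still exposes the value distribution of its plaintext.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = os.urandom(32)  # constructed demo key, generated per run

def det_token(value: str, key: bytes = KEY) -> bytes:
    """Stand-in for deterministic encryption: same input, same output."""
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def rnd_token(value: str, key: bytes = KEY) -> bytes:
    """Stand-in for randomized encryption: a fresh nonce per row."""
    nonce = os.urandom(16)
    tag = hmac.new(key, nonce + value.encode(), hashlib.sha256).digest()
    return nonce + tag

def histogram_shape(column) -> list:
    """Counts of each distinct value, largest first; the values are dropped."""
    return sorted(Counter(column).values(), reverse=True)

def equality_leak(plain, cipher) -> bool:
    """True when the ciphertext column keeps the plaintext's count profile."""
    return histogram_shape(plain) == histogram_shape(cipher)

# Constructed sample column (hypothetical data, not from the study).
SAMPLE = ["F"] * 6 + ["M"] * 3 + ["U"] * 1

def audit(column=SAMPLE) -> dict:
    """Report, per mode, whether the encrypted column leaks equality."""
    det = [det_token(v) for v in column]
    rnd = [rnd_token(v) for v in column]
    return {
        "deterministic": equality_leak(column, det),
        "randomized": equality_leak(column, rnd),
    }

if __name__ == "__main__":
    print(audit())
```

Columns that report a leak are the ones to review first when deciding which fields need server-side equality search at all and which can be stored under randomized encryption.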
Generally, the storage industry has traditionally assumed that encryption makes a database or data storage appliance highly secure against any kind of cyber attack. This is because, if the data gets spilled, the hackers would need the decryption keys, which are closely protected, to read it.
But what the Microsoft researchers have discovered in their study is that encrypted information gets decrypted in computer memory, which is dangerous if cyber attackers can get access to a server cache.
Although the researchers focused on databases with electronic medical records, the attacks would likely be successful against human resource or accounting databases, as those systems often store the same kind of demographic data.
The healthcare industry is highly vulnerable to cyber crime, and the best instance is the latest one, where Anthem, one of the largest US health insurers, was targeted in a data breach in Feb 2015 that exposed the data of 80 million people to the world. The attack was carried out by a China-based group nicknamed Deep Panda.
About a month later, health insurer Premera said customer data, including bank account and clinical data going back to 2002, may have been compromised in an attack, affecting over 11 million people.
Thus, all those IT teams managing the databases of healthcare organizations should beware that all databases are vulnerable to cyber crime, despite encryption. So, better keep an eye on the activities taking place at the server and storage level.