Securing EHRs: fusion of cryptographic techniques and legal approach

Given the sensitivity of health data and the drastic implications of it being compromised, Harsh Bajpai and Pranav Bhaskar Tiwari analyse that a remedy for these risks would include both technical – like standards of encryption, as well as regulatory solutions – like the implementing authority and improvements in healthcare infrastructure

With the advent of the Internet of Things (IoT) in the healthcare sector, the transmission of sensitive personal data of both patients and doctors is a daily routine. Thousands of apps monitor a variety of health data – sleeping patterns, mental health, heart rate, cholesterol levels. This enables individuals to get more accurate, real-time and varied nature of data instantly.

Apart from commercial apps, the Government of India has launched several healthcare schemes like Ayushmaan Bhaarat, National Rural Health Mission, Integrated Disease Surveillance Programme and the Health Management Information System (IDSP-HMIS) among others. These are aimed towards collecting data for targeted interventions and predictions at the national, state and local level to better respond to healthcare emergencies.

Given the sensitivity of such data and the drastic implications of it being compromised, utilising encryption technology to ensure the privacy and security of the users is a promising way forward.

A mega breach

Greenbone Sustainable Resilience, a German company, providing Vulnerability Management services across the globe in sectors including healthcare, revealed in a report about the number of exposed servers and medical images disclosing 1.19 billion patient scans. In India, DICOM (Digital Imaging and Communications in Medicine) – a file format is used to store and share medical images – X-Ray, CT scan, MRIs along with personally identifiable information (PII) of the patient. The PII compromised ranges from the name, DOB, clinic, health details, to images, investigation results etc. It is these medical images amounting to 104,120,549 which are exposed to risk, specifically in India. According to the said report, India ranks second only to the United States, in terms of the number of Electronic Health Records which are at risk.

A security researcher has even identified specific hospital servers also called PACS (Picture Archiving and Communication Systems) which allow unprotected access to the DICOM archive, like QTRS Hospital, Krishnagiri, K.G.M. Hospital, etc. The said security researcher could easily access the archive by typing a usual/common username and password “admin: admin” to access all the patients’ healthcare records.

Risk model

Now, let us extrapolate the possible repercussions which might be faced if such personal data is misused. First, one’s medical data can be weaponised in the sense that any malicious actor can use the sensitive information to threaten, or influence individuals in order to extort money, or disparage someone by false or real additional data or exploit individuals who are in the public eye. Second, the malicious actor can use one’s information to obtain a medical service or gain access to a counterfeit settlement against health insurers – termed as ‘Medical Identity theft’. Third, the Electronic Health Records (EHRs) can be used to facilitate financial fraud by creating credit cards or bank profiles as much financial information is stored along with the medical reports (which includes medical images), and bills. Fourth, the contact details mentioned alongside EHR can be used to commit phishing scams. An open or weakly protected PACS server communicates with a network of IP-enabled devices via the DICOM Protocol, and a mere network scan can potentially reveal worthwhile targets for the attacker and jeopardise the privacy and security of millions.

In the specific context of medical imaging, Israeli researchers announced in 2018 that they developed a malware which can fool doctors by adding tumours into CT and MRI scans. To put things in perspective, critics wondered whether Hillary Clinton was fit for office when she was detected with pneumonia after excessive coughing in the 2016 U.S. Presidential race. With the above said malware, her medical scans could even have shown fake malignants or cancerous nodes leading to further misinformation about Clinton. The malware could be installed on a hospital’s PACS Network or any other centralised repository where all the health information is stored. Thus, breach of data could not only lead to loss of personal information but also create a political battle.

Any strategy to remedy the above said risks would include both technical – like standards of encryption, as well as regulatory solutions – like the implementing authority and improvements in healthcare infrastructure.

Technical measures: Cryptographic solutions

Web browsers and networks like PACS are some of the most frequently used services by hospitals and clinics. Thus, the data mentioned above is especially vulnerable to exploitation through man-in-the-middle attacks for example, where an attacker intercepts encrypted communications & information and is then able to decrypt it by stealing a private key. India, among other countries is pushing towards Transport Layer Security (TLS) 1.3 which is a secure advanced encryption protocol, being debated by the Internet Engineering Task force [IETF], which should be promoted nationwide.  TLS 1.3 coupled up with Forward Secrecy, involves generating a new set of encryption keys for every layer of information shared each time. Encrypting the transmission layer will ensure that even if a particular set of information is exploited, the past information remains secure and the level of potential damage would be restricted.

Deploying Zero-Knowledge Proofs or Zero Knowledge systems is the natural second step. Such systems employ protocols which make probabilistic assessments, which means they prove unlinkable information that can cumulatively or individually show the validity of an assertion – in simple terms, the server has ‘zero-knowledge’ of the data. For example, the website operator can verify that a user is above 18 years of age without learning the user’s actual birthdate. In July 2019, the Defence Advanced Research Projects Agency (DARPA) announced a new initiative called Securing Information for Encrypted Verification and Evaluation that aims to adapt zero-knowledge proofs. Utilising advanced encryption protocols and zero knowledge systems is a crucial technical measure to ensure security of sensitive health data.

Regulatory approaches

One of the key facets of Digital Information Security in Healthcare Act (DISHA) is to ensure privacy, confidentiality, and security of digital health data. However, such measures would be only implementable once the guidelines are formulated by the appropriate authority. The following regulatory approaches typify the healthcare infrastructure inequities and simultaneously provide solutions:

While Clause 24 of the Personal Data Protection Bill, 2019 prescribes use of ‘encryption’ to ensure user privacy and data integrity, there is scope for the sectoral regulator, in this case the National Medical Commission, to prescribe the standards for securing health data. Ideally, the encryption standards should be made for both ex-post deployment of medical devices and ex-ante at the designing stage. Clear design standards can help to provide frameworks around Fairness, Accountability and Transparency (FAT norms).

Often the hospitals themselves are not aware what vulnerabilities their internal systems are susceptible to. Accordingly, there is scope for medical device manufacturers to collaborate with cybersecurity professionals, wherein the latter can report potential vulnerabilities, and the former can then assess, disclose and mitigate the potential cybersecurity vulnerabilities identified. This will enable the dissection of the healthcare ‘black-boxes’ and promote transparency reporting mechanisms in the sector

A sector like healthcare faces the dilemma of whether to allocate resources for more oxygen cylinders, operation beds, surgical instruments, necessary for a patient or invest in cybersecurity which will protect their privacy. In absence of the required staff, doctors and nurses will be overburdened to identify a hacked device and report it to the concerned authority. Also, in the event of a hardware or a software failure the hospitals require not only a dedicated IT infrastructure team to repair and restart the systems but also immediately gauge the potential risks of exposure of any information. There is a need for regulatory intervention mandating the appointment of cybersecurity professionals in the healthcare sector as a norm and not as a luxury to ensure privacy and security of all.

The key to securing sensitive health data is prescribing the use of encryption technology as a norm in the healthcare sector and identifying cybersecurity as a key responsibility of the healthcare sector in the internet age.

(Harsh Bajpai is a Doctoral Candidate & Part-Time Tutor at Durham University, UK and Pranav Bhaskar Tiwari is a Programme Manager at The Dialogue, India)