A privacy-preserving solution for storage and processing of personal health records against brute-force attacks

Abstract

There is a crucial need for protecting patient's sensitive information, such as personal health record (PHR), from unauthorized users due to the increase in demands of electronic health records. Even though cryptography systems have been signi cantly developed, cyber attack is dramatically increased during the last couple of years. Although using high entropy passwords in the encryption methods can decrease the success of an adversarial attack, it is not popular among the users to choose such passwords. However, using a weak password makes the system vulnerable to brute-force attacks. Towards this end, we present a new framework as a solution for a secure storage of PHR data regardless of the password entropy. Our system is an application of Honey Encryption (HE) scheme which is a new approach that provides a security beyond the brute-force bound and therefore dominates the Password Based Encryption (PBE). We utilize almost 10K patients' information from various datasets in order to construct a precise encoder/ decoder model as a core element of HE. By providing the proposed model, we ensure that the encryption with invalid keys yields a valid-looking but incorrect health information of a patient to an adversary. The previous applications of HE are mainly on the static datasets that are not changing over the time. However, we were able to design an HE based model on a highly dynamic dataset of PHR. To the best of our knowledge, we are the rst to provide a robust password based framework against brute-force attacks of health records regardless of the password entropy. The results of the comparing our proposed encoding method with the direct application of the PBE scheme show that it is almost impossible for an adversary to eliminate any wrong password. We also consider real-life scenarios for di erent attacks with side information about a patient's health related attributes. We implement a robust and concrete framework for storing and processing the PHRs that is also a novel, practical solution for protecting PHR data.