I am going to use AES_ENCRYPT() and AES_DECRYPT() to store patient data in an EMR system, and I was wondering how to store the key. I need to be able to allow authorized users access to that key in order to decrypt and read the data that is stored in the patient's record. How can I easily share a key with many users, but keep that key secure? Any thoughts or examples are appreciated.
- Please describe what the access to your app looks like. Is it web-based? Closed system? What aspect of security: data or authorized access? (BTW, a nice option would be to store the AES key for each patient on a personal ID chip card.) – Michal Apr 11 '12 at 00:44
- It is a web-based application which allows users to log into the system. Physicians can view detailed (encrypted) patient info and receptionists can only view basic (unencrypted) patient info. I need to be able to allow certain physicians to view particular patients. – Apr 11 '12 at 00:47
- Have you looked into what HIPAA involves to comply with? No small task... – ceejayoz Apr 11 '12 at 00:52
- Well, this is not only a security but also a privacy issue. Store the key in a chip card and add user privileges to different roles (physician, receptionist). – Michal Apr 11 '12 at 00:54
- The keys should be stored securely. If you do not trust your database, is there another place that you trust where you can store the keys? They need to be stored *somewhere*. – Andrew Savinykh Apr 11 '12 at 01:25
1 Answer
The standard way to do this is to create a "system" key for each patient, and use that key to encrypt that patient's data. Do not share that key with the patient, or with any of the users.
When a user enrolls in the system, use the password to create a "user" key for that user. (For example, take the SHA-256 hash of the user's password.) Do not store the user's password on the system.
Then, when the user is authorized to access a patient's data, encrypt that patient's system key with the authorized user's key and save the encrypted key in the user's account. If the user is authorized to access additional patients' records, repeat this process for each patient's system key.
Finally, when an authorized user wants to access the patient's data, s/he enters his or her own password, which is used to decrypt the patient's system key, which in turn is used to decrypt the patient's data.
When a user wants to change his/her password, you must decrypt each of the system keys that are associated with that account, and then re-encrypt them using the new password.
Disclaimer: Security is Hard* and I am not a cryptographer. In addition, the law may require that patient data be encrypted and otherwise protected according to certain standards. Before you implement any security system, consult an expert, and never under any circumstances create your own security scheme, especially where financial, medical, or other critical information is concerned.
*Bruce Schneier, Chief Security Technology Officer, BT

- Where will the patient's system key be stored? If we are to store it in the database, it defeats the purpose if the database can be accessed. – iWantSimpleLife Apr 11 '12 at 01:06
- @iWantSimpleLife: Right. That's exactly why security is hard, and why you shouldn't trust your system's security to someone on StackOverflow. :-) You could encrypt the system key with some "master" key that only the application itself can access, but sooner or later there must be an "ultimate" key, which must be protected. Key management is often the most difficult--and weakest--part of a security implementation. Consult the experts. – Adam Liss Apr 11 '12 at 01:14