Encryption Characteristics of Two USB-based Personal Health Record Devices
- Affiliations of the authors: Department of Medical Informatics and Clinical Epidemiology, Oregon Health & Science University(AW, DFS), Department of Medical Informatics, Northwest Permanente, PC (DFS), Portland, OR
- Correspondence and reprints: Adam Wright, Department of Medical Informatics and Clinical Epidemiology, Oregon Health & Science University, 3181 Sam Jackson Park Rd., Portland, OR 97239; e-mail: <wrightad{at}ohsu.edu>
- Received 15 December 2006
- Accepted 13 April 2007
Abstract
Personal health records (PHRs) hold great promise for empowering patients and increasing the accuracy and completeness of health information. We reviewed two small USB-based PHR devices that allow a patient to easily store and transport their personal health information. Both devices offer password protection and encryption features. Analysis of the devices shows that they store their data in a Microsoft Access database. Due to a flaw in the encryption of this database, recovering the user’s password can be accomplished with minimal effort. Our analysis also showed that, rather than encrypting health information with the password chosen by the user, the devices stored the user’s password as a string in the database and then encrypted that database with a common password set by the manufacturer. This is another serious vulnerability. This article describes the weaknesses we discovered, outlines three critical flaws with the security model used by the devices, and recommends four guidelines for improving the security of similar devices.
