Question

I am going to use AES_ENCRYPT() and AES_DECRYPT() to store patient data in an EMR system, and I was wondering how to store the key. I need to be able to allow authorized users access to that key in order to decrypt and read the data that is stored in the patient's record. How can I easily share a key with many users, but keep that key secure? Any thoughts or examples are appreciated.


Solution

The standard way to do this is to create a "system" key for each patient, and use that key to encrypt that patient's data. Do not share that key with the patient, or with any of the users.

When a user enrolls in the system, use the password to create a "user" key for that user. (For example, take the SHA-256 hash of the user's password.) Do not store the user's password on the system.

Then, when the user is authorized to access a patient's data, encrypt that patient's system key with the authorized user's key and save the encrypted key in the user's account. If the user is authorized to access additional patients' records, repeat this process for each patient's system key.

Finally, when an authorized user wants to access the patient's data, s/he enters his or her own password, which is used to decrypt the patient's system key, which in turn is used to decrypt the patient's data.

When a user wants to change his/her password, you must decrypt each of the system keys that are associated with that account, and then re-encrypt them using the new password.


Disclaimer: Security is Hard* and I am not a cryptographer. In addition, the law may require that patient data be encrypted and otherwise protected according to certain standards. Before you implement any security system, consult an expert, and never under any circumstances create your own security scheme, especially where financial, medical, or other critical information is concerned.

*Bruce Schneier, Chief Security Technology Officer, BT

Licensed under: CC-BY-SA with attribution