Could Fully Homomorphic Encryption be the breakthrough solution the healthcare industry needs to protect sensitive data from escalating cyber threats? Andrei Stoian, ML Director at Zama, discusses…
There’s no question that the healthcare industry has become a prime target for cybercriminals, with organisations facing cyber threats that are escalating both in numbers and sophistication.
Thanks to the vast amount of sensitive patient data and the criticality of operations, it’s perhaps not surprising to learn that healthcare features in the top 3 most attacked industries in Q2 of 2024 at approximately 1,999 attacks per week. Not only is this figure 15% higher than last year, but there have also been several recent cyber attacks prominent enough to feature in the news.
Just this May in the UK, a ransomware group published over three terabytes of data stolen from NHS Dumfries and Galloway on the dark web. The type of data that had been stored about staff meant an increased risk of identity theft, with staff now advised to be on their guard.
Shortly following this case, another ransomware attack on the pathology services provider Synnovis caused significant disruptions in healthcare services, affecting major London hospitals. Since the attack began on June 3rd, a total of 1,696 elective procedures and 10,083 outpatient appointments have been delayed, affecting many patients who were scheduled for important medical care.
Cases such as these aren’t exclusive to the UK either. Last year the 23andMe cyber attack dominated headlines, with hackers gaining unauthorised access to the personal genetic information of nearly 7 million people, while the Change Healthcare data breach in February this year is estimated to have impacted approximately one-third of Americans and cost the parent company between $2.3 billion and $2.45 billion in 2024.
The incidents really highlight how serious the impact of a cyberattack can be, not only on patient care and staff security, but also on a company’s bottom line. The reputation of healthcare providers is also at risk. When patients believe their confidential information is not adequately protected, trust in the healthcare system simply erodes. And when patients may become hesitant to share sensitive information with their healthcare providers, the quality of care they receive could be compromised.
Thankfully, however, the cases I’ve mentioned are also driving healthcare organisations to become more vigilant about cybersecurity, with many looking at a range of strategies and technologies to protect sensitive patient data and ensure the continuity of care.
Advantages of adopting advanced encryption technologies
One of these technologies in question, amongst other cybersecurity tools including multi-factor authentication (MFA) and intrusion detection/prevention systems (IDS/IPS) – is encryption.
The healthcare industry has been using traditional encryption methods – where you essentially lock up your data in a secure “box” (the encrypted form) using a key – for some time now. However, the problem with this comes when you need to do anything useful with the data, like performing calculations or searches, in which case you must first “unlock” or decrypt it using the key. Once decrypted, the data is vulnerable, and if someone gains access to it during this phase, privacy is compromised.
Fully Homomorphic Encryption (FHE), however, is emerging as an encryption technology capable of providing unprecedented protection for healthcare data. Unlike traditional encryption methods, FHE allows computations to be performed directly on encrypted data. This means that patients’ electronic health records, genetic data, medical images, lab results, and other sensitive patient data, can be processed without ever exposing the raw data to potential attackers. Two specific FHE-based solutions have been recently developed within the Zama Bounty Program exploring the application of Machine Learning to DNA testing, proving that it is possible to build genetic testing applications that are encrypted end-to-end.
As well as ensuring personal health information remains confidential throughout its lifecycle, from storage to analysis, there are several additional advantages to implementing encryption technologies like FHE in the healthcare sector including:
- Compliance with regulations: FHE facilitates compliance with stringent data protection regulations, such as GDPR in Europe or HIPAA (Health Insurance Portability and Accountability Act) in the US, by minimising the risk of data exposure. These regulations mandate the protection of patient information and encourage encryption as a safeguard against data breaches. In other words, FHE gives all institutions the superpower of full legal compliance by design by completely eliminating the risk of data breach.
- Secure data sharing: With FHE, medical organisations can perform computations directly on encrypted data, allowing them to securely share or collaborate on research, diagnosis, and treatment planning without the risk of exposing sensitive patient information. Essentially, FHE acts as a secure intermediary; allowing multiple parties to work with sensitive data without compromising its privacy opens up new possibilities for deriving valuable insights from healthcare data, all while adhering to stringent legal requirements.
- Fostering trust among healthcare providers and institutions: Streamlining the research and decision-making process, FHE fosters trust among healthcare providers and institutions, encouraging active participation in improving patient care.
- Improving patient-provider relationships: Patients are more likely to actively engage in managing their health when they know their sensitive information is protected. The trust established through FHE ensures that patients feel comfortable sharing their health-related data with healthcare professionals, leading to improved communication and better healthcare outcomes.
- Mitigation of insider threats: Since data remains encrypted even during processing, the risk posed by malicious insiders, as well as outsiders, is significantly reduced, as they cannot access or interpret the sensitive information either.
Challenges with implementing Fully Homomorphic Encryption in healthcare settings
Implementing FHE in healthcare settings seems like a no-brainer – and the healthcare industry is in fact currently exploring ways to integrate FHE into existing systems and workflows to maximise its benefits.But there are hurdles to overcome. The computational overhead historically associated with FHE, for example, has been shown to slow down data processing and analysis. Cryptography and computer science experts across academia and industry are currently working on developing faster and more practical FHE implementations by releasing cutting-edge software tools and hardware acceleration.
With these advancements, the end goal is to make FHE more accessible for real-world healthcare scenarios and to finally protect sensitive patient data once and for all.
About the author
Andrei Stoian, PhD, is head of the machine learning team at Zama. His main responsibility in this role is to oversee the development of Concrete ML, Zama’s privacy preserving machine learning toolkit based on fully homomorphic encryption. In the past, Andrei worked on machine learning tools and algorithms for video analytics and satellite image processing on embedded systems. Andrei has co-authored more than 20 papers about machine learning applications and holds several patents.
