Who should be at the root of protecting the nation's healthcare data?

Greg Machler explains why there's a need for a root key for the national healthcare database

What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldn't be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.


If the United States moves to a national healthcare database, medical information will need to be accessed by hospitals, medical clinics, mental health clinics, pharmacies, medical researchers, government health care organizations and other medical institutions. The real question is: Who will decide what information should be accessed? Once the policy decision is made, how will the CISO enforce it?

There are some technological complications related to protecting the data. If the government opts to let the user manage who has access to data, how is that process enabled via technology? Would there be a national health care portal that allows an individual to define who can access certain portions of their data or would the national, state, and/or health care institution negotiate that access?


Data protection of the medical information requires use of encryption and a key or keys. All encryption that is used to protect data requires a root key. In the financial-services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power.

A national database of medical data requires policy decisions and then technology the enable that policy. It will be difficult to determine who has access to different portions of health care data. Once the health care data access policies are complete, access rules will be created to enforce who has access to the data and encryption will be used to protect the data. But, because encryption with certificates requires a root key, the institution owning the key will have great power.

Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregory Machler

Latest Videos

More videos

Blog Posts