In the digital age, data is often referred to as the new oil. Its value lies in the insights it can yield, particularly when it comes to healthcare, where data can help detect diseases, predict patient outcomes and help health professionals personalize treatments. But with the increasing digitization of sensitive health information, there are legitimate concerns about privacy and security. Healthcare organizations manage growing amounts of digital patient data that help ensure the information is available to caregivers across various organizations, but that data is always in great peril. Cyber attackers are after health records, PHI, the platforms that process data and healthcare organizations themselves, gaining leverage with data theft and disruptive ransomware attacks, to name a few.

Keeping data confidential can be achieved with different types of encryption. However, each encryption scheme can be suitable in certain scenarios and less so in others. When it comes to health information, there is a necessity to exchange data with external parties, where they would have to access the data and also perform analyses on it so that the desired insights can be shared. How can we ensure that patient data remains confidential when it’s sent to third-party service providers for analysis?

One potential solution lies in homomorphic encryption (HE). This post will take a closer look at what HE is, and how it can be used to help better secure healthcare data in today’s increasing demand for scale and advanced analytics.

What is homomorphic encryption?

Homomorphic encryption is a cryptographic method that allows computations to be performed on encrypted data without needing to decrypt it first. In other words, HE enables third-party service providers to process encrypted data and return the encrypted result, without ever seeing the sensitive data in its unencrypted form.

Imagine you have a secret number (let’s say 5), and you want to multiply it by 2. With HE, you can encrypt the number 5 into a cipher, for example, ‘abc’, and send it to a service provider. They will multiply ‘abc’ by 2 (resulting in ‘abcabc’) and send it back. You can then decrypt ‘abcabc’ and get the result, 10, without the service provider ever knowing the original number. This principle applies to highly complex operations that must be performed on data, all the while keeping it confidential and taking away the typical leverage attackers can have when they manage to exfiltrate health records from providers across the globe.

Thinking homomorphic encryption for healthcare data

Healthcare breaches are by far the costliest breaches for the 13th year running. While the average cost of a data breach, according to IBM and the Ponemon Institute, is $4.45 million across all sectors, healthcare breaches average $10.93 million. The cost of healthcare breaches has also risen more than 53% since 2020. In many cases, organizations suffered the loss of confidential data on top of the disruption caused by a sprawling ransomware infection.

Beyond just data, another effect of cyberattacks on healthcare providers has been the theft of highly sensitive patient images. In one case in March 2023, a patient, whose nude medical images were obtained by cyber criminals, sued her healthcare provider for not paying a ransom to prevent the images from eventually being published by the attackers. In a June 2023 case, the BlackCat ransomware gang threatened to do the same with images stolen from a plastic surgery clinic in Beverly Hills. Exposures like these can be prevented with encryption, and they are great use cases for homomorphic encryption.

Here’s an example: consider a scenario involving a Service Provider (SP) that offers a classification service for chest CT imaging, capable of differentiating between conditions such as COVID-19 and pneumonia. By utilizing the capabilities of homomorphic encryption, the source organization – for instance, a hospital – can securely encrypt the original CT images and safely upload them to the SP’s system. Subsequently, the SP’s model can be evaluated over the encrypted data, all without ever needing to decrypt the images. This approach allows the hospital to take advantage of the computational power and resources of cloud services while increasing its ability to remain compliant with privacy and data protection regulations such as HIPAA and GDPR, for example.

Of course, image data is just one scenario that applies here. HE applies to any scenario where data must remain confidential through various processing, analyses and advanced analytic methods, like applying deep learning (DL) models.

Beating HE challenges for cutting-edge privacy advantage

Advancements in the application of HE are a reality, and according to a Gartner report, 50% of large enterprises are expected to adopt HE by 2025, as part of privacy-enhancing computation for processing data in untrusted environments. Indeed, benefiting from homomorphic encryption is starting to take shape across different organizations within various industries, and IBM is solving some challenges to enable favorable results with HE.

Let’s take, for example, the interaction of encrypted data with deep learning models. These models often involve complex operations and transformations on the input data, which presents certain challenges when it comes to using HE. Specifically, modern HE schemes such as CKKS (a public key encryption scheme, in which a secret key and a public key are generated) require computations to be represented as polynomials. This is because the underlying mathematics of these encryption schemes is based on operations in polynomial rings.

However, deep learning models use activation functions that are often non-linear and non-polynomial, such as ReLU (rectified linear unit) and GELU (Gaussian-error linear unit), and operations like max-pooling. These functions and operations can’t be easily translated into polynomial computations, which can pose a significant obstacle to the use of HE in deep learning. For example, the ReLU function, which is defined as ReLU(x) = max(0, x), is non-linear and can’t be represented as a polynomial. Similarly, the GELU function and the max-pooling operation are also non-linear and non-polynomial.
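To make the mismatch concrete, here is an added example (not from the original post, and not a description of how HElayers handles activations): a least-squares polynomial stand-in for ReLU, fitted on an assumed input range of [-1, 1] and evaluated with additions and multiplications only. The function names, the range and the degrees are assumptions chosen for illustration.

```python
def relu(x):
    return max(0.0, x)

def grid(lo, hi, n):
    return [lo + (hi - lo) * i / (n - 1) for i in range(n)]

def fit_poly(f, degree, lo, hi, samples=401):
    """Least-squares fit of f on [lo, hi]; returns coefficients c0..c_degree."""
    xs, d = grid(lo, hi, samples), degree + 1
    # Normal equations A c = b: A[j][k] = sum x^(j+k), b[j] = sum f(x) * x^j
    A = [[sum(x ** (j + k) for x in xs) for k in range(d)] for j in range(d)]
    b = [sum(f(x) * x ** j for x in xs) for j in range(d)]
    for i in range(d):                       # Gaussian elimination, partial pivoting
        p = max(range(i, d), key=lambda r: abs(A[r][i]))
        A[i], A[p], b[i], b[p] = A[p], A[i], b[p], b[i]
        for r in range(i + 1, d):
            factor = A[r][i] / A[i][i]
            A[r] = [a - factor * t for a, t in zip(A[r], A[i])]
            b[r] -= factor * b[i]
    c = [0.0] * d
    for i in reversed(range(d)):             # back substitution
        c[i] = (b[i] - sum(A[i][k] * c[k] for k in range(i + 1, d))) / A[i][i]
    return c

def eval_poly(c, x):
    """Horner's rule: only additions and multiplications, which HE can evaluate."""
    acc = 0.0
    for coef in reversed(c):
        acc = acc * x + coef
    return acc

def max_error(c, lo, hi):
    return max(abs(eval_poly(c, x) - relu(x)) for x in grid(lo, hi, 1001))

def report():
    """Per degree: (max error inside [-1, 1], error at x = 2, outside the range)."""
    out = {}
    for degree in (2, 4):
        c = fit_poly(relu, degree, -1.0, 1.0)
        out[degree] = (max_error(c, -1.0, 1.0), abs(eval_poly(c, 2.0) - relu(2.0)))
    return out

if __name__ == "__main__":
    for degree, (inside, outside) in report().items():
        print(f"degree {degree}: max error in range {inside:.3f}, at x=2 {outside:.3f}")
```

Raising the degree lowers the error inside the fitted range but makes the polynomial diverge faster outside it, so inputs to an approximated activation have to be kept within the range it was fitted on.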

This mismatch between the polynomial-based computations of HE and the non-linear, non-polynomial computations of deep learning models is a current-day challenge when it comes to using HE to secure deep learning computations. That said, these challenges are temporary and are being tackled by research teams even as you read this blog post. We must consider the simple reality: the old approach to data security won’t work in a future that features growing privacy regulation and increased data sharing in uncontrolled environments. HE is modernizing how we analyze encrypted data and can allow organizations to use AI and machine learning to compute encrypted data without exposing sensitive information.

In a recent paper our research team released, we propose a novel solution to this challenge. We presented the HElayers framework that acts as middleware between HE schemes, and the high-level tensor manipulation required in AI. Central to this framework is the concept of the tile tensor, which can pack tensors in a multitude of ways. The operators it supports allow users to feel like they are handling ordinary tensors directly. Moreover, the operators are implemented with generic algorithms that can work with any packing arrangement chosen internally.

Our framework is the first to report successful and practical inference over a large Neural Network, such as ResNet-152 (a convolutional neural network (CNN) architecture), over high-resolution images such as ImageNet. Today, we are in the process of extending our library to support larger and more complicated models, together with accelerating the runtime for E2E analysis.

HE is here to change the data privacy game

Cyber criminals never rest. They learn, they innovate and they continue to successfully attack organizations. Their biggest leverage is confidential data exposure. Homomorphic encryption is a game-changer for security and privacy in a new world where AI is a force to be reckoned with. On the one side, organizations collect data and analyze it to create a business edge, and on the other, nefarious attackers look to compromise that data for monetary gain or espionage.

While encryption does provide protection, and should definitely be used more often, sensitive data typically must first be decrypted to access it for computing and business-critical operations. That’s where HE offers a promising approach to maintaining privacy by enabling computations to be performed on encrypted data, ensuring that the data remains confidential even when it’s being processed by third-party service providers. This is particularly relevant in healthcare, where maintaining patient privacy is of paramount importance.

Keeping up with data protection needs

Data is one of the most critical elements in any organization and over the years data has become tied to regulatory requirements, security requirements and privacy demands. Can we really afford to continue treating data protection and privacy the same way we did 10 or 15 years ago? The world has changed considerably, attackers’ tactics and motivations keep evolving, and it is high time to adapt protection controls to the true needs of organizations that collect and process sensitive information.

An innovative technology, fully homomorphic encryption (FHE), is a solution to explore for better data privacy and confidentiality. It can help your security team achieve zero trust principles by unlocking the value of your data on untrusted domains without needing to decrypt it. Moreover, HE has been identified as a technology with significant potential in the Privacy-Preserving Machine Learning (PPML) market, which applies to a variety of sectors, beyond the healthcare data scenario. Think of its value in the financial sector, telecommunications and boosting regulatory compliance, to name a few.

The rise of HE is a testament to our growing capabilities in safeguarding sensitive data while still unlocking its potential for valuable insights. To learn more about IBM’s Fully homomorphic encryption services, please visit this page.

To learn more about the cost of a healthcare data breach, click here.
