Send to:

Choose Destination
See comment in PubMed Commons below
J Am Med Inform Assoc. 2007 Jul-Aug;14(4):397-9. Epub 2007 Apr 25.

Encryption characteristics of two USB-based personal health record devices.

Author information

  • 1Department of Medical Informatics and Clinical Epidemiology, Oregon Health & Science University, 3181 Sam Jackson Park Rd., Portland, OR 97239, USA.


Personal health records (PHRs) hold great promise for empowering patients and increasing the accuracy and completeness of health information. We reviewed two small USB-based PHR devices that allow a patient to easily store and transport their personal health information. Both devices offer password protection and encryption features. Analysis of the devices shows that they store their data in a Microsoft Access database. Due to a flaw in the encryption of this database, recovering the user's password can be accomplished with minimal effort. Our analysis also showed that, rather than encrypting health information with the password chosen by the user, the devices stored the user's password as a string in the database and then encrypted that database with a common password set by the manufacturer. This is another serious vulnerability. This article describes the weaknesses we discovered, outlines three critical flaws with the security model used by the devices, and recommends four guidelines for improving the security of similar devices.

[PubMed - indexed for MEDLINE]
Free PMC Article
PubMed Commons home

PubMed Commons

How to join PubMed Commons

    Supplemental Content

    Full text links

    Icon for HighWire Icon for PubMed Central
    Loading ...
    Write to the Help Desk