Most senior-level decision makers in the UK hospital sector will be all too aware of how significant a target the healthcare industry has become for cybercriminals. Advanced encryption could hold the key to protecting sensitive data at the point of processing, writes Andrei Stoian.


Cybercriminals are not only attracted by the vast amount of valuable patient data and the healthcare sector’s reliance on outdated, disparate digital systems. The potential for immediate and severe impacts on patient care makes ransom demands highly lucrative too, as attacks are likely to be addressed quickly.

These factors combined see healthcare endure a shocking 1,999 attacks per week, featuring in the top 3 most attacked industries in Q2 of 2024. While it’s important to note that not all attacks are successful, those that are can have devastating consequences both on patient care and staff security, and on a company’s reputation and bottom line.

The Change Healthcare data breach, which took place only in February this year, is estimated to have cost the parent company between $2.3 billion and $2.45 billion in 2024, impacting approximately one third of Americans.

In the UK, we’ve also seen a number of significant successful attacks on the healthcare system of late. Just as a ransomware group was publishing over three terabytes of data stolen from NHS Dumfries and Galloway on the dark web this May – leaving staff with an increased risk of identity theft – another ransomware attack, on the pathology services provider Synnovis, closely followed. This caused significant disruptions across a number of major London hospitals, including the delay of 1,696 elective procedures and 10,083 outpatient appointments.

With cases such as these increasing in their frequency, sophistication and severity, healthcare leaders deploying traditional technologies to protect sensitive patient data are starting to wonder if it’s enough.


Advanced encryption technologies

Right now, a range of cybersecurity tools are being used across the healthcare system – think multi-factor authentication (MFA), intrusion detection/prevention systems (IDS/IPS), email filtering and anti-phishing tools, endpoint protection and traditional encryption methods.

These tools undoubtedly help healthcare organisations mitigate the growing threat of cyberattacks. However, challenges clearly remain, and no one tool should be used in isolation. With third-party risks, legacy systems to contend with and, of course, human error, a comprehensive cybersecurity strategy that integrates a full suite of tools and protocols is needed.

That being said, some of the challenges lie in the tech itself. Take encryption, for example. It’s a long-used method that involves data being locked up in a secure “box” (the encrypted form) using a key. Data is 100 per cent secure until it’s decrypted, which has to happen if you need to do anything useful with it, like performing calculations or searches. At this point, the data is vulnerable, and if someone gains access to it during this phase, privacy is compromised.

Thankfully, advances in encryption technology are being worked on right now. Fully Homomorphic Encryption (FHE) is an emerging encryption technology that allows computations to be performed directly on encrypted data, effectively eliminating the possibility of data breaches.

Unlike traditional encryption methods, patients’ electronic health records, genetic data, medical images, lab results, and other sensitive patient data can be processed without ever exposing the raw data to potential attackers.

Ensuring data remains encrypted even during processing reduces the chances of malicious actors – whether insiders or outsiders – accessing or interpreting sensitive information. One of its primary benefits is secure data sharing: because medical organisations can perform computations directly on encrypted data, they can collaborate on research, diagnoses, and treatment plans, all without risking the exposure of sensitive patient information. This opens up new possibilities for extracting valuable insights from healthcare information. Deploying FHE in an organisation is also a big step towards privacy regulation compliance, helping to adhere to stringent data protection regulations, such as GDPR.
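
The idea of computing on data that stays encrypted, shown as an added example (not from the article or from Zama's tools): a toy Paillier scheme in Python, which supports only addition on ciphertexts and is therefore a simpler relative of FHE, not FHE itself. The primes, the sample readings and all function names are constructed for illustration, and the key is far too small for real use.

```python
import math
import secrets

# Toy Paillier: additively homomorphic only (NOT fully homomorphic).
# Demo primes are the Mersenne primes 2^31-1 and 2^61-1: far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    mu = pow(phi, -1, n)          # inverse exists because gcd(phi, n) == 1
    return n, (phi, mu)           # public key n, private key (phi, mu)

def encrypt(n, m):
    """Encrypt integer 0 <= m < n with fresh randomness r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n2) % n2   # (1+n)^m * r^n mod n^2

def decrypt(n, priv, c):
    phi, mu = priv
    x = pow(c, phi, n * n)
    return (x - 1) // n * mu % n

def add_encrypted(n, c1, c2):
    """Ciphertext of m1 + m2, computed without any key material."""
    return c1 * c2 % (n * n)

def aggregate(n, ciphertexts):
    """Run by the untrusted party: sums readings it cannot read."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = add_encrypted(n, total, c)
    return total

def demo():
    n, priv = keygen()
    # Constructed sample readings (glucose, mmol/L x 10) from two hospitals.
    hospital_a, hospital_b = [54, 61, 72], [49, 88]
    cts = [encrypt(n, m) for m in hospital_a + hospital_b]
    enc_total = aggregate(n, cts)             # aggregator never decrypts
    return decrypt(n, priv, enc_total), len(cts)

if __name__ == "__main__":
    total, count = demo()
    print("sum:", total, "mean:", total / count / 10)
```

Only the holder of the private key sees the total; the aggregating party handles ciphertexts alone, and two encryptions of the same reading differ because each uses fresh randomness.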

With these capabilities, FHE also helps foster trust among healthcare providers and institutions by streamlining research and decision-making processes. For patients, knowing their sensitive information is secure increases their willingness to engage with their healthcare, and increased trust between patients and providers can only mean much better healthcare outcomes in the long run.


Implementing FHE in healthcare settings

FHE is undoubtedly an exciting advancement at a time when the industry faces growing challenges around data security. With the increasing frequency and sophistication of cyberattacks, as well as stricter regulatory demands, the ability to actually process sensitive information all while keeping it encrypted could revolutionise how healthcare organisations handle patient data.

However, implementing FHE at scale requires substantial computational power, and the technology is still in the developmental stages when it comes to efficiency and performance. Avoiding delays or complications is particularly important in a setting such as healthcare, where speed is critical.

Right now, the healthcare industry is actively exploring ways to integrate FHE into existing systems and workflows to maximise its benefits. Cryptography and computer science experts across academia and industry are also currently working on developing faster and more practical FHE implementations by releasing cutting-edge software tools and hardware acceleration.

With these advancements – alongside training healthcare professionals and IT teams so they can understand how to use FHE effectively – the technology could be a game-changer for protecting sensitive medical information in what is an increasingly data-driven field.

My advice for the UK’s hospital leaders is to closely monitor developments in FHE and begin preparing their organisations for its eventual adoption. Whether it’s assessing how FHE could fit into current systems, conducting pilots, or simply ensuring staff are trained on its use and regulatory implications, now is the time to get informed and be proactive.


Andrei Stoian, ML Director at Zama
Andrei Stoian, PhD, is head of the machine learning team at Zama. His main responsibility in this role is to oversee the development of Concrete ML, Zama’s privacy preserving machine learning toolkit based on fully homomorphic encryption. In the past, Andrei worked on machine learning tools and algorithms for video analytics and satellite image processing on embedded systems. Andrei has co-authored more than 20 papers about machine learning applications and holds several patents.