How does End-to-End Encryption Work in Practice

Sandeep Shah
Published in medpresso · 4 min read · Sep 10, 2020

You may have come across the acronym E2EE — that’s a whole lot of E’s! You’d know from the title of this article that it stands for ‘End-to-end Encryption’.

Both medicine and technology are full of acronyms. With me as a technologist, and my wife a cardiologist, I have a vantage point for both of these worlds! With E2EE as the latest buzzword, let’s spend some time understanding it in layman’s terms.

End-to-end encryption is the key ingredient and the de facto standard in communication that should remain secure and private between two or more parties. As an example, if you send a message via email or SMS, you as the sender form one of the ‘Ends’. The party intended to receive the message is the receiver, or the other ‘End’. The information that flows between these 2 ‘ends’ is not always secure. This is obviously a problem, akin to sending a postcard via mail that anyone can read. Obviously, you wouldn’t want to include any sensitive information like bank account details in such mail items.

To address this issue, one method is to obfuscate your message before it travels from one end to the other. This is known as encryption, and it is done by software that applies a mathematical algorithm to the message. What travels from one end to the other is the encrypted message. If the methodology is too obvious, someone who intercepts the encrypted message can easily convert it back to the original message and defeat the whole purpose. So, let’s examine how this works in practice.

Typically, you’d be using some industry-standard software platform to send encrypted messages; however, if you are in a medical environment, you may be using a platform such as Skyscape’s Secure Medical Messenger, Buzz. Since the messages are encrypted using the method described herein, the sensitive information they contain is protected from prying eyes, thus making it HIPAA compliant.

All messages sent through the Buzz Secure Messenger are encrypted on the sender’s device and remain encrypted as they travel over the mobile network/Wi-Fi/Internet, through the cloud/web server, and from there on to your chat partner (say a nurse or another physician). In other words, any bad actor who intercepts the message anywhere on the networks or servers will not have a clue what the two of you are chatting about.

How is it accomplished?

For E2EE to work, it uses a concept of two keys — a public key and a private key. Every user of the software is assigned a public key and a private key. A public key, as the name suggests, is shared with anyone with whom you are going to communicate. Conversely, the private key is known only by the user and typically resides only on the user’s device.

So the public key is like your mailing address or a phone number. This is generally well known and can be easily found, say via Google search (I resisted the temptation to say ‘White Pages’ — does anyone use it nowadays?)

The private key, on the other hand, is like your key that you use to enter your home. Clearly you protect it and keep it to yourself.

A message (which could be text, voice, image, or any other kind of data) can only be viewed on either the device of the sender (using the public key + the sender’s private key) or the recipient (using the sender’s public key + the recipient’s private key).

Step-by-Step

Let’s break down the process in steps:

STEP 1. Two keys, public and private, are generated when a user opens the Secure Medical Messenger app for the first time. The encryption process takes place on your phone.

Figure 1. Public Keys for Each User are Well-known. Private keys are, well — Private.

The private key remains with the user on the phone. The public key is transmitted through the server to the receiver.

The public key encrypts the sender’s message on the phone even before it leaves your phone to reach the server.

The server is only used to transmit the encrypted message. Only the receiver’s private key can unlock the message. No third party can read the message. The beauty of this system is that it makes it impossible for the developers of the software to view any of the messages, which is a critical part of any platform that claims to have no knowledge (or, Zero-Knowledge) of the details of the conversation between participants.
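The steps above, as a runnable sketch. This is an added example, not Buzz’s code: the article does not name the algorithms Buzz uses, so X25519 key agreement, HKDF-SHA256 and AES-256-GCM are assumptions chosen for illustration, and the function names and sample message are constructed.

```javascript
// Added illustration, not Buzz's code; algorithm choices are assumptions.
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv } = require('node:crypto');

// STEP 1: each device generates its own key pair; the private key never leaves it.
function newDevice(name) {
  const { publicKey, privateKey } = generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Own private key + peer's public key gives the same 256-bit key on both ends.
function sessionKey(myPrivate, peerPublic) {
  const shared = diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}

// Encrypt on the sender's device, before anything reaches the server.
function encryptFor(sender, recipientPublic, plaintext) {
  const iv = randomBytes(12); // fresh nonce for every message
  const key = sessionKey(sender.privateKey, recipientPublic);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Decrypt on the recipient's device; throws if the key is wrong or the envelope was altered.
function decryptFrom(recipient, senderPublic, env) {
  const key = sessionKey(recipient.privateKey, senderPublic);
  const d = createDecipheriv('aes-256-gcm', key, env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8');
}

// The relay server handles only public keys and the encrypted envelope.
function demo() {
  const physician = newDevice('physician'), nurse = newDevice('nurse');
  const server = newDevice('server'); // any party without an endpoint's private key
  const env = encryptFor(physician, nurse.publicKey, 'Constructed sample: bed 4 EKG attached');
  const received = decryptFrom(nurse, physician.publicKey, env);
  let serverCanRead = true;
  try { decryptFrom(server, physician.publicKey, env); } catch { serverCanRead = false; }
  const altered = { ...env, body: Buffer.from(env.body) };
  altered.body[0] ^= 1; // a single bit flipped in transit
  let tamperDetected = false;
  try { decryptFrom(nurse, physician.publicKey, altered); } catch { tamperDetected = true; }
  return { received, serverCanRead, tamperDetected };
}
```

Because AES-GCM authenticates as well as encrypts, a wrong key and a modified envelope both fail at decryption instead of producing garbage text.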

What can You Encrypt?

Anything. Really. Chat messages, files, or PHI data transfers (health records, images, reports, EKGs, and videos sent between hospitals, remote clinics, and providers), even live phone conversations.

In the medical context, it is imperative as HIPAA regulations demand that any information that includes patients’ identity should be protected in such a manner. Skyscape’s BUZZ, which is a HIPAA-secure messenger, has been built around this principle. The level of security is akin to what you have come to expect from your banking or other apps that require a high degree of security. Military-grade encryption is virtually impossible to crack as it uses 256-bit keys that generate 2²⁵⁶ possible combinations. Even the fastest supercomputers available today can’t crack such a key within a reasonable amount of time.
