For many years, it seemed obvious that protecting and ensuring the integrity of patient data required the use of centralized systems. Such systems do offer a certain degree of control over the use of the information, but they also represent a single point of failure that is vulnerable to attacks. The lack of cyber hygiene in healthcare organizations has led to the theft of thousands of medical records over the past few months.
A September 2016 report “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims” by the Institute for Critical Infrastructure Technology for the U.S. Senate reveals that breaches can have disastrous consequences:
“[Once stolen] electronic health record will surface as a ‘fullz’ – the slang term on the deep web [for] a complete long-form document [containing] of all the intricacies of a person’s health history, preferred pharmacy, literally everything.”
Medical records are therefore extremely valuable because they contain a large amount of personal data: first name, last name, address, phone number, social security number or payment information – all in one place.
“What happens is the people who purchase those [fullz] then go to another vendor on the deep web for what’s called ‘dox,’ the slang term for documentation, where they then proceed to have passports, drivers’ licenses, Social Security cards – all these things that will help the counterfeit imitation of the victim. … So, you have electronic health record that will typically go for $20 apiece, and you’ll spend a couple hundred dollars on ‘doxs’ to support that identity, and once it’s an identity kit, you can sell it for $1,500 to $2,000.”
Because awareness of the value of medical information and of the vulnerability of EHRs is low, many healthcare organizations believe that they are sufficiently protected. However, a large majority do not have cybersecurity experts in their IT teams, and their staff are not trained in good online practices, which creates weaknesses the organization is unaware of.
According to the Breach Level Index, in the first half of 2016 alone, 554 million records were stolen or lost. In 2017, the NHS data breach accounted for the theft of 26 million identity records, making 2017 a record year for stolen data across all industries.
“Medical information can be worth ten times more than credit card numbers on the deep web. Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers,” adds Jean-Frederic Karcher, the head of security at communications provider Maintel.
Blockchain technology can bring more visibility to the use of medical data
Usually, data breaches happen because all the information is stored in one place, creating a single point of failure. If one database is compromised and there are no tools to detect the anomalies, then all the information is vulnerable. The situation would be entirely different if the same information were distributed across various databases and, in order to access it, a network of stakeholders all had to give their permission. Security would be reinforced, as the chances of corrupting all the members of the network and gaining access to the data are slim.
When talking about EHRs, a patient can decide how many computers have to grant permission in order for someone to gain access to the information. For instance, the patient can decide to give access to his medical records to four people but, in order to access the information, at least two of the four access holders have to give their authorization. This is the type of security offered by blockchain technology.
A blockchain is a distributed ledger that lists the available information and translates access rights into code. Once a patient agrees to share access to his information with identified users, no one else will be able to retrieve the data.
However, a blockchain is not a database, and therefore it is not designed to store EHRs. As such, medical information will remain on the traditional servers used by healthcare organizations. Only the access rights will be secured on the blockchain, providing the patient with visibility on the use of the data.
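The two-of-four authorization and the "access rights only" ledger described above can be sketched as follows. This is an added example, not code from the article or from any blockchain product: the `AccessLedger` class, its method names and the sample record and holder names are hypothetical, and a single hash-chained list stands in for a ledger replicated across a network.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(prev, event):
    # Each block commits to the previous block's hash and to its own event.
    data = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

class AccessLedger:
    """Append-only, hash-chained log of access-rights events (no EHR content)."""

    def __init__(self):
        self.blocks = []

    def _append(self, event):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "event": event,
                            "hash": _digest(prev, event)})

    def set_policy(self, record_id, holders, threshold):
        holders = sorted(set(holders))
        if not 1 <= threshold <= len(holders):
            raise ValueError("threshold must be between 1 and the holder count")
        self._append({"type": "policy", "record": record_id,
                      "holders": holders, "threshold": threshold})

    def approve(self, record_id, holder, requester):
        # Assumption: a real network would verify the holder's signature here.
        self._append({"type": "approval", "record": record_id,
                      "holder": holder, "requester": requester})

    def verify(self):
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != _digest(prev, block["event"]):
                return False  # a past event was altered or removed
            prev = block["hash"]
        return True

    def may_access(self, record_id, requester):
        if not self.verify():
            return False  # never trust access rights from a tampered ledger
        policy, approvers = None, set()
        for block in self.blocks:
            event = block["event"]
            if event["record"] != record_id:
                continue
            if event["type"] == "policy":
                policy, approvers = event, set()  # a new policy resets approvals
            elif (policy and event["requester"] == requester
                  and event["holder"] in policy["holders"]):
                approvers.add(event["holder"])  # a set ignores duplicate approvals
        return policy is not None and len(approvers) >= policy["threshold"]
```

Every approval, including rejected ones from non-holders, stays in the chain, which is what gives the patient a record of who tried to authorize access and when the policy changed.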
Blockchain creates new models around the use of medical data
Besides bringing an extra layer of security and traceability to health data, blockchain technology can also build the foundations for disruptive data sharing and management models.
Many companies see the data they possess as an important competitive advantage. Hence, sharing it on a public and transparent ledger seems counterintuitive at first. However, doing so could bring a substantial benefit: each time the patient re-enters the healthcare circuit, all types of data are gathered, from administrative information to medical insights. Most of that data has already been collected in the past but is inaccessible because healthcare providers will not share it with other stakeholders in the field. This redundancy dramatically increases costs for health organizations, as time is spent collecting data or running complementary exams.
If a blockchain can act as a global catalogue of information across organizations, then all stakeholders would be able to see the available data. If the information already exists somewhere else, the patient can give his consent and allow access to the data. As such, healthcare organizations reduce their costs. Moreover, new economic models could be built, allowing patients and organizations to be rewarded provided they share their information. Far too often, data is seen in the healthcare industry as a means to an end. Pharmaceutical companies use it to produce blockbusters and healthcare providers use it to improve diagnosis. None of these stakeholders exploits data as a business in its own right. This paradigm shift will take time, as the industry will have to radically change its economic models. Although regulation in certain countries may be seen as an obstacle to implementing such models, blockchain technology and artificial intelligence are the catalysts for this change, which will lead to the biggest disruption in healthcare yet.