Data breaches can cost healthcare organizations $380 per affected record, but current systems are vulnerable to numerous types of attacks. Patient data is extremely valuable to hackers looking for detailed identity information, which makes securing electronic health records (EHRs) and associated personal details a top priority in the healthcare industry.
Emerging blockchain technology may offer a solution to healthcare’s biggest security challenges. Features such as decentralized storage, cryptography and smart contracts provide a framework for organizations to improve data protection while maintaining accuracy and preventing unauthorized access to or alteration of patient information.
Maintaining Consistent Permissions
A blockchain may be set up as permissionless or permissioned. Permissionless, or public, blockchains are theoretically accessible to any user, but becoming part of a permissioned blockchain requires consent from the owner. Given the highly sensitive nature of patient data, permissioned blockchains are more appropriate for healthcare settings.
This can present problems if permissions aren’t handled properly. Healthcare professionals must have easy access to patient data at a moment’s notice, especially in emergencies. Inconsistent permissions may block access at critical moments, which could put patients in life-threatening situations.
Blockchain technology employs two solutions for seamless, secure permission management:
• Smart contracts grant access using predetermined parameters agreed upon by all parties involved in the contract. This rule-based form of access control can be customized to automate a variety of workflows.
• Cryptographic keys put access control in the hand of patients. Each patient has a “master” key to “unlock” health data and can give a copy of this key to health care professionals or institutions as needed. Actions may be restricted to reading or writing information, and patients can revoke keys in the event the device on which a key becomes compromised.
By allowing for the automation of processes currently requiring one or more middlemen, smart contracts and cryptographic keys minimize the risk of human error and reduce the time between the collection of health information and fulfillment of actions like insurance billing and payment.
Protecting Patient Information and Identities
Giving patients the choice of whom they share their keys with effectively puts them in control of what can be done with their health information, including who can access it and when. Because data can’t be decrypted without a key, no one should be able to read patient information without express permission. Hackers obtaining encrypted health data would need to also steal the keys to make use of the information they obtain. Combining keys with smart contracts prevents unauthorized parties from adding information to a patients’ records, including outsiders seeking to tamper with data for malicious or self-serving purposes.
Utilizing the blockchain also creates an environment in which all participants, including patients, review information before it officially becomes part of a record. This provides the opportunity for healthcare providers and patients to evaluate information, thus preserving the accuracy of data throughout the blockchain. Since 40 percent of patient health records currently contain errors, switching to this kind of collaborative system has the potential to improve patient care and reduce the risk of life-threatening mistakes.
Companies like MedChain and MedRec are currently working on permissioned blockchain platforms to bring these benefits to healthcare organizations and the patients they serve. By moving patient health information to a decentralized storage solution in which records are broken into fragments and distributed across the blockchain, these companies seek to provide a better way for healthcare organizations to protect patient information.
Challenges of Blockchain Implementation
While the blockchain has many potentially beneficial applications in the healthcare industry, the technology still needs time to mature before it becomes practical to pursue widespread adoption. Adherence to HIPAA regulations is a key concern when storing private patient information in a decentralized environment, and use of blockchain technology alone isn’t enough to ensure complete privacy. Stringent security regulations, including encryption and onsite administrative protocols, would be required of each healthcare organization retrieving, storing or sharing patient data within a permissioned blockchain.
Implementing permissioned blockchain models in existing systems requires help from IT professionals who are trained and certified in the technology and familiar with the security challenges such a framework poses in a healthcare setting. An appropriate system of checks and balances must be established at the outset to prevent data errors from becoming permanent parts of the blockchain, and provision must be made for accessing records in the event of emergencies in which patients are rendered incapable of granting access using their security keys.
Healthcare organizations looking to blockchain technology to improve patient privacy and ensure greater accuracy need to weigh the benefits against the potential pitfalls and work with qualified identity and access management professionals to deploy solutions customized to the unique security and compliance needs of the industry while focusing on access management, data protection and the prevention of identity theft.