How blockchain technology can give you control over your own Medical Data
Today I’m writing about a blockchain solution we have been working on over the last couple months at blockbird.labs, related to healthcare data and how it can (and should) be easily controlled by you — the patient.
Let’s start by acknowledging some facts about the current state of the healthcare industry:
- Electronic Health Records (EHR) were never designed to manage the complexities of multi-institutional, lifetime medical records. As patients move between providers, their data becomes scattered across different organizations, each of which loses easy access to the patient’s past records.
- Electronic Health Records (EHR) should be easily accessible by any healthcare institution (HCI) to ensure that a patient’s treatment is not compromised by lack of access to historical data.
- Electronic Health Records (EHR) should also be made easily accessible to the patient, who should be able to easily control and define WHO can access WHICH medical information and WHEN.
- The existing siloed Electronic Health Records (EHR) infrastructure deeply hampers medical research and development as it is much harder to access a patient’s exhaustive end-to-end clinical history.
Our solution is the combination of a social need with a technological enabler.
A system that streamlines medical data across healthcare institutions through decentralized data access mechanisms, giving patients an accessible and transparent view and control of their medical records. We are putting personal medical data back into patients’ hands.
Before we dig deeper let’s clarify some concepts:
Access control mechanisms — are mechanisms (access control matrices in this case) that manage which entities (users or machines) may access which files, and with which permissions (read, write and execute).
Entities — the users that access health care systems have different roles and privileges. Besides the group of medical staff and patients, other institutions must be granted access to these systems.
Confidentiality — there are different confidentiality levels within the records. Some records can be publicly accessed while others should only be accessed by a restricted number of users.
So how does it work?
- Our system comprises an App that gives patients access to all their medical records from different healthcare institutions.
- In this App, the user can easily grant or revoke access to their personal medical information (for any healthcare institution) at any point in time.
- The App is also a medical research facilitator as users can be notified and asked to provide medical information for research purposes.
- The information can be shared anonymously.
- A core component of our solution is an Access Control System which is deployed on a decentralized distributed Ledger (or blockchain).
- The Ledger is maintained by a Consortium of Healthcare Institutions.
- Each Healthcare Institution acts as a participant in the protocol and holds a copy of the Access Control Matrix (not the medical records).
- The Ledger can only be compromised if an attacker takes control of more than 51% of the network.
- Access Controls are kept secure, and no single entity can change or revoke access to the data without authorization.
The picture below illustrates the proposed architecture:
The system architecture must be able to deal with the heterogeneity of the systems used by Health Care Institutions, ensuring suitable and accountable access to all EHRs across the different HCI systems. In this context we propose the development of a middleware that provides an API for the HCI system, which should continue acting as the EHR data repository. This middleware should communicate with the Access Control System deployed on the Distributed Ledger (blockchain) in a secure and decentralized manner.
Although blockchain is only one piece of our system, it is the piece of the puzzle that was missing in order to make such a scenario a reality.
- Because of GDPR, personal records cannot be stored on the blockchain. So, the healthcare institutions should continue acting as the data repositories.
- However, the Access Control Mechanisms, which are basically files that contain information regarding who can access which personal health records, can be stored on the blockchain.
- In fact, where else should these Access Control Mechanisms be stored? Would Hospitals (and patients) rely on a single entity to hold and keep this database safe, or would they rather store it on a blockchain that is maintained by a group of Hospitals?
- Additionally, every time the Access Control File of a certain personal health record is changed, that change is recorded on the Ledger — which is immutable. As such, each Hospital shall be able to demonstrate that the data subject has consented to the processing of his or her personal data (Art. 7 GDPR — Conditions for Consent).
- The App allows patients to obtain and reuse their personal data for their own purposes across different services (Art. 20 GDPR — Right to Data Portability) as well as to withdraw their consent at any time (Art. 7 GDPR — Conditions for Consent).
- Our system allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability (Art. 20 GDPR — Right to Data Portability).
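To make the two ideas above concrete — an Access Control Matrix replicated by the consortium members, and an immutable record of every consent change that a Hospital can later point to — here is an added, self-contained example. It is illustrative code written for this article, not blockbird.labs code, and it stands in for the ledger with a hash-chained, append-only log kept in memory. Patient and hospital identifiers, record types and timestamps are all constructed sample values; no medical record content is ever stored in the log, only the access decisions about it.

```python
"""Append-only consent ledger and derived access control matrix (illustrative).

Added example, not the project's code. A real deployment would replicate the
log across the consortium; here one process holds it and we show the two
checks a Hospital's middleware would perform before releasing a record:
  1. the log has not been tampered with (hash chain verifies), and
  2. the patient currently grants this institution access to this record type.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass
class LedgerEntry:
    index: int
    patient: str          # pseudonymous patient id (constructed)
    institution: str      # healthcare institution id (constructed)
    record_type: str      # e.g. "lab_results"; never the record itself
    action: str           # "grant" or "revoke"
    timestamp: int        # constructed epoch seconds
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, in a canonical encoding.
        body = asdict(self)
        body.pop("entry_hash")
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def append(self, patient: str, institution: str, record_type: str,
               action: str, timestamp: int) -> LedgerEntry:
        if action not in ("grant", "revoke"):
            raise ValueError("action must be 'grant' or 'revoke'")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = LedgerEntry(len(self.entries), patient, institution,
                            record_type, action, timestamp, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry links to its predecessor and hashes match."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def access_matrix(self, at: Optional[int] = None) -> Dict[Tuple[str, str], Set[str]]:
        """Replay the log (optionally only up to `at`) into the current matrix."""
        matrix: Dict[Tuple[str, str], Set[str]] = {}
        for e in self.entries:
            if at is not None and e.timestamp > at:
                break  # entries are appended in time order
            allowed = matrix.setdefault((e.patient, e.institution), set())
            if e.action == "grant":
                allowed.add(e.record_type)
            else:
                allowed.discard(e.record_type)
        return matrix

    def may_read(self, patient: str, institution: str, record_type: str,
                 at: Optional[int] = None) -> bool:
        """The middleware gate: refuse if the chain is broken or access is absent."""
        if not self.verify_chain():
            return False
        return record_type in self.access_matrix(at).get((patient, institution), set())

    def consent_evidence(self, patient: str, institution: str,
                         record_type: str) -> List[LedgerEntry]:
        """Every grant/revoke for one (patient, institution, record type) triple."""
        return [e for e in self.entries
                if (e.patient, e.institution, e.record_type)
                == (patient, institution, record_type)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: a patient grants two hospitals, then revokes one."""
    ledger = ConsentLedger()
    ledger.append("patient-0001", "hospital-A", "lab_results", "grant", 1_700_000_000)
    ledger.append("patient-0001", "hospital-B", "lab_results", "grant", 1_700_000_050)
    ledger.append("patient-0001", "hospital-B", "lab_results", "revoke", 1_700_000_200)
    ledger.append("patient-0001", "hospital-A", "imaging", "grant", 1_700_000_300)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", ledger.verify_chain())
    print("hospital-B may read lab_results now:",
          ledger.may_read("patient-0001", "hospital-B", "lab_results"))
    print("hospital-B could read lab_results at t=1_700_000_100:",
          ledger.may_read("patient-0001", "hospital-B", "lab_results", at=1_700_000_100))
```

Two properties of this design carry the weight of the argument in the post. Because the matrix is derived by replaying the log rather than edited in place, a revocation never erases the earlier grant: `consent_evidence` returns both entries, which is exactly what a Hospital needs to show that access during the intervening window was consented to. And because each entry hashes its predecessor, silently flipping a past `revoke` back into a `grant` on one institution's copy breaks `verify_chain`, so the middleware refuses to release anything until that copy is reconciled with the consortium.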