Can Blockchain Really Keep Your Health Information Secure?
Blockchain, in theory at least, could revolutionize the U.S. health system. Blockchain's decentralized record-keeping has potential to streamline the industry's many inefficiencies. But the way forward is strewn with obstacles.
“It’s a question of, ‘Is the vision matched to the practical reality in healthcare?’” said Sharon R. Klein, a partner at law firm Pepper Hamilton LLP and chair of its Privacy, Security and Data Protection practice.
As more startups and established healthcare companies hawk their blockchain-based products as the “next big thing” in healthcare, they will have to answer a key question: can blockchain really help keep personal health information secure?
Blockchain and HIPAA: The Pros
Blockchain is the record-keeping system that underlies cryptocurrencies like Bitcoin, but it has applications well beyond the financial world. Blockchain allows multiple stakeholders who are connected in a network to independently view and verify every transaction that happens on that network, without the need for a centralized authority to update the record.
This capability has attracted attention in the healthcare industry, where records are often scattered across numerous different systems. A doctor’s prescription, for example, can require communication between doctors’ offices, insurance companies, pharmaceutical suppliers and the pharmacies themselves. All these entities may have also have to share information like a patient’s name, date of birth, address, and the medications they’re taking.
Today’s healthcare players have had to invest significant care and expense creating systems that keep that information secure, and to keep up with the regulations surrounding it. The Health Insurance Portability and Accountability Act, or “HIPAA,” one of the main laws governing healthcare data, contains over 100 pages of regulations about the protection of Patient Health Information (PHI).
“There are privacy rules and security rules; the enforcement omnibus rule; special rules on research data and data breaches […] You need privacy and security design at all levels,” said Klein. “Blockchain certainly makes it easier to check some of those boxes.”
For one thing, blockchain encrypts data, keeping it unreadable for anyone who doesn’t have access to decryption keys. This could help prevent unintended exposure of sensitive data.
Blockchain is also relatively tamper-proof. In order to change any of the information recorded via blockchain, someone would need more computing power than everyone else combined -- and even then it’s not guaranteed. This feature gives blockchain its reputation for “immutability”—and it’s a key area where blockchain can contribute to HIPAA requirements.
“Part of the HIPAA requirements are keeping a record of who’s accessing what and where it’s going,” said Katherine Kuzmeskas, CEO and co-founder of SimplyVital Health, a blockchain-based healthcare startup.
“This is really the first time in history that, up to a certain point, you can actually track who has access to your data, what they access and when they access it—in an immutable way,” she said. In more traditional auditing methods, the audit trail could theoretically be deleted, she pointed out. That’s less likely with blockchain.
Blockchain is not enough
But the security blockchain provides isn’t a total safeguard. And on its own, it doesn’t come close to the comprehensive protection that U.S. regulations require.
“If someone is unprepared for HIPAA or thinks that blockchain negates the need for HIPAA or that you don’t have to follow HIPAA because you’re using blockchain technology—that is totally not the case,” said Kuzmeskas.
Klein agreed: “There’s no silver bullet for this,” she said. “Blockchain at its best is a tool that may help with security, but it’s not a replacement for security under HIPAA.”
Blockchain provides certain protections, such as data integrity and some aspects of security. But “security” in a HIPAA sense is a much bigger concept than just encryption and immutability, explained Frank Sivilli, director of content strategy for Compliancy Group, a consulting firm for healthcare organizations about HIPAA compliance. HIPAA security requires that data, whether paper records or data on laptops and servers, be stored in a physically secure building, he said. It also requires technical safeguards like anti-malware programs on computers that hold sensitive data.
And on the privacy side, there are “minimum necessary” rules, where the fewest number of people see the least possible amount of data. “A geriatric surgeon should not have access to my information just because they’re at the hospital that I go to,” said Kuzmeskas. “They even have HIPAA restrictions within the same hospital.” Smart contracts could be one solution. They are a set of automatically-executed rules that could give access only to people within an organization with a specific job title, for example.
But even then, Klein has qualms. “How do you validate people on the nodes that have access to the chain itself?” she asked. Meaning: how do you verify that people are who they say they are?
What’s more, once someone has access to data, they could scrape, photograph or export and download it. At that point, the blockchain-based trail goes cold, Andy Coravos, CEO of biometric data company ElektraLabs, points out in a blog post about blockchain and healthcare.
The human element
Even with perfect technical design, a blockchain protocol "does not exist in a vacuum," Emin Gün Sirer, an associate professor at Cornell University's computer science department, told MIT Technology Review. The cryptocurrency hacks often occur when the online world, where blockchain is implemented, meets the offline world, he said, citing software clients and third-party applications as an example.
Kuzmeskas has heard it described as “‘The error is between the keyboard and the chair’—which means it’s the human.”
“We talk about this all the time, that the biggest threat in cybersecurity is the human. And it’s the same thing here,” she said.
These concerns have solid grounding in data. The Department of Health and Human Services’ Office of Civil Rights, which oversees HIPAA compliance, keeps a record of breaches where healthcare providers may not have properly protected personal data.
The categorization of incidents is imprecise, but the data shows that from 2009 through early 2018, close to half of all data breaches that affected 500 or more individuals were “theft,” often, theft of a laptop or of paper records. Roughly a quarter of incidents were categorized as an “IT incident,” which covers a variety of poor technical security practices, or “hacking,” usually a more malicious third-party break-in.
Sivilli’s organization, Compliancy Group, also lists “discussing [Personal Health Information] outside of the office” and “social media posts” as common sources of HIPAA violations.
A research analysis in the American Journal of Managed Care found that “health IT sophistication” was not a significant factor in whether or not a hospital’s data would be breached. In other words, blockchain alone won't solve the problem of human error.
Blockchain and HIPAA: the way forward
Yet in this morass of failure lies an opportunity. “I think the fact that patients are becoming more aware of [these breaches] and becoming more vocal about their lack of access and the risk their data is exposed to is only going to increase in the future,” said Sivilli.
“I think that keeping in mind patient access and just general security is going to be the thing that wins over patients, which will ultimately, I think, lend a lot of success to blockchain if it’s executed correctly,” he said.
A number of healthcare startups are giving it a try. MedRec, a collaboration between MIT and Beth Israel Deaconess Medical Center, takes HIPAA compliance into account. SimplyVital Health, Kuzmeskas’s organization, likewise emphasizes its dedication to HIPAA compliance, as do other startups like Embleema Health, a blockchain-based platform for sharing patient medical records.
Sivilli’s advice to these nascent efforts? “Look at some of the cautionary tales that have emerged out of the Electronic Health Record industry over the past few years,” he said. “See what you can do differently.”
Elise Hansen is a New York-based writer.