When health tech companies turn to distributed ledger technology, security is one of the key reasons they do it. But to say that blockchain is inherently more secure than other technologies would be a dangerous oversimplification.
In reality, blockchain is a novel technology for solving certain security problems. But to be truly useful in healthcare, it will need to be approached smartly and combined with other security technologies.
Beth Israel Deaconess Medical Center CIO Dr. John Halamka, who also serves as editor in chief of the online journal “Blockchain in Healthcare Today”, sees two major security-related use cases for blockchain — data integrity and patient consent.
“How can you prove that a medical record was not changed, deleted, or amended?” Halamka wrote to MobiHealthNews in an email. “When an encounter is complete, create a ‘hash’, or a one way mathematical digest of the record, and write that hash into the blockchain. If anyone has questions about the completeness or integrity of a record, it can be provided by comparing the ‘hash’ today with the historical hash recorded in the blockchain.”
Syed Abrar, CEO of Azaad Health, a startup using blockchain for medical records, stressed that blockchain makes it very difficult to tamper with data.
“If anyone tries to tamper with any one record, the hash of the relevant system goes to query their data, it says ‘Yeah this data has been tampered with’,” he said. “If you change data, you have to do it for the entire hash, one by one. And you don’t have to just do that for one node, you have to do that for 10 or a thousand or how many nodes you have. And that kind of computing power you have to change all of the data just does not exist at this point. I read somewhere that it would take a supercomputer at a minimum a year to change data on a blockchain network.”
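The hash-and-compare check Halamka describes and the chained tamper evidence Abrar describes, sketched as an added example (not code from the article or from any company quoted in it). The HashLedger class, the record IDs, the salt handling and the sample records are assumptions constructed for illustration, and an in-memory list stands in for a replicated ledger.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

def record_digest(record, salt):
    # Canonical JSON keeps the digest stable; the off-ledger salt stops guessing small records.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + body).hexdigest()

def entry_hash(prev_hash, record_id, digest):
    return hashlib.sha256(json.dumps([prev_hash, record_id, digest]).encode()).hexdigest()

class HashLedger:
    """Toy append-only ledger holding digests only, never the record itself."""
    def __init__(self):
        self.entries = []

    def append(self, record_id, digest):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        self.entries.append({"prev_hash": prev, "record_id": record_id, "digest": digest,
                             "entry_hash": entry_hash(prev, record_id, digest)})

    def chain_intact(self):
        prev = GENESIS
        for e in self.entries:
            expected = entry_hash(prev, e["record_id"], e["digest"])
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True

    def record_unchanged(self, record_id, record, salt):
        # Compare today's digest with the historical digest on the ledger.
        for e in self.entries:
            if e["record_id"] == record_id:
                return hmac.compare_digest(e["digest"], record_digest(record, salt))
        return False  # nothing anchored: integrity cannot be shown

def demo():
    ledger, salt = HashLedger(), os.urandom(16)
    encounter = {"patient": "TEST-0001", "date": "2018-03-01", "note": "constructed sample"}
    ledger.append("enc-1", record_digest(encounter, salt))
    ledger.append("enc-2", record_digest({"patient": "TEST-0002", "note": "constructed"}, salt))
    before = ledger.record_unchanged("enc-1", encounter, salt)
    amended = dict(encounter, note="amended after the encounter closed")
    after = ledger.record_unchanged("enc-1", amended, salt)
    # Overwriting the stored digest to hide the edit breaks the chain instead.
    ledger.entries[0]["digest"] = record_digest(amended, salt)
    return before, after, ledger.chain_intact()
```

demo() returns (True, False, False): the original record verifies, the amended one does not, and rewriting the anchored digest invalidates the chain. A single copy of such a chain can be recomputed from the edited entry onward, so the tamper evidence depends on comparing against the copies held by other nodes.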
As for patient consent, Halamka pointed to MIT Media Lab project MedRec as an example of how blockchain can support those applications.
“The US has 50 states with 50 different privacy and consent policies,” Halamka wrote. “We believe that recording consents on the blockchain instead of in each EHR will enable transfers of patient data while respecting patient preference via querying a public ledger before each exchange.”
How to use the blockchain securely
What makes blockchain work is that data is stored not in one place, but in many places. In the case of the public blockchains used for most cryptocurrency applications, those nodes can be on any computer, anywhere. Even with encrypted data, this isn’t a reassuring proposition for healthcare data security.
So most healthcare blockchain users are turning to private or hybrid blockchains, in which all of the nodes are located within a secure network.
“The market was giddy over a lot of the early blockchain capabilities and use cases around things like democratization of data, around the total distribution of information and so forth,” Anthony Begando, whose company uses blockchain for healthcare credentialing, told MobiHealthNews. “And there’s a lot of that that will carry forward, but if you want to create industrial level solutions that blockchain is ideal for, things like we’re doing, you’ve gotta be able to ensure privacy. You need to be able to isolate transaction sets so a competitor doesn’t know what another competitor is acquiring. These sorts of real-world business realities.”
Using non-public blockchains also has the advantage of not requiring an economy or incentive system to work.
“So [our product runs on] a permission blockchain,” Abrar said. “It’s a hybrid between private and public. It’s specifically designed for this purpose. So in public blockchain, which is what most of the companies are trying to do right now, public blockchains require cryptocurrencies and tokens or coins to basically churn out those processes. But in a permission blockchain all the processes are executed by the nodes inside that network. So it doesn’t require any coins or cryptocurrencies. The operators don’t require a whole new economy to run and deploy it, they can just run and deploy it into existing systems.”
A number of entrepreneurs, including Open Health Network CEO Tatyana Kanzaveli, told MobiHealthNews that they make a point of not storing health data itself on the blockchain.
“A, Blockchain is publicly available and B, there might be performance issues,” Kanzaveli said. “So it’s not a good place where you actually want to store healthcare data. However, it’s really cool that if you use blockchain as a ledger, it enables you to see who does what when with your health data.”
Particle Health CEO Troy Bannister made a similar distinction.
“We are just a partition layer on top of the silo,” he said. “But because we have a shared ledger of permission, now we can aggregate all that data together.”
Blockchain is not enough
In the case of Nebula Genomics, Chief Strategy Officer Dennis Grishin and his team saw in the blockchain a way to enable one piece of their genome sharing platform.
“What blockchain enables is to establish a single source of truth, irrevocable data ownership,” he said. “What we do, for example, is associating data owners with the hashes of the data and we store that information on the blockchain. And this is added once, and blockchain being our only database, it can’t be revoked essentially. This kind of control over access to the data, that’s what blockchain is.”
But blockchain alone would not have enabled the company to do what they do. To secure the data, they also employ distributed computing to limit and control access to the data and homomorphic encryption to keep the data secure but computable.
Similarly, at Azaad Health, Abrar has built redundant protections into his blockchain offering.
“On top of blockchain the entire data is actually encrypted,” he said. “So if someone gets ahold of it they can’t read it, because they don’t know what key was used and that key itself is stored separately on a private board for that particular patient. So this data will essentially be useless for them, because the encryption cannot be broken without that public key access.”
Not only does blockchain need to be augmented with other security technologies, but companies also need to keep their eyes on potential security problems that blockchain won’t touch. Karolina Starczak, whose startup Nutrimedy decided to pass on blockchain for now, noted that human error is still responsible for a high number of healthcare data breaches.
“There’s only so much technology can account for and you can still have some of those mistakes that you currently have with human error,” she said. “There’s going to be a process and a workflow of how this data gets shared and how you access information, and not everyone’s going to follow that process. So we have certain issues around training, around making sure we’re kind of incorporating some of these workflows into healthcare right now and maybe there’s a lot of room for improvement there. Just throwing another solution on top of it may not remove some of those root causes that we know exist and can sometimes be a little bit concerning.”
When blockchain is used for the things it’s best at and augmented with other technologies, it can be an important part of securing healthcare data.
“Blockchain is just a part of the story,” Grishin said. “It’s an important part, but it’s not the only part.”