In 2017, there were at least 477 healthcare data breaches reported to the U.S. Department of Health and Human Services (HHS) or the media, affecting 5.579 million patient healthcare records. These breaches cost approximately $408 per record — more than 2.75 times the global average across industries. Partially in response to this ongoing issue, healthcare technology innovators are exploring the use of blockchain to establish a more secure, integrated healthcare recordkeeping system.
Blockchain is a promising cybersecurity tool because of its decentralization and inherent security features. Many large companies and research institutions, such as IBM, MIT and Walmart, are already working to implement blockchain into healthcare recordkeeping.
What is a blockchain?
A blockchain is a chain of blocks secured by cryptographic techniques. More specifically, it is a chain of blocks made up of information recorded on a continuous, distributed (decentralized) digital ledger, to which a new block can only be added once it is verified by the consensus of the parties to the ledger. Consensus methods vary by blockchain. For example, Bitcoin relies on miners to validate blocks by performing a proof-of-work algorithm as a vote towards consensus. Each block in the chain contains its own unique hash (analogous to a number in a consecutive list of numbers) as well as the hash of the preceding block.
A promising healthcare cybersecurity tool
Blockchain offers many cybersecurity benefits that address some of the endemic needs of the healthcare industry. These include consensus by consortium, individual record security, universal auditing and smart contracts.
One method of consensus that may work particularly well for healthcare entities is consortium. In this model, only a group of pre-defined trusted parties have access. This model could allow restricted access and limited permissions among groups of healthcare entities.
The digital architecture of blockchain as a decentralized chain of blocks is an innate security benefit. Records are currently often held in one digital repository, such that if the repository is compromised, thousands of patient records may be breached. With a blockchain of patient records, compromise of the encryption key to one patient's record limits the harm, because the hacker would need to obtain the unique encryption key of each member to access identifiable information. Even if this were accomplished, the hacker would have to repeat the process for every patient. This helps prevent massive, multi-patient breaches.
An additional critical feature of blockchain technology is that every member of a blockchain generally can access and audit the entire ledger. This allows all interested parties to confirm and update the information contained in individual blocks.
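The three properties just described (each block carrying the hash of the preceding block, consensus restricted to a pre-defined consortium, and every member being able to audit the whole ledger) can be shown together in a small ledger. This is an added example written for this article, not code from MedRec or any product named here; the consortium members, quorum size, field names and the record strings are constructed assumptions, and the records are stored only as opaque references rather than patient data.

```python
import hashlib
import json

# Constructed consortium: the pre-defined trusted parties allowed to write and audit.
CONSORTIUM = {"hospital_a", "clinic_b", "lab_c"}
QUORUM = 2  # approvals from distinct members required before a block is added


def block_hash(block):
    """SHA-256 over the block's contents; prev_hash is included, which forms the chain link."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def genesis():
    """Start a new ledger with a single genesis block (constructed values)."""
    block = {"index": 0, "prev_hash": "0" * 64, "author": "consortium",
             "record": "genesis", "approvals": []}
    block["hash"] = block_hash(block)
    return [block]


def append_block(chain, author, record, approvals):
    """Consortium consensus: author and approvers must be pre-defined members, and a quorum must approve."""
    if author not in CONSORTIUM:
        raise PermissionError(f"{author} is not a consortium member")
    distinct = {a for a in approvals if a in CONSORTIUM}
    if len(distinct) < QUORUM:
        raise PermissionError("insufficient consortium approvals")
    prev = chain[-1]
    block = {"index": prev["index"] + 1, "prev_hash": prev["hash"], "author": author,
             "record": record, "approvals": sorted(distinct)}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Audit: any member recomputes every hash and checks each link to the preceding block."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, f"block {i} contents do not match its hash"
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i} does not link to block {i - 1}"
    return True, "chain intact"


if __name__ == "__main__":
    chain = genesis()
    append_block(chain, "hospital_a", "ref:encounter-0001 (constructed)", ["clinic_b", "lab_c"])
    print(verify_chain(chain))          # (True, 'chain intact')
    chain[1]["record"] = "tampered"     # an auditor will catch this on the next check
    print(verify_chain(chain))          # (False, 'block 1 contents do not match its hash')
```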
Another significant benefit is that laws and regulations can be programmed into the blockchain as smart contracts. Smart contracts are logical rules programmed into the blockchain. They are self-executing contracts where the built-in agreement is enforced on all members. Smart contracts mimic traditional contracts and laws, and can be used to program in obligations and consequences. In this way, the requirements of specific data privacy and security laws, such as the Health Insurance Portability and Accountability Act of 1996 or the European Union General Data Protection Regulation, can be embedded in the blockchain.
Innovators are already experimenting with blockchain use cases in the healthcare context that demonstrate many of these security benefits. Researchers at the MIT Media Lab have developed MedRec, an open-source prototype that applies blockchain smart contracts to create a decentralized content-management system for healthcare data. The MedRec pilot program illustrated that the system disperses authorization data across participating entities, rather than creating a central target for attacks.
MIT Media Lab “MedRec: A Case Study for Blockchain in Healthcare.” Available at: https://dci.mit.edu/research/blockchain-medical-records. Accessed September 30, 2018.
CJ Rundell is an attorney in Reinhart's Healthcare Practice. Rundell represents his clients in all aspects of regulatory and transactional healthcare law. He is also a member of the firm's Data Privacy and Cybersecurity group, a cross-disciplinary team which assists clients with their data privacy and security needs.