Unintended consequences of new technologies in health care – thoughts on blockchains, part two

Feb. 8, 2017 / By Senthil Nachimuthu, MD, PhD

In part one of this blog I discussed blockchains and how they could be used in health care in an ideal world. In the real world, however, blockchain use poses many challenges. The challenges range from security to accessibility perspectives, some of which are unique to health care. In a healthcare blockchain, each unique identifier is a human being, not a piece of cryptocurrency. So, anyone with access to a blockchain can see how many transactions a patient has had and their timestamps, then extrapolate how healthy or sick a person has been. The timestamps, as well as the names and inferred locations of hospitals and doctors who are granted access, expose some amount of personal information about the age of a person, what provider he/she has seen and when, and possible diagnoses, location or travel patterns. So, it becomes critical to control access to the blockchain itself, not just the records that the blockchain entries point to.

It would be naïve to assume that all patients can manage authorizations to their blockchain if they have a mobile application, considering we have been struggling with patient education and patient compliance for years in the real world. Many patients struggle to understand their health conditions and to comply with treatments or preventive interventions, let alone being able to afford and use a mobile device effectively. I can see that mobile devices with simple screens can ask a patient whether they want to allow “Dr. X at hospital Y to access their medical record,” but the questions become complex if the access is for specific documents or specific purposes for specific periods of time. Furthermore, if the data access is for research, the authorization questions become even more complicated.

It is just as complex to help users revoke complex access patterns. When mobile phones figure out how to provide an easy, usable mechanism to grant or revoke specific hardware or data access permissions for the umpteen apps installed on them, I would think it is possible to do so with blockchain access control.

Another challenge for patient privacy is to define a way to protect sensitive data categories (HIV, mental health or substance abuse records, for example). We need a way to protect the blockchain entries for these categories through effective use of authorization records in the blockchain. Authorization records will need to specify the authorized individual at the level of the applicable document and the accessing healthcare provider, rather than allowing access at the level of the patient’s entire blockchain and the accessing healthcare organization. The blockchain entries need to have sufficient metadata to describe sensitive data categories, and the blockchain service needs to return appropriate responses when there are redacted sensitive data categories to which a provider is not allowed access.
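The following sketch models the authorization check described above. It is an added example, not code from the post or from any blockchain product. All class, field and identifier names are hypothetical, and the default-deny behaviour and the wildcard semantics are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Sensitive categories named in the post; the identifiers are this example's own.
SENSITIVE = frozenset({"hiv", "mental_health", "substance_abuse"})

@dataclass(frozen=True)
class Entry:
    entry_id: str
    category: str  # metadata describing the entry's data category

@dataclass(frozen=True)
class Grant:
    provider_id: str       # an individual provider, not an organization
    categories: frozenset  # "*" covers every non-sensitive category only
    entry_ids: frozenset   # document-level grants
    not_before: datetime
    not_after: datetime
    revoked: bool = False

def active(grant, provider_id, now):
    """A grant counts only for its own provider, inside its window, unrevoked."""
    return (not grant.revoked and grant.provider_id == provider_id
            and grant.not_before <= now <= grant.not_after)

def covers(grant, entry):
    if entry.entry_id in grant.entry_ids or entry.category in grant.categories:
        return True
    # A wildcard never reaches sensitive categories; those need an explicit grant.
    return "*" in grant.categories and entry.category not in SENSITIVE

def query(entries, grants, provider_id, now):
    """Default-deny read. Withheld entries are counted, never described."""
    live = [g for g in grants if active(g, provider_id, now)]
    if not live:
        return None  # no access to the chain itself: not even an entry count
    visible = [e.entry_id for e in entries if any(covers(g, e) for g in live)]
    return {"visible": visible, "withheld": len(entries) - len(visible)}

# Constructed sample data, not taken from any real system.
ENTRIES = [Entry("e1", "cardiology"), Entry("e2", "mental_health"),
           Entry("e3", "hiv"), Entry("e4", "radiology")]
START, END = datetime(2017, 1, 1), datetime(2017, 3, 1)
GRANTS = [
    Grant("dr-x", frozenset({"*"}), frozenset({"e3"}), START, END),
    Grant("dr-z", frozenset({"mental_health"}), frozenset(), START, END, revoked=True),
]

if __name__ == "__main__":
    print(query(ENTRIES, GRANTS, "dr-x", datetime(2017, 2, 1)))
    print(query(ENTRIES, GRANTS, "dr-x", datetime(2017, 4, 1)))
```

A provider with no active grant receives nothing at all, because even the number of entries on a patient's chain is personal information.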

Currently, some of the challenges in creating a longitudinal, interoperable medical record are the unique identification of patients across multiple systems and the reliable merging of duplicate identifiers in Enterprise Master Person Index (EMPI) systems. This becomes even more challenging with blockchains because we would require patients to provide their blockchain identifier rather than their name, date of birth, driver's license or social security number. We would need to find each patient’s blockchain identifier to avoid creating multiple blockchains for a single patient, and we need the ability to merge or unmerge blockchains to reconcile cases where a patient ends up having multiple blockchains or when the blockchains of different patients are erroneously merged. Such capabilities are required before the technology can be adopted in health care.

Additionally, we need to consider the ramifications of a security breach and develop measures to reduce the risk or mitigate the consequences. Due to the replicated nature of blockchains, the blockchain services will potentially have blockchain entries of individuals from all over the country or the world. There are both pros and cons to allowing or disallowing global replication of blockchain entries. Ideally, the blockchain service should not have any personally identifiable information (PII) in order to reduce the risk of this information being compromised in a breach. Not having PII would mean that one cannot search the blockchain using a patient’s PII. So, a patient’s blockchain would need to be replicated to all trusted blockchain services so that the patient’s entire medical record can be reconstructed without knowing any PII. Now, if methods to identify patients become available in the future, we cannot limit the exposure of past entries that are already added to a patient’s blockchain and could get replicated globally. There is no way to guarantee the security of all the distributed blockchain services, and one breach would mean that the blockchain entries of all patients are out in the open. The authorization entries in the blockchain would be invalid. This would place an undue security burden on the off-blockchain medical record stores. They may have to resort to measures such as one-time passwords (single-use keys) that the patient gives to the provider to further authenticate the access request, or we may need a separate trust relationship system that is outside the blockchain.

Modern medicine is “modern” due to the adoption of new technologies, while it remains “medicine” due to the almost fanatical devotion to the guiding principles of ‘primum non nocere’ and the scientific method. As practitioners and supporters of modern medicine, it behooves each of us to think through all the unintended consequences that are unique to health care, as well as those applicable to other domains, while we create new breakthroughs to make medicine even more modern.

Senthil K. Nachimuthu, MD, PhD, is a medical informaticist with 3M Health Information Systems’ Healthcare Data Dictionary (HDD) team.