With health data more at risk than ever, there is an urgent need to find a solution that enables collaboration without exposure. Among all the bad cybersecurity news brought by the pandemic, the rise in healthcare data breaches is particularly striking. As in other industries, the sector was ill-prepared to pivot so suddenly to remote delivery, but of course in health, that problem was just one of many. Covid-specific challenges such as the need for contact tracing and the Covid certificate have added to the pressure and the risks. Is there a way to reduce the privacy risks that come along with increasing our physical safety?
Pooling knowledge makes us smarter, but more vulnerable
The pandemic arrived as healthcare systems around the world were in the process of introducing centralized electronic health records (EHRs) – ironically a step back in data security, since paper dossiers were less vulnerable. The USA was an early adopter, having started the transition in 2009, and its experience is salutary: breaches of these record systems have exposed the data of more than 100 million people. The reason they’re so tempting is that stolen medical data can be used for insurance fraud, making it more valuable even than credit card data.
Is it worth the risk? EHR advocates say that they offer far greater benefits than simply an increase in efficiency. Bringing together information on a single patient from multiple healthcare providers implies a more holistic view of that person’s health, and therefore can enable better patient care. At the same time pooling the knowledge of multiple patients across providers could promote greater system-wide learning – the kind of learning that might have helped with building a better understanding of the coronavirus (from how it spreads to unusual symptoms and long-term effects) at an early stage.
In the Harvard Business Review, John Glaser calls for a “new form of EHR”, not just a record but a system, that would use intelligent analytics to improve population-level health management as well as patient-level information exchange and provision. He warns that this will require an unprecedented level of industry cooperation – which in a privatized market raises further questions; information sharing between independent, potentially competing service providers is sure to be fraught. And the plethora of stakeholders and platforms involved adds yet another layer of complication, with interoperability as much a concern as security.
Apps lay further traps
A more urgent problem is how to win public trust in the security of their personal records when using a Covid app. Earlier this year the Swiss platform Myvaccines was found to have violated data protection rules, adding to privacy concerns among a public already resentful of Covid restrictions and requirements. At the same time, there are plenty of digital health apps besides Covid tracing and certificates, and as the possibility opens that these apps can draw on patient data from third parties, the risks increase.
In addressing these concerns, privacy needs to be absolutely non-negotiable and independent of legal protection. Privacy laws are inconsistent and in many regions inadequate. And especially since apps make data flows possible not just between individuals and public institutions, but between different institutions or companies, it must be possible to store, process and access the data in a way that does not expose individual records.
The blockchain benefit
Using decentralized storage goes some way to reducing the risk. Where a central server offers a single point of attack, blockchain has certain inherent security advantages. The distributed architecture provides no single hackable entry point; data in transit can be protected from interference; decentralized storage limits the amount of useful information obtainable from any one breach, so that it no longer rewards the attempt; and data tampering is immediately evident on the public record. However, blockchain’s transparency is itself a factor that needs to be mitigated when it comes to data protection – and it’s important to remember the GDPR right to deletion, which conflicts with putting any personal, linkable data on a blockchain.
One solution that presents itself is the use of trusted execution environments. A TEE is a hardware component within a server, effectively equivalent to a locked box to which not even the administrator has the key. Once data enters the TEE, it can be processed in predetermined ways and the results of those processes can be accessed, but not the data itself. As no one actor has the rights typically associated with the admin of a centralized server, TEEs also greatly reduce the potential risk of hacking. As we have seen, in the context of highly valuable medical records, that risk is considerable.
The great advantage of this technology is that it enables collaboration between competitors by enabling them to pool their data but not directly share it. All the stakeholders in a system such as Glaser’s envisioned “new EHR” would be able to contribute knowledge, and benefit from the power of big data analytics, without having access to the underlying data sets.
Multi-party computation (MPC) is another privacy-preserving technology that could potentially be applied to this problem, since it is another way to pool data without revealing it. In MPC, each party contributes an input and receives a specified output once the computation has been run, but has no access to any of the other parties’ inputs. In theory, this would also solve the problem of private and secure health data processing, but as the method is still largely an academic topic it is not yet of much help in addressing the urgent data problems of the healthcare sector.
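To make the MPC description above concrete, here is an added toy example (not from the article, and not a production protocol) of additive secret sharing in Python: three hypothetical providers pool a symptom count and a patient-level average without any of them seeing another provider's raw figures. The provider figures are constructed for illustration.

```python
import secrets

# Constructed example: arithmetic is done modulo a large prime so that any
# single share, or any subset short of all shares, is uniformly random.
PRIME = 2**61 - 1


def share(value: int, n_parties: int) -> list[int]:
    """Split a non-negative integer into n additive shares summing to value mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("input out of range for the sharing modulus")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def pooled_total(private_inputs: list[int]) -> int:
    """Sum the parties' inputs; each party only ever sees one share of each other input."""
    n = len(private_inputs)
    # Round 1: party i splits its input and sends share j to party j.
    distributed = [share(v, n) for v in private_inputs]
    # Party j's view is one share from every party (column j). A lone share
    # reveals nothing about the input it came from.
    views = [[distributed[i][j] for i in range(n)] for j in range(n)]
    # Round 2: each party publishes only the sum of the shares it received.
    partial_sums = [sum(view) % PRIME for view in views]
    # Anyone can combine the published partial sums into the pooled total;
    # the individual inputs stay hidden.
    return sum(partial_sums) % PRIME


def pooled_mean(local_sums: list[int], local_counts: list[int]) -> float:
    """Pool a per-patient average across providers with different patient counts."""
    total = pooled_total(local_sums)      # e.g. sum of days-to-recovery per provider
    count = pooled_total(local_counts)    # e.g. number of patients per provider
    if count == 0:
        raise ValueError("no patients contributed")
    return total / count


if __name__ == "__main__":
    # Constructed figures for three hypothetical providers.
    symptom_counts = [120, 45, 300]
    print("pooled symptom count:", pooled_total(symptom_counts))
    print("pooled mean:", pooled_mean([1200, 450, 3000], [10, 5, 30]))
```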
In developing solutions for the next generation of EHR systems and digital health, data privacy and trustless collaboration must be top of mind. It will be important to avoid the security pitfalls of centralized storage and to maximize interoperability. If these challenges are met, the benefits will be felt not just by the healthcare sector, but by all of us.