Patient data should be owned and controlled by individuals

It’s for good reason that medical history is among the most protected areas of personal data. Our medical identity includes critical details of who we are, where we live, and, of course, a chronological record of our health history. Yet, it changes hands constantly. The average person shouldn’t have to stress test the cybersecurity of an emergency room before showing up with a broken arm.

And yet well-intentioned rules mapping the routes by which a patient’s records travel — from doctors and hospitals, pharmacists and clinics, insurance providers and government services — are often underpinned by legacy tech infrastructure. This has made them vulnerable to cybersecurity attacks, like ransomware, which can have profound negative impacts on both healthcare providers and their patients. Removing the single point of failure presented by centralised databases and allowing users to own and control data not only stands to greatly reduce risk to healthcare providers, but also empowers users to control how their personal data is used and maintained.

The time has come for change, and the combination of decentralised technology and verifiable credentials will be at the very heart of it.

The Hippocratic predicament

Medical history constantly gets lost between points A and B, particularly when patients change providers. This can result in a litany of problems, including patients receiving medicine that they’re allergic to when the note never made it to their latest doctor.

Indeed, according to John Hopkins data, medical blunders are the third leading cause of death in the US, making the inefficiency of fragmented medical records more than just an inconvenience.

The patient, meanwhile, often can’t verify their own information directly and has no meaningful control over where their data ends up or how it’s used.

This is not an abstract worry. High-profile ransomware attacks continue to cripple services at major hospitals. Healthcare remains a leading target for ransomware gangs precisely because the stakes are so high and the spoils — medical data — are so valuable. Hacks lead to patients’ most personal information ending up on the darknet. This issue is exacerbated by the fact that these exact types of attacks are on the rise, with 66% of all healthcare organisations reporting some form of ransomware attack in 2021 alone.

The effects of these events can be devastating for businesses. It isn’t just the cost of paying a ransom: an attack can also shut down operations for extended periods, further eroding any income. Then, there are the costs associated with rectifying any issues that occurred as a result, bolstering cybersecurity to prevent another event, and possibly incurring legal costs as a result of insufficient data practices, not to mention the irreparable reputational damage caused.

Over 45 million Americans have had their information affected like this. The Department of Justice recently tried hackers for trading information on 2.6 million Medicare beneficiaries.

More insidiously, in some countries, like the US, there are no privacy laws stopping data brokerage firms from buying and selling patent data.

Medical data brokerage firms are profiting enormously. In its last annual report to the Securities and Exchange Commission, IQVIA, one of the largest firms trading in medical data, reported revenues of $14.4 billion in 2022.

Patients, meanwhile, make nothing from the use of their data, which is clearly worth something. Worse still, they don’t even get a chance to opt out.

In the waiting room

Some countries are already exploring alternatives. In December, India’s National Health Authority commissioned a million health accounts via a blockchain-backed identity provider.

Meanwhile, Britain’s National Health Service is working on its own digital identity for its medical staff. While still in development, they have already run an interim digital passport for medical workers to ease movement between facilities, particularly for staff treating COVID-19.

Telemedicine and remote medical services have steadily increased, but the COVID-19 pandemic kicked the need for stronger digital identities into high gear. These platforms rely on digital verification that may be no more secure than those to log on to social media. Even more alarming, they often leave verification information like passwords and phone numbers on centralised databases.

The ever-expanding array of online services and diagnostics introduce more attack vectors by bad actors or personal data harvesting.

Self-sovereignty

Current technologies offer a new level of security and individual control over personal data. Advancements in blockchain protocols and cryptography are changing how we handle personal data worldwide.

Self-sovereign decentralised identity, or SSDID, powered by blockchain and smart contracts can ensure security and eliminate the need for trusted intermediaries. Data to which you alone hold the keys can be secured on nodes.

Moreover, combining SSDID and zero-knowledge proofs (ZKPs — a cryptographic marvel that proves that something is true without revealing any additional information beyond the evidence itself — can further limit the flow of information, exposing only what a patient wants or needs to share with a specific party. A pharmacist can verify that a customer has a prescription without that patient exposing any outside medical data.

By limiting data exposure, an individual’s or organisation’s attack surface is significantly reduced. Furthermore, all transactions on a blockchain are traceable and unfalsifiable. Lastly, because identities are cryptographically verifiable, it becomes notably harder to attack victims by impersonating a loved one or health provider.

Mass systems transitions can be challenging, particularly when they involve information with such a personal magnitude. But rolling along with current institutional inertia is a mistake, not least because it significantly underestimates how vulnerable current medical data practices leave patients in the here and now.

Current “stability” takes advantage of people who may be at their most sick and vulnerable and grants an unnecessary monopoly to medical institutions. Instead, the next generation of health services should offer tech-enabled data self-sovereignty.