On the occasion of the International Bar Association Annual Conference, in October 2018,  I have been invited by the IBA Healthcare and Life Sciences Committee to join a roundtable about the usage of blockchain techology for patients’ data storage in the healthcare sector.

Here a synopsis of my speech:

The new frontier of healthcare data protection: the Estonian blockchain-driven case study”

Healthcare, for the mere fact of representing a basic, fundamental, inalienable and constitutionally guaranteed right, is supposed to be one of the main fields entitled to benefit from technological advances.

And this is actually what happened and continues to happen with the so called “vertical innovations”, which include all those kinds of advancements conceived and developed for a specific type of industry. The discoveries of increasingly effective active principles and drugs, as well as the design of sophisticated, precision medical devices can be considered, for example, two macroscopic paradigms of successful vertical innovations in the sector.

But at what stage is the relationship between healthcare and horizontal innovations, namely all those types of transversal innovations which can provide benefits to an uncountable number of diverse industries?

This question becomes particularly relevant when it comes to patients’ data management.

Indeed, in an era marked by vast, often uncontrollable cyberthreats, where personal, private healthcare data have become an appetizing “golden target” and the recent events have thrown the focus back into privacy issues, this field seems to struggle in keeping up with what could be defined as “risk-driven” adjustments.

The fact that data management, in public and private healthcare services, is based on a central server, with a unique, centralized ledger collecting information, entails two major consequences:

-The safety of highly sensible data exclusively depends on the organisation’s ability to prevent and respond to cyber security incidents, which decreases proportionally to the attacks’ complexity.

-Patients, entrusting personal information to a service provider, rely exclusively on its integrity with regard to data transfer and, at the same time, are not able to exercise a direct control over them, for example supervising the provider’s administration of data access or even personally granting or denying data access to third parties.

In this sense, the blockchain technology could revolutionize traditional data management systems, guaranteeing higher levels of safety for sensible data and reducing bureaucratic costs, useless waste of time and difficulties in data sharing between the involved, authorized stakeholders.

The blockchain could be defined as a peer-to-peer technology based on decentralization. And its peer-to-peer nature is actually the element which could potentially allow the healthcare system to become not only more patient-centred, but also more privacy-oriented.

In order to facilitate the comprehension of such a new, unexplored mechanism, let us consider the table just below:

Let us suppose that a patient seeks medical advice at what we will call “Clinic A”. Patient ’s data are collected into clinic A’s central ledger. Let us now consider some scenarios:

-Clinic A, violating the patient’s right to privacy, or taking advantage of privacy legislation’s grey areas, transfers his data to a non-authorized stakeholder. The patient is not able to exercise a real-time supervision over significant changings in the usage of his data, and, most likely, will stay unaware of the violation for a long time.

-The patient decides to seek a second medical opinion at what we will call “Clinic B”. Personal data and a complete anamnesis are already stored in clinic A’s central ledger, but the patient isn’t able to authorize a quick, automatized data transfer from Clinic A to Clinic B.

In both the scenarios, the patient plays a marginal role: on one hand, is not able to defend himself from illegitimate data sharing and, on the other hand, is not capable of legitimately sharing his data without encountering bureaucratic procedures, additional costs and, above all, a waste of time, which often negatively impacts the outcome of medical treatments.

Now, let us imagine that a copy of patient’s data, instead of being collected in one central server, is distributed between a group of stakeholders: the patient, clinic A, and some patient’s close relatives.  Each stakeholder, directly authorized by the patient, holds a copy of patient’s data, and every copy is connected to each other to maintain uniformity and real time, simultaneous updates. Here some scenarios:

-The patient decides to seek a second medical opinion at what we called “Clinic B” and is able to automatically and independently transfer his data without the need of a third party (Clinic A) intercession.

-Clinic B, due to a clerical error, modifies patient’s sensible data. Thanks to an automatized validation mechanism, a human error is easier to be detected and corrected.

-Clinic A, in order to share information with third stakeholders, must go through the patient’s direct approval, enabled by the blockchain technology. It could be defined as a form of real-time, digitally expressed consent.

-Clinic A suffers a hacker attack. It is abundantly clear that a data breach is more likely to happen when the target is a centralized ledger. The distributed nature of the blockchain, with data protected through the presence of multiple “checkpoints”, guarantees a very high level of protection. 

Estonia is one of the first countries to have begun a process of healthcare modernization, and the first country to use blockchain on national level, thanks to a partnership between the Estonian government and a blockchain technology provider.

Almost the totality of Estonian citizens owns an ID card which provides access to over 1000 electronic government services. With specific regard to healthcare, every patient is able to supervise medical data, submit statements of intention, appoint representative(s) or act on behalf of the persons who have appointed him/her as their representative.

As reported by the official Estonian electronic solutions website, “Due to its widely witnessed property, blockchain technology makes it also impossible to change the data already on the blockchain. With KSI Blockchain deployed in Estonian government networks, history cannot be rewritten by anybody and the authenticity of the electronic data can be mathematically proven. It means that no-one – not hackers, not system administrators, and not even government itself – can manipulate the data and get away with that.”

 The aim of this work is to shade some light on the new frontier of healthcare sensible data’s protection bringing on the table an excellent case study unique in the world.