Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Blockchain is one of the hottest words in cybersecurity. Best to know what it is.
From the outset, the definition and functioning of blockchain need to be established, as well as its application to healthcare. A blockchain can be thought of as a shared list of transaction records, appended to in near real time by many computers, each of which keeps its own full copy. The best-known use of blockchain is cryptocurrency (think Bitcoin), which is also the usual way a ransomware victim pays to get data that is being held hostage released.
Recently, the National Institute of Standards and Technology (NIST) published a draft of NISTIR 8202, "Blockchain Technology Overview," which closed for public comment in February 2018. As that draft sets forth,
“[B]lockchains are immutable digital ledger systems implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority. At their most basic level, they enable a community of users to record transactions in a ledger that is public to that community, such that no transaction can be changed once published. In 2008, the blockchain idea was combined in an innovative way with several other technologies and computing concepts to enable the creation of modern cryptocurrencies: electronic money protected through cryptographic mechanisms instead of a central repository. The first such blockchain based approach was Bitcoin. These currency blockchain systems are novel in that they store value, not just information. The value is attached to a digital wallet, an electronic device (or software) that allows an individual to make electronic transactions. The wallets are used to sign transactions sent from one wallet to another, recording the transferred value publicly, allowing all participants of the network to independently verify the validity of the transactions. Each participant can keep a full record of all transactions, making the network resilient to attempts to alter that record (or forge transactions) later.”
What links the records is cryptography, not a list of recipients: each block carries a hash of the block before it, so the blocks form a chain in which altering any earlier record changes every hash after it and is visible to anyone holding a copy. That linkage protects the integrity of the ledger; it says nothing about confidentiality. Unless data are encrypted before they are written, a ledger that is public to the community is readable by the community, and because the ledger is immutable, anything written to it cannot later be removed. Currently, no formal guidance or regulations on blockchain have been issued by the Department of Health and Human Services Office for Civil Rights. However, some are speculating that the use of blockchain in healthcare may protect protected health information (PHI) in new ways because of the decentralized nature of the storage.
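To make the integrity-versus-confidentiality distinction concrete, here is an added example (my code, not from the article, Compliancy Group or NISTIR 8202) of a minimal hash-linked ledger. It keeps the patient's record off-chain and writes only a hash of it to the ledger, shows that editing one block is caught by anyone re-checking the hashes, and shows that a lone attacker who rewrites every later hash is caught only because other participants hold their own copies. The patient identifier "P-001", the visit notes and the function names are all constructed for illustration; the per-wallet digital signatures NIST describes are omitted to keep the example to the standard library.

```python
"""Added example (not from the article or NISTIR 8202): a minimal hash-linked
ledger showing what a blockchain guarantees (tamper-evidence across copies)
and what it does not (confidentiality). Names and records are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

GENESIS_PREV = "0" * 64  # previous-hash value of the first block


def canonical(obj: Any) -> bytes:
    """Deterministic JSON so every participant hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str           # hash of the previous block: this is the chain link
    payload: Dict[str, Any]  # what is actually written to the ledger
    block_hash: str          # hash over index, prev_hash and payload


def hash_block(index: int, prev_hash: str, payload: Dict[str, Any]) -> str:
    return sha256_hex(canonical({"index": index, "prev_hash": prev_hash, "payload": payload}))


def append_block(chain: List[Block], payload: Dict[str, Any]) -> Block:
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV
    block = Block(len(chain), prev_hash, payload, hash_block(len(chain), prev_hash, payload))
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Index of the first inconsistent block, or None if the chain checks out."""
    expected_prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b.index != i or b.prev_hash != expected_prev:
            return i
        if hash_block(b.index, b.prev_hash, b.payload) != b.block_hash:
            return i
        expected_prev = b.block_hash
    return None


def commitment(record: Dict[str, Any]) -> str:
    """What goes on the ledger: a hash of the off-chain record, never the PHI itself."""
    return sha256_hex(canonical(record))


# Constructed sample: three off-chain visit records for one hypothetical patient.
RECORDS = [
    {"patient": "P-001", "note": "visit 1: hypertension follow-up"},
    {"patient": "P-001", "note": "visit 2: labs ordered"},
    {"patient": "P-001", "note": "visit 3: medication adjusted"},
]


def build_chain(records: List[Dict[str, Any]]) -> List[Block]:
    chain: List[Block] = []
    for r in records:
        append_block(chain, {"patient": r["patient"], "record_hash": commitment(r)})
    return chain


def record_matches(chain: List[Block], index: int, record: Dict[str, Any]) -> bool:
    """A patient or physician can check an off-chain record against its on-chain hash."""
    return chain[index].payload["record_hash"] == commitment(record)


def leaks_plaintext(chain: List[Block], text: str) -> bool:
    """True if the given string appears anywhere in the ledger's bytes."""
    return text.encode("utf-8") in canonical([b.payload for b in chain])


def tamper_one_block(chain: List[Block], index: int) -> Optional[int]:
    """Rewrite one block's payload in a copy of the chain without fixing any hashes."""
    forged = list(chain)
    b = forged[index]
    forged[index] = Block(b.index, b.prev_hash, {"patient": "P-001", "record_hash": "00" * 32}, b.block_hash)
    return verify_chain(forged)


def reforge_from(chain: List[Block], index: int) -> List[Block]:
    """Rewrite block `index` AND recompute every later hash, as a lone attacker could."""
    forged = chain[:index]
    append_block(forged, {"patient": "P-001", "record_hash": "00" * 32})
    for b in chain[index + 1:]:
        append_block(forged, b.payload)
    return forged


def heads_agree(a: List[Block], b: List[Block]) -> bool:
    """Cross-check between two participants' copies: same latest block hash?"""
    return a[-1].block_hash == b[-1].block_hash


if __name__ == "__main__":
    honest = build_chain(RECORDS)
    print("intact:", verify_chain(honest))                                # None
    print("note text on chain:", leaks_plaintext(honest, "hypertension"))  # False
    print("one-block edit caught at:", tamper_one_block(honest, 1))        # 1
    forged = reforge_from(honest, 1)
    print("reforged copy passes on its own:", verify_chain(forged) is None)  # True
    print("other copies disagree:", not heads_agree(honest, forged))       # True
```

Two things to notice. First, the visit notes never reach the ledger, but the identifier "P-001" does, so even a pseudonymous patient identifier on a ledger that is public to the community is a disclosure decision; and a hash of a record with few possible values can be brute-forced, so a real design salts the commitment. Second, the reforged copy passes its own verification; the only thing that exposes it is comparison with another participant's copy, which is exactly why NIST's "each participant can keep a full record" matters.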
But is it really decentralized if every computer on the network records the same transactions? The NIST description answers this: decentralized means the ledger is replicated on every participant's machine with no central repository and no single authoritative copy, not that the data live in one place.
“In a blockchain healthcare model, patients would have ownership of their healthcare records in the form of data packets. Patients could grant physicians access to their data by exchanging their decryption key,” according to compliance solution provider Compliancy Group.
In healthcare, if a blockchain system that holds or references PHI is hacked, the covered entity or business associate operating it faces HIPAA and HITECH Act penalty exposure, just as with any other system that handles PHI.
The take-aways for physicians include:
• Don’t implement new technology without first confirming that it can be operated in compliance with HIPAA and the HITECH Act.
• Assess the risk (risk = probability x severity) of a breach of the blockchain as part of the practice’s Security Rule risk analysis, bearing in mind that anything written to an immutable ledger cannot later be removed.
• Consider what must be disclosed in, and covered by, a Business Associate Agreement with any vendor that operates the blockchain or handles PHI through it.
• Make sure you understand how blockchain works within the practice in relation to patient interactions, as well as interactions with business associates and other providers.