Healthcare blockchain is quickly becoming a hot topic in the industry, but data privacy, security, and how data will be properly utilized are key concerns for the technology.
Blockchain could still play a key role in the future of healthcare IT, especially in relation to ONC’s Trusted Exchange Framework and Common Agreement (TEFCA) draft, according to EHNAC Executive Director Lee Barrett.
Interoperability and data privacy and security are key focal points in the 21st Century Cures Act, especially from an ONC perspective, Barrett told HealthITSecurity.com.
“A continued promulgation of developing a trust exchange framework for the industry is really all about all these various aspects of trust exchange, privacy and security,” he said, adding that it’s especially true for the QHINs or recognized coordinated entities (RCE) that will be utilizing the framework.
Blockchain absolutely becomes a component technology of any trust exchange framework and blockchain-based systems have the potential of really reducing or eliminating the cost and the friction of current intermediaries, Barrett stated. Precision medicine and the whole aspect of patient care and outcomes research are some of the more compelling use cases for the technology.
“Mission-wide interoperability, how it's being leveraged in these trust exchange frameworks, makes blockchain a really excellent technology to leverage as part of any trust exchange framework,” he said.
“As we start to look for common agreement as well, it becomes an enabling technology for doing all of that,” Barrett continued. “If you look at blockchain, it's really focusing on data integrity, the decentralization and disintermediation of trust and reduced transaction costs.”
Currently, there is a lot of exchange of personal health records and HIE data. Blockchain is also taking advantage of the healthcare enterprise protocol, he noted.
“If you look at the definition of blockchain being a distributed system for recording, storing transaction records, it's basically an immutable record that really can't be changed,” Barrett explained. “There are peer-to-peer transactions that are going through the various networks. All of those various exchanges, whether it's personal health records or HIE records, are leveraging cryptographic techniques that are then implemented throughout that exchange.”
Barrett added that blockchain then essentially creates a digital ledger for all the various touchpoints along the way. This helps streamline, and provide a level of, identity verification and authentication of the various entities that are using and actually touching that record along that continuum.
Blockchain is a very important enabling technology for trust exchange for TEFCA, and ONC is likely going to be focusing on blockchain to help support the 21st Century Cures Act, he said.
Direct exchange, and the way Direct messaging is being used for email exchange, can also benefit from blockchain. For example, organizations want to authenticate the various entities between which that email exchange takes place, he said. From there, entities want to be able to encrypt that data as well.
“That data exchange is another piece of really trying to provide the level of verification and authentication between the various entities,” Barrett pointed out. “All of these technologies are enablement technologies under a trust exchange framework.”
Identity verification and authentication are key, but there have been numerous problems in trying to achieve them.
“EHNAC has seen some real issues between various exchange points, either point to point or point to multipoint,” he stated. “Unless you can go through and have that level of identity verification and authentication between the various partners, that's where we've seen some real issues.”
Barrett added that it seems ONC is trying to help the industry put together a framework that healthcare can get behind to address those significant obstacles.
Approaching risk mitigation in healthcare for 2018
More healthcare organizations are realizing that they must take cybersecurity seriously, Barrett stated. It does not matter how large or small a covered entity is, he stressed.
“I continue to tell organizations that hackers love small organizations because they know, in many cases, a lot of the controls that other organizations might have in place, small organizations don't,” Barrett said. “If hackers can get a couple thousand records, that's terrific, given what records are going for on the black market.”
There is a lot more industry awareness, and organizations are working to continue to grow that awareness.
Providers should be conducting an asset inventory as part of their risk management strategy, Barrett advised. Organizations must consider all of the devices that are being utilized, whether they are smartphones or connected medical devices.
Regularly changing passwords and implementing regular software patches and updates will also be essential for stronger risk management.
“Make sure that whatever your practice is doing, that when you get an update, when you get a patch from a Windows or an anti-virus patch, that you're implementing it immediately,” he said. “This is where a lot of vulnerability is, when organizations don't install these patches on a timely basis.”
Employee education will also be critical. Conducting penetration tests, or even testing employees on their ability to recognize phishing emails, can be greatly beneficial.
Providers also need to consider third-party accreditation for vendors with which they conduct business, Barrett concluded. This can give the provider organization an extra level of assurance as part of an overall risk mitigation strategy.