With health data more at risk than ever, there is an urgent need to find a solution that enables collaboration without exposure.
Among all the bad cybersecurity news brought by the pandemic, the rise in healthcare data breaches is particularly striking. As in other industries, the sector was ill-prepared to pivot so suddenly to remote delivery, but of course in health, that problem was just one of many. Covid-specific challenges such as the need for contact tracing and the Covid certificate have added to the pressure and the risks. Is there a way to reduce the privacy risks that come along with increasing our physical safety?
The pandemic arrived as healthcare systems around the world were in the process of introducing centralized electronic health records (EHRs) – ironically a step back in data security, since paper dossiers were less vulnerable. The USA was an early adopter, having started the transition in 2009, and its experience is salutary: breaches of these record systems have exposed the data of more than 100 million people. These records are so tempting a target because stolen medical data can be used for insurance fraud, making it more valuable even than credit card data.
Is it worth the risk? EHR advocates say that they offer far greater benefits than simply an increase in efficiency. Bringing together information on a single patient from multiple healthcare providers implies a more holistic view of that person’s health, and therefore can enable better patient care. At the same time pooling the knowledge of multiple patients across providers could promote greater system-wide learning – the kind of learning that might have helped with building a better understanding of the coronavirus (from how it spreads to unusual symptoms and long-term effects) at an early stage.
In the Harvard Business Review, John Glaser calls for a “new form of EHR”, not just a record but a system, that would use intelligent analytics to improve population-level health management as well as patient-level information exchange and provision. He warns that this will require an unprecedented level of industry cooperation – which in a privatized market raises further questions; information sharing between independent, potentially competing service providers is sure to be fraught. And the plethora of stakeholders and platforms involved adds yet another layer of complication, with interoperability as much a concern as security.
A more urgent problem is how to win public trust in the security of their personal records when using a Covid app. Earlier this year the Swiss platform Myvaccines was found to have violated data protection rules, adding to privacy concerns among a public already resentful of Covid restrictions and requirements. At the same time, there are plenty of digital health apps besides Covid tracing and certificates, and as the possibility opens that these apps can draw on patient data from third parties, the risks increase.
In addressing these concerns, privacy needs to be absolutely non-negotiable and independent of legal protection. Privacy laws are inconsistent and in many regions inadequate. And especially since apps make data flows possible not just between individuals and public institutions, but between different institutions or companies, it must be possible to store, process and access the data in a way that does not expose individual records.
Using decentralized storage goes some way to reducing the risk. Where a central server offers a single point of attack, blockchain has certain inherent security advantages. The distributed architecture provides no single hackable entry point; data in transit can be protected from interference; decentralized storage limits the amount of useful information from any breach so that it no longer rewards the attempt; and data tampering is immediately evident on the public record. However, blockchain’s transparency is also a factor that needs to be mitigated when it comes to data protection – and it’s important to remember the GDPR right to deletion, which conflicts with putting any personally linkable data on a blockchain.
One solution that presents itself is the use of trusted execution environments. A TEE is a hardware component within a server, effectively equivalent to a locked box to which not even the administrator has the key. Once data enters the TEE, it can be processed in predetermined ways and the results of those processes can be accessed, but not the data itself. As no one actor has the rights typically associated with the admin of a centralized server, TEEs also greatly reduce the potential risk of hacking. As we have seen, in the context of highly valuable medical records, that risk is considerable.
The great advantage of this technology is that it enables collaboration between competitors by enabling them to pool their data but not directly share it. All the stakeholders in a system such as Glaser’s envisioned “new EHR” would be able to contribute knowledge, and benefit from the power of big data analytics, without having access to the underlying data sets.
Multi-party computation is another privacy-preserving technology that could potentially be applied to this problem, being another way to pool data without revealing it. In MPC, each party contributes an input and receives a specified output after the computation has been run, but has no access to any of the other inputs. In theory, this would also solve the problems of private and secure health data processing, but as the method is still mostly an academic topic it is not yet very helpful in addressing the urgent data problems of the healthcare sector.
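The input/output property described above can be seen in the simplest MPC building block, a secure sum over additive secret shares. The following is an added example, not code from the article or from any project it mentions; the three hospital case counts are constructed, and it assumes parties that follow the protocol and do not pool the shares they receive.

```python
import secrets

# Public modulus agreed by all parties; must exceed any possible total.
P = 2**61 - 1

def share(value, n_parties):
    """Split value into n additive shares that sum to value mod P.

    Any n-1 of the shares are uniformly random and carry no information
    about value; only all n together reconstruct it.
    """
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def secure_sum(private_inputs):
    """Simulate one run of the protocol among len(private_inputs) parties.

    Returns (total, views): views[j] is everything party j received,
    i.e. one share from every party and never a raw input.
    """
    n = len(private_inputs)
    # Step 1: party i splits its input and sends share j to party j.
    dealt = [share(x, n) for x in private_inputs]
    views = [[dealt[i][j] for i in range(n)] for j in range(n)]
    # Step 2: each party publishes only the sum of the shares it holds.
    partials = [sum(view) % P for view in views]
    # Step 3: adding the published partial sums yields the agreed output.
    return sum(partials) % P, views

if __name__ == "__main__":
    # Constructed sample: cases of one symptom at three providers.
    counts = [128, 47, 305]
    total, views = secure_sum(counts)
    print("agreed output:", total)
    for j, view in enumerate(views):
        print(f"party {j} saw only shares:", view)
```

With only two parties, either one can subtract its own input from the output and recover the other's, so the output itself has to be chosen with the number of contributors in mind.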
In developing solutions for the next generation of EHR systems and digital health, data privacy and trustless collaboration must be top of mind. It will be important to avoid the security pitfalls of centralized storage and to maximize interoperability. If these challenges are met, the benefits will be felt not just by the healthcare sector, but by all of us.