Blockchain for Health Records
The main spur for the development of technology to secure sensitive records (including personal health records) was a major cyberattack that Estonia suffered in 2007. The attack, believed to be state-sponsored, paralysed the government for days. Scientists in the country went to work to develop a system to prevent similar malicious attacks with a potential to devastate lives down to the individual level. Note that this effort pre-dates the launch of Bitcoin by the mysterious Satoshi Nakamoto in 2009. The underlying technology is, however, the same.
Estonia the country
Estonia is one of the Baltic states located in the north-east of Europe. It is a small country with a population of 1.3 million people. In addition to the mainland which forms the bulk of the land mass, there are over two thousand small islands forming the Republic of Estonia. Modern Estonia is a relatively young country. It was part of the Soviet Union until 1991 when it regained independence. It joined the European Union (EU) in 2004.
Healthcare in Estonia
Estonia runs a national health service and provides universal healthcare to its citizens and residents. This is financed through general taxation. This translates into healthcare being free at the point of use. This is similar to what is provided through the National Health Service (NHS) in Britain.
Electronic Health Records (EHR) in Estonia
On regaining independence, Estonia recognised that many of the systems that had hitherto been in place were not going to be fit for purpose. That included the healthcare system.
In 2002, some doctors and other experts started working on establishing a system to digitise medical records. In October 2005, the Estonian eHealth Foundation was launched. This involved all the most important stakeholders in the country including the Ministry of Social Affairs which runs the national health service. The Estonian National Health Information System (ENHIS) was launched in September 2008. Projects included in the ENHIS were Electronic Health Record (EHR), Digital Registration, Digital Image, and Digital Prescription. The cost of launching the EHR was roughly 7.5 Euros per citizen.
Of course, Electronic Health Record (EHR) systems have been around for significantly longer than that. With that accumulated wider experience, authorities in Estonia knew that, despite EHR’s numerous and blindingly obvious advantages when compared to paper-based health record systems, they also had drawbacks and inherent risks. Enter blockchain.
Deploying Blockchain for Health Records in Estonia
There is an imperative to secure personal medical records at all times. All health authorities and healthcare providers understand this. Estonia, as a central plank of its eHealth strategy, is the first country in the world to deploy blockchain technology to secure health records for each of its inhabitants.
In 2011, the Estonian government, in partnership with Guardtime, a cyber-security company founded in Estonia in 2007, deployed the latter’s Keyless Signature Infrastructure (KSI) blockchain technology to secure health records. The basic premise of KSI is that, using only hash-function cryptography, it provides data authentication without reliance on centralised trust authorities.
Health Records NOT on the blockchain
This is an area of some confusion and it requires clarification. Unlike other blockchain ledger platforms, with the KSI blockchain, no copy of the data is placed on the blockchain. The initial focus of Guardtime’s KSI was large-scale data management. The platform ensures a clear chain of custody on how records are being managed, from the hospitals and other healthcare facilities, down to the individual doctor and/or other healthcare worker with access. There is a clear, unalterable record of who accessed the records, when and where, how and for what purpose. Healthcare providers and relevant government institutions are individually accountable for data processing and security. The government’s directive explicitly states that the information security responsibility lies with each institution’s top-level management. This is in order to provide optimal protection for each individual’s private data.
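The hash-only idea described above, as an added illustration (not Guardtime's code and not part of the original article): records stay with the institution, only a Merkle-tree root is published, and a short list of sibling hashes proves that a record is unchanged. The record strings, function names and the choice of SHA-256 are assumptions; KSI's actual protocol is not described on this page and is not reproduced here.

```python
import hashlib

# Constructed sample records; in this model they never leave the institution.
RECORDS = [
    b"patient=1001;visit=2024-01-05;dx=J06.9",
    b"patient=1002;visit=2024-01-05;rx=amoxicillin",
    b"patient=1003;visit=2024-01-06;lab=HbA1c:5.4",
    b"patient=1004;visit=2024-01-06;img=chest-xray",
    b"patient=1005;visit=2024-01-07;dx=I10",
]

def leaf(record: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so one cannot pass for the other.
    return hashlib.sha256(b"\x00" + record).digest()

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(records):
    """Return every tree level; levels[-1][0] is the root that gets published."""
    levels = [[leaf(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted unchanged, not duplicated
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root: contains hashes only, no record data."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return path

def verify(record: bytes, path, root: bytes) -> bool:
    """Recompute the root from the record and its path; needs no key or CA."""
    acc = leaf(record)
    for sibling, sibling_is_left in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

def demo():
    levels = build_levels(RECORDS)
    root, path = levels[-1][0], prove(levels, 2)
    altered = RECORDS[2].replace(b"5.4", b"9.9")
    return verify(RECORDS[2], path, root), verify(altered, path, root)
```

Anyone holding the published root can check a record they are shown, while the root itself reveals nothing about the other records.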
Public Key Infrastructure (PKI) and Health Records
Over the last two decades or so, Estonia has been a clear leader in matters of eGovernance. In Estonia, most residents carry a PKI smart card enabling access to over 1000 eGovernment services. This is meant to be an enabler of transparency, e-safety, e-security and entrepreneurship and has proved very successful.
Public Key Infrastructure (PKI) is the main technology currently deployed for digital signatures and verifying integrity of system components. It is very effective. Nonetheless, it faces several challenges. For one, PKI relies on uncompromised system administrators (a human weak link). It also relies on Certificate Authorities (CAs), the so-called trust anchors. There is a whole host of examples where these have been compromised and, across the globe, data security breaches continue to occur apace. Referring to this, Taimar Peterkop, the Director General of Estonian Information Systems Authority (EISA), was quoted as saying: “…solely relying on perimeter security and goodwill of the insiders would be inexcusably naive. We need independent integrity instrumentation, both for the data, as well as for our systems, and the blockchain technology has a lot to give here.”
You can see the logic behind Estonia’s pivot to blockchain for healthcare data security and integrity.
Accessing own health records
In Estonia, each resident carries a unique identity credential through which he/she is able to link back to his/her healthcare record.
Access to one’s health records is through the eHealth Patient Portal. The Estonian National ID card is required for authentication. The Personal Health Records that can be accessed by the individual consist of:
- Illness data from healthcare system (Patient’s Portal)
- Self-monitoring data
- Wellness data from third parties
- Data from social system
- Patient forums
- Screening reminders
- Decision support
- Virtual health check
Whilst by default medical specialists can access the data, any patient can opt to deny access to their own data to any or all healthcare providers, including one’s own GP. Access to the records by others, such as a pharmacist, must be explicitly authorised by the patient within the eHealth System.
Details of every access are automatically recorded, and the patient is able to see records of access to their records. Estonia subscribes to the notion that an individual owns their health/medical data. With that in mind, the aim is to implement a meaningful and profound control of one’s personal dataset.
The Future: What Blockchain in Healthcare Offers
In healthcare, the blockchain potential extends well beyond secure and reliable records. The Estonia experience gives a mere glimpse of what the blockchain technology can offer just in the realm of healthcare records. That is not only to service providers and authorities but, more importantly, to the individual. Having accurate and complete health records that are instantly accessible means the ambition of personalised care is now distinctly realisable. The portability of those records also means that, in the globalised world we live in, distance should not compromise the quality of care.
The Estonia model is by no means perfect or even the complete article. It has several challenges and constraints. The question of where the actual medical records are stored does not yet have a perfect answer with the scalability challenge remaining one of the most vexing. However, the Estonia experience is undoubtedly a giant leap in the quest for realisation of quality healthcare provision and access.