Biometrics and Blockchain – For Healthcare IT professionals and companies concerned with security. This briefly examines the hacker threat, then looks at the use of biometrics and blockchain technology, both separately and together.
How Secure is Secure Enough?
Cyber attacks have always presented a threat to our personal and financial data, but now they threaten our healthcare records and potentially our lives. Compromised systems make the news on an almost daily basis. Beyond posing risks of identity theft, hacks of healthcare systems can delay or prevent the delivery of proper medical attention. Securing your systems works in everyone’s best interests, but how secure is secure enough? This brings us to biometric and blockchain security protocols. Could they be the answer?
The Hacker Threat
The Department of Health and Human Services (HHS) reports 364 breaches of “unsecured protected health information” involving the data of 500 or more people over the 24 months leading up to September 2017. That’s one significant breach every other day. Total impact? Nearly 17 million records. In comparison, the Wannacrypt ransomware attack that made the news in May of 2017 affected 150 countries and 200,000 individuals. Monthly, cyber attacks still compromise an average of over 1.2 million records.
Hackers include all kinds of swivel-eyed actors – from some guy with a laptop to hacker groups like Anonymous to state-sponsored groups like Hidden Lynx, APT28, and Energetic Bear. Given enough time, skills and resources, if someone wants into a network, they will find a way in. On the security side, the objective is to make that as difficult as possible – and not merely with strong passwords.
As we should know by now, hackers are not always to blame. Data theft by employees and contractors is a risk, too. According to the Bureau of Labor Statistics, nearly 373,000 employees nationwide had access to healthcare records as of 2017.
The Penalties for Being Hacked
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires protections for patient data, especially electronic health records (EHR). The American Recovery and Reinvestment Act of 2009 required all healthcare providers to adopt “meaningful use” of electronic medical records (EMR) by January 1, 2014. Further, the Affordable Care Act of 2010 included incentives for providers to implement their EMR programs.
Across the board, federal regulations put the responsibility for the security and privacy of patient records squarely on providers – insurance companies, hospitals, clinics, etc. Violations of HIPAA requirements can carry civil and criminal penalties. Fines range up to $50k per incident, up to $1.5 million per year. Individuals “who knowingly obtain or disclose individually identifiable health information” can face up to 10 years in jail. Patient privacy remains a serious issue.
A Case of the Blind Leading the Blind?
This is not intended in a derogatory sense. It’s far easier to say, “Protect your data,” than to actually do it. The Federal Government is hardly the gold standard when it comes to protecting and securing data of any sort. High-profile data theft cases at both the NSA and the CIA underscore the difficulties. One would think that if anyone had “100% security” they would, but they don’t.
The “rush” for EMR resulted in a massive, complex galaxy of insular, isolated repositories. The resulting EMR systems require a separate “portal” login for patients wanting access to their records from any given provider. According to IBISWorld research, the creation and maintenance of EMR systems was a $10-billion industry in the United States as of August 2016, growing at a rate of 7.6 percent annually, with over 1,600 businesses operating in the space.
Even biometric security systems involving fingerprints, retina scans, voice recognition, or even earlobes can be spoofed. Heck, we see that all the time in spy movies. Passwords can be changed; the argument against biometrics is that a compromised biometric is compromised forever. Nevertheless, biometric security measures weed out all but the most dedicated and organized hackers. Biometric security, however, doesn’t prevent insider theft.
The EMR and Blockchain Breakout
Blockchain technology had just begun peeking out from under the shadow of Bitcoin in 2009, when the massive demand for electronic medical records hit the healthcare industry. Initial EMR systems had to be built on “legacy” database models, all of which are plagued by low-level security measures that are infamous for being hacked. Blockchain technology’s game-changing security features were far too new to have any immediate practical and realistic application to the problem. But blockchain is evolving at light speed.
Statista estimates that the worldwide blockchain technology industry will likely exceed $335 million in 2017. It’s anticipated to explode to $2.3 billion by the end of 2020. It’s impossible to predict how much of that will be devoted to revolutionizing medical records. However, when IBM surveyed 200 executives of healthcare providers and payers in 2016, 16 percent said they expected “to have a commercial blockchain solution at scale in 2017.”
Biometrics And Blockchain
In 2016, the U.S. Office of the National Coordinator for Health Information Technology (ONC) sponsored a contest soliciting white papers, “That investigate the relationship between Blockchain technology and its use in Health IT and/or health-related research.” All of the 15 winning entries touted the unprecedented cryptographic security that is built into the blockchain, but some were not so sanguine that blockchain security alone is enough.
Laure A. Linn and Martha B. Koo, M.D., focused a light on this aspect in their paper, “Blockchain For Health Data and Its Potential Use in Health IT and Health Care Related Research,” saying, “Ideally, biometric identity systems would be utilized” as an additional overlay to make security for blockchain health records as bulletproof as humanly possible.
Craig Guthrie, deputy editor at Planet Biometrics, noted in August 2016 that “biometrics is emerging as perfect counterpart technology” to blockchain technology for privacy and security, announcing at the time that HYPR Corp was partnering with BitGo in marrying biometrics and blockchain systems.
Already giants such as Microsoft, Accenture, and the Rockefeller Foundation have teamed up, with the United Nations, for ID2020, an initiative dedicated to creating “digital identity.” Curiously, ID2020’s own literature avoids the term “biometrics,” but that’s what it’s about: using biometrics and blockchain together. ShoCard is another company that has launched into the biometrics-plus-blockchain universe with its products ShoCard and ShoBadge, designed to work with mobile devices to give the user complete, unbreakable security and privacy control over all blockchain-related records and activities.
EMR Layered Defenses
So far, none of the biometrics and blockchain applications or initiatives are solely dedicated to healthcare records. It’s inevitable that the systems will meld into an integrated whole. When they do, it will be an ironic inversion, putting the absolute power over the security and privacy of medical records into the hands of the patients. Some feel that’s where it solely belongs.
Every security protocol has a weakness. Passwords can be hacked, heck – some can probably be guessed. While it’s not likely that someone will go through all the effort to spoof biometric protocols, biometrics offer no safeguard against unscrupulous employees. Blockchain on a stand-alone basis could be compromised by anyone holding the key to the records. Biometrics and blockchain used together can dramatically limit who has access and the number of records they have access to.
We have to be thinking not just about how systems are being compromised today, but how they may be penetrated five or more years from now – with the likes of supercomputers and AI.