The obligation to secure your opponent's data in the age of hacking
Hacking, corporate espionage and data breaches are on the rise around the globe.
This article first appeared in the August 2017 issue of PLC Magazine
There is currently a lot of excitement in the life sciences and healthcare sectors about the deployment of distributed ledger and blockchain technologies (see Briefing "Blockchain technology: emerging from the shadows" and box "What is blockchain?"). While these technologies and the regulatory framework within which they operate are still evolving, many companies and organisations are actively developing use cases and potential applications to automate a wide range of activities within the life sciences and healthcare sectors.
Given the complexity of modern healthcare systems, it is perhaps no surprise that the potential applications of blockchain technology which, to date, have been best publicised in the financial services sector, are only now becoming apparent in the life sciences and healthcare sectors. What is clear is that the use of distributed ledgers and blockchains has the potential to significantly increase security and transparency, empower patients with greater control over their medical care, and, at the same time, help contain or even lower costs.
The government is already alive to the potential for blockchain technology. In January 2016, the Office for Science published a report on the technology (the report) and highlighted the National Health Service as a potential beneficiary of the technology, particularly “by improving and authenticating the delivery of services and by sharing records securely according to exact rules.” The private sector is also embracing the blockchain. For example, Philips recently launched the “Philips Blockchain Lab” and has partnered with blockchain recordkeeping start-up Tierion on an unspecified project to examine how blockchain technology could be used in the healthcare sector.
Some of the potential applications in the life sciences and healthcare sectors include:
Medical records. As the report suggests, medical records could be operated on a decentralised blockchain rather than held in a central database. There could be a reduced risk of unauthorised access as the blockchain would contain protocols governing how patient records could be accessed and by whom. So, for example, a receptionist in a GP surgery might only hold the key to access limited information about a patient (such as name and address), while a doctor would have a full key enabling access to all medical information.
Medical records could also give patients full access to their patient data. Patients could specify preferences about what treatment they should receive in different circumstances or request that certain family members be permitted to make medical decisions in the event of an emergency. Similarly, it would enable patients to record and update their organ transplant preferences while giving medical practitioners instant access to these preferences which would help to avoid the loss of organs due to the transplant window being missed.
Public and private health systems generally use their own systems for tracking each patient’s medical data. This has the effect that healthcare providers often possess fragmented information about patients. A patient could authorise access to their patient records contained on a blockchain to all regulated healthcare providers, such as the NHS and private healthcare providers, thereby giving all providers seamless access to one complete version of a patient’s medical data.
This is not as far-fetched a concept as some might think. In Estonia, Guardtime, a data security start-up, has announced a partnership with the Estonian eHealth Foundation which will see it deploy a blockchain-based system to secure over one million patient healthcare records. The project will integrate Guardtime’s keyless signature infrastructure blockchain into the Estonian eHealth Foundation’s database to provide real-time access to patient records. Similarly, IBM Watson Health announced earlier in 2017 that it had signed a research initiative with the US Food and Drug Administration aimed at defining a secure, efficient and scalable exchange of health data using blockchain technology.
Protection of intellectual property. Proof of existence platforms are being developed to provide innovators with a tamper-proof way of storing encrypted information, enabling companies to verify the date on which they created intellectual property, such as patents. The time-stamped documents can then be used as incontrovertible evidence that an inventive step occurred at a particular time and before anyone else. Courts around the world will, however, need to be persuaded about the security and veracity of these time-stamping systems before they establish the necessary legal precedents.
Collection of clinical data. The blockchain, coupled with other technological advances including wearable tech and data analytics, will enable pharmaceutical companies to collect securely ever more detailed medical information about patients in real time (see Focus "Wearable technology: intellectual property and contractual considerations"). For example, a patient could record his health data on a continuous basis by the day, hour or even minute by uploading his data to a blockchain. The health data uploaded to the blockchain could then be analysed to identify patterns signifying potential conditions that a patient may suffer from or be at risk from in the future.
Some pharmaceutical companies are already time-stamping the results of clinical trials as a way of providing evidence of when clinical trial results were obtained for inclusion in clinical trial reports to regulators. Recording clinical trial results in real-time on an immutable blockchain will also make it more difficult for clinical trial results to be subsequently manipulated by researchers, for example, where the focus of a clinical trial is altered to fit the results.
Supply chain. The integrity of the supply chain is of paramount importance to any pharmaceutical manufacturer. The blockchain could be used to assign each batch of drugs with a unique electronic serial number, with each batch being tracked as it moves through a series of transactions and through the various stages of the supply chain, for example, from factory to central warehouse, local warehouse, pharmacy and finally to patient. Intermediaries through the supply chain will then be able to validate receipt of drugs and provide updates, for example, the date received, the number of days in storage, and the date shipped. A transcript of a drug’s movement through the supply chain could then be provided to regulators, suppliers and end-users as evidence of compliance with applicable regulations. By tracking movements in real-time it will be much harder for counterfeit drugs to enter the supply chain. This may be particularly beneficial in developing countries where it is estimated that over 30% of drugs are counterfeits. It may also facilitate prompt product recalls in the event that defects are subsequently discovered.
Many of the potential use cases of blockchain in the life sciences and healthcare sectors relate to the recording, tracking and management of medical data. As a result, special attention must be given to how proposed applications for blockchain will comply with data protection laws, including healthcare-specific requirements.
However, applying some of the requirements of data protection laws to blockchain-based applications can be challenging because of the inherent features of blockchain (see box "What is a blockchain?"). For example, as the technology currently stands, entries on a blockchain are immutable. Therefore, information stored on a blockchain cannot be subsequently amended or deleted. This will be problematic where the blockchain operates in EU jurisdictions where the General Data Protection Regulation (679/2016/EU), which comes into effect across the EU in May 2018, gives individuals the rights to be forgotten, erase data and correct data (see feature article "General Data Protection Regulation: a game-changer").
Another challenge is how to comply with the obligation to hold personal data no longer than is necessary when the blockchain acts as an immutable record. Some solutions may try to deal with this issue by storing the personal data “off ledger” where the data can be deleted as required rather than holding the data on the ledger itself. Similarly, another feature of blockchain is that information can be encrypted so as to ensure that the information stored on the blockchain is secure. However, it is likely that the encryption applied to a blockchain today will be made obsolete as more sophisticated encryption techniques are developed. Again, an off ledger solution that allows encryption to be updated may help to ensure that information stored on a blockchain remains secure over time. However, while storing data off ledger may assist with these technical issues, it may not be appropriate for all applications and use cases.
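The off-ledger approach described above, shown as an added example (it is not code from the article or from any product the article names): a hash-chained ledger holds only a salted commitment to each record, while the record and its salt sit in a store that can be deleted from. The function names and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64

def _block_hash(index, prev, commitment):
    body = json.dumps([index, prev, commitment]).encode()
    return hashlib.sha256(body).hexdigest()

def append_block(chain, commitment):
    """Append-only ledger: each block commits to the hash of the one before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "commitment": commitment,
                  "hash": _block_hash(len(chain), prev, commitment)})
    return len(chain) - 1

def verify_chain(chain):
    """Recompute every link; any edited or removed block breaks the chain."""
    prev = GENESIS
    for i, b in enumerate(chain):
        expected = (i, prev, _block_hash(i, prev, b["commitment"]))
        if (b["index"], b["prev"], b["hash"]) != expected:
            return False
        prev = b["hash"]
    return True

def put_record(store, chain, data):
    """Keep data and a random salt off ledger; put only the keyed hash on ledger."""
    salt = os.urandom(32)  # stops guessing low-entropy records from the commitment
    idx = append_block(chain, hmac.new(salt, data, hashlib.sha256).hexdigest())
    store[idx] = (salt, data)
    return idx

def record_status(store, chain, idx):
    if idx not in store:
        return "erased"  # salt and data deleted; the ledger entry remains
    salt, data = store[idx]
    tag = hmac.new(salt, data, hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag, chain[idx]["commitment"])
    return "intact" if ok else "altered"

def demo():
    chain, store = [], {}
    a = put_record(store, chain, b"constructed sample: patient A, allergy penicillin")
    b = put_record(store, chain, b"constructed sample: patient B, blood group O+")
    del store[a]  # erasure request: only the off-ledger copy can be deleted
    return record_status(store, chain, a), record_status(store, chain, b), verify_chain(chain)
```

`demo()` returns `("erased", "intact", True)`: the erased record can no longer be matched against the ledger, the other record still checks out, and the chain itself is untouched.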
Companies are increasingly exploring how blockchain-based technologies can be used in the life sciences and healthcare sectors. From the outset, they will need to consider carefully compliance with data protection laws, given that in the life sciences and healthcare sectors this will involve the collection of sensitive medical data. It remains to be seen how regulators will respond to the challenge of reconciling some of the inherent features of blockchain with existing data protection laws. While technological solutions may help to address some of these challenges, it remains likely that regulators will need to address the unique challenges presented by blockchain technology.
Victoria Birch is a partner, James Baillieu is an of counsel, and Lara White is a senior associate, at Norton Rose Fulbright LLP.
What is a blockchain?
In its simplest form, a blockchain is a ledger or database of the assets held and transactions entered into by members of the same blockchain network. The information can then be shared or distributed among those members. Blockchains have three key characteristics; that is, they are:
Public or closed. They can be public, open for all to inspect, and controlled by no-one, or they can operate privately within a closed community of participants with rules governing who may join and access the information.
Distributed. They operate on a distributed basis; that is, the record or ledger of all transactions is replicated in full on each participant’s computer, and not on a central database controlled by a third party. As such, they are highly transparent, because each participant has a complete, traceable record of every transaction contained on the blockchain. Records can also be encrypted if desired to restrict which participants have access to the data.
Immutable. Once made, records cannot be altered or deleted; they can only be added to in blocks.
Encryption and correspondence between the respective copies of the ledger provide the requisite trust between participants, even if they are strangers. Parties interact with the system itself rather than an independent central authority, in the same way that a clearing house clears trades in shares between buyers and sellers.