Ben Yuan, Wendy Lin, and Colin McDonnell
Table of Contents
1 Introduction
1.1 The Blockchain
1.2 Current State of Electronic Medical Records in the US
2 Data Structure Enumeration
2.1 Relevant Qualities of Data Structures
2.2 Candidate Data Structures
3 Data Structure Analysis
3.1 Scorecard
3.2 Analysis of Candidate Solutions
3.2.1 Data Structures without Change Tracking
3.2.2 Traditional, Centralized Data Structure
3.2.3 Distributed Database with Change Tracking
3.2.4 Private Blockchains
3.2.5 Partially Open Blockchains
3.2.6 Public, Open Blockchains
4 Recommendations and Conclusion
5 Bibliography
6 Appendices
6.1 Appendix A: Blank scorecard
6.2 Appendix B: Scorecard for traditional, centralized database
6.3 Appendix C: Scorecard for distributed database with change tracking
6.4 Appendix D: Scorecard for private blockchains
6.5 Appendix E: Scorecard for partially open blockchains
6.6 Appendix F: Scorecard for open, public blockchains
1 Introduction
1.1 The Blockchain
Since the creation of Bitcoin in 2009 and its continued relatively wide adoption, considerable
interest has developed in the consensus mechanisms underpinning the cryptocurrency.
Bitcoin's success stems in large part from the robustness of these mechanisms, which provide a
means to achieve decentralized, trustless currency issuance, transaction validation, and
transaction settlement, removing the implicit centralization requirement for these tasks.
Bitcoin's consensus model centers around the blockchain, a data structure and set of
algorithms designed specifically for achieving Byzantine fault-tolerant consensus around the
state of a global transaction ledger. The key principles of the blockchain data structure as used
in Bitcoin may be summarized thus:
• Transactions are bundled into blocks. For a block to be valid, all its constituent
  transactions must also be valid according to the global start state.
• Blocks have parent blocks. The global start state corresponding to any given block may
  be reconstructed by replaying all of its ancestor blocks in normal chronological order. For
  a block to be valid, all of its parent blocks must also be valid.
• Blocks also carry certain data used to prove that a certain amount of computation power
  was expended in its creation. For a block to be valid, its proof-of-work data must be valid
  according to the scheme being used.
• Consensus among correct participants requires that they eventually all converge on the
  same history. Bitcoin participants take as the most recent block some valid block for
  which the total estimated work of the block and its ancestors is greatest. As long as
  blocks are always being added by correct participants to the block they believe is most
  recent, and the correct participants outnumber the incorrect participants in terms of
  computing power, the correct participants do tend to converge to the same global state.
• Correct participants are given an incentive to continue creating blocks. In Bitcoin, this
  incentive takes the form of currency issuance: a successful block creator can issue itself
  currency according to agreed-upon rules.
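The five principles above can be exercised in a toy ledger. The following is an added example, not code from the paper or from Bitcoin: the block format, the 12-bit difficulty, the reward of 5 and the account names are all assumptions chosen for illustration. It shows that a fork containing an overspend is rejected even though it carries more proof of work than the honest chain.

```python
import hashlib
import json

DIFFICULTY_BITS = 12           # toy target: block hash needs 12 leading zero bits
REWARD = 5                     # toy issuance rule: one 5-unit mint per block
GENESIS_STATE = {"alice": 10}  # constructed global start state


def block_hash(block):
    """SHA-256 over a canonical JSON encoding (toy format, not Bitcoin's)."""
    body = {k: block[k] for k in ("parent", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def meets_target(digest_hex):
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(parent, transactions):
    """Search nonces until the block hash meets the target (the proof of work)."""
    nonce = 0
    while True:
        block = {"parent": parent, "transactions": transactions, "nonce": nonce}
        if meets_target(block_hash(block)):
            return block
        nonce += 1


def apply_block(state, block):
    """Return the state after the block, or None if any transaction is invalid."""
    state = dict(state)
    for i, (sender, receiver, amount) in enumerate(block["transactions"]):
        if sender is None:                      # issuance to the block creator
            if i != 0 or amount != REWARD:
                return None
        elif amount <= 0 or state.get(sender, 0) < amount:
            return None                         # overspend or nonsensical amount
        else:
            state[sender] -= amount
        state[receiver] = state.get(receiver, 0) + amount
    return state


def validate_chain(blocks, tip):
    """Walk parent links from tip, check each proof of work, then replay the
    ancestors in chronological order. Returns (state, estimated_work) or None."""
    lineage, h = [], tip
    while h is not None:
        block = blocks.get(h)
        if block is None or block_hash(block) != h or not meets_target(h):
            return None
        lineage.append(block)
        h = block["parent"]
    state = GENESIS_STATE
    for block in reversed(lineage):
        state = apply_block(state, block)
        if state is None:
            return None
    return state, len(lineage) * 2 ** DIFFICULTY_BITS


def best_tip(blocks):
    """Pick the valid block whose chain carries the greatest estimated work."""
    best, best_work = None, 0
    for h in blocks:
        result = validate_chain(blocks, h)
        if result is not None and result[1] > best_work:
            best, best_work = h, result[1]
    return best


def build_demo():
    """Constructed sample: a 2-block honest chain and a 3-block invalid fork."""
    blocks = {}

    def add(parent, txs):
        block = mine(parent, txs)
        blocks[block_hash(block)] = block
        return block_hash(block)

    b1 = add(None, [[None, "miner", 5], ["alice", "bob", 4]])
    b2 = add(b1, [[None, "miner", 5], ["bob", "carol", 3]])
    # alice holds 6 after b1, so spending 10 makes this fork invalid.
    f1 = add(b1, [[None, "mallory", 5], ["alice", "mallory", 10]])
    f2 = add(f1, [[None, "mallory", 5]])
    return blocks, b2, f2


if __name__ == "__main__":
    blocks, honest_tip, fork_tip = build_demo()
    print("fork valid:", validate_chain(blocks, fork_tip) is not None)
    print("chosen tip is honest:", best_tip(blocks) == honest_tip)
```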
The result is a durable transaction ledger, secured by consensus among multiple parties, that
does not obligatorily rely on trust in any single party to function; no single party can alter or
remove any portion of the canonical transaction record without performing a very large amount
of work. A transaction ledger that is globally accessible, easy to verify, and difficult to modify
provides evident benefits when used as the underpinning of a digital currency: it allows anyone
to verify that a given unit of currency being spent has not already been spent in the past, and
prevents past transactions from being arbitrarily retracted. However, a tamper-resistant ledger of
this form can be used for purposes other than currency, wherever a requirement for
censorship-resistant, repudiation-resistant data publication exists. We examine the relative
potential applicability of this particular aspect of blockchain technology, in comparison to
alternative solutions, with respect to electronic medical records.
1.2 Current State of Electronic Medical Records in the US
Electronic medical records (EMRs) today are fragmented across myriad hospitals, private
practices, labs, pharmacies, and, increasingly, private companies collecting data from wearable
devices. This fragmentation will only increase as more frequent job changes, greater mobility,
and the rise of specialty care drive more changes in insurance plans, greater reliance on
multiple healthcare providers, and the need to access healthcare services from a higher number
of outlets.

It is well acknowledged since the 1990s that reducing this fragmentation by increasing the ease
with which EMRs are accessed and transferred across organizations will improve our healthcare
system. However, attempts to implement solutions have run into barriers, as addressed in Vest
and Gamm's paper titled "Health information exchange: persistent challenges and new
strategies"¹ [7], including:
• healthcare providers' hesitation to share what they perceive to be proprietary data
• patient concerns about security and privacy
• lack of strong political will from regulators
• historically costly technological solutions, whose costs often fall to healthcare providers
  but whose benefits often accrue to patients, payers (e.g. insurance companies), and the
  healthcare system as a whole [5]

Vest and Gamm's model reduces the space of healthcare stakeholders to payers, providers,
patients, and governmental entities. We found it difficult to hypothesize about how a given
stakeholder would react to a proposed change or incentive structure without modeling the
landscape in greater detail. Below is a diagram representing the heterogeneity of the
stakeholder categories in Vest and Gamm's model, as well as the space of interactions between
these parties and, where relevant, the middlemen that mediate such interaction.

It's within this complex system of incentives, currently in flux, that we will attempt to derive an
optimal data structure for EMRs that will address key problems of the status quo. In evaluating
these structures, we will assess both costs and benefits to the primary stakeholders of the
healthcare system: patients, (healthcare) providers, payers (including Medicare/Medicaid and
private insurance), and regulators. For costs, we will assess both financial costs as well as the
mental cost associated with behavior change relative to the status quo. For benefits, we have
identified the key goals each stakeholder has for an EMR system and will assess how well
different data structures address these goals.
¹ http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2995716/
Figure 1: A map of stakeholders and interactions in the healthcare ecosystem.
2 Data Structure Enumeration
2.1 Relevant Qualities of Data Structures
We try to define the space of healthcare data management solutions by identifying the relevant
properties of interest and considering each possible combination of these properties.

When trying to enumerate important or relevant properties of data management solutions for a
complex industry like healthcare it's important to understand the specific needs of the
stakeholders involved. In healthcare, three factors are particularly important: data
lineage/integrity, data security, and interoperability. We consider each of these three briefly.
1. Ensuring data lineage and data integrity is a big one. If you're handling research data or
   test results whose integrity can directly influence people's health, then you want to know
   that that data hasn't been tampered with since creation. As such, it's in the public
   interest for anyone to verify that research data is secured by a solid chain of custody
   from birth. Similarly, if you're handling medical records you want to know that those
   records were generated by a credible source. Unfortunately a doctor in another state
   may or may not fall into that category.
2. Ensuring data security is another obvious concern; we need to ensure that records
   can't be retrieved by people who are unauthorized to view them. On the other side of the
   coin, all parties who are authorized to view them should be able to view them in a
   hassle-free way, including emergency medical personnel, the PCP of a patient, the patient
   herself, and anyone else the patient wishes to bring into the loop. Not only that, but the
   process of adding or subtracting access permissions should be painless and
   instantaneous.
3. Ensuring data mobility, integration, and interoperability is the final piece of the puzzle.
   What's the point in having legal access to a medical record if you have to fly across the
   country to exercise that right? Medical records should be capable of movement between
   providers with a minimal amount of friction. The current process is a far cry from this; it
   frequently involves phone calls, paperwork, and FedEx. Even digital records are
   frequently incompatible between the electronics systems of different providers.
But how do we convert these specifications into a small set of features or properties that we can
use to enumerate categories of data structures? We settled on three properties that collectively
encompass the above specifications: change tracking, decentralization, and proof of work.

Change tracking refers to the ability to see the state of the system and its contained data at an
arbitrary point in the past, as opposed to merely the most recent version of the data. This of
course achieves the specification of data lineage and integrity mentioned above.
Decentralization refers to a distribution of control of the actual servers and devices storing the
data among many discrete autonomous entities, which helps guarantee data security and
requires some degree of interoperability. Proof of work refers to the puzzle-solving executed by
Bitcoin miners that enables them to collaboratively mine blocks and achieve consensus
surrounding a version of history. This property also helps maintain data security and integrity
while necessarily involving an agreed-upon interoperable block structure.
2.2 Candidate Data Structures
We look at all possible permutations of these three properties below and describe a feasible and
reasonable data structure that falls within that category. In general, we assume a
well-implemented system based on sound technology and only critique each proposal based on
its inherent properties and propensity to demonstrate various vices and virtues.

The most significant bit represents proof of work. The middle bit represents decentralization. The
least significant bit represents change tracking.
000  a traditional, centralized database administered by one entity, likely a provider
     or a governmental organization
001  a traditional, centralized database with change tracking
010  a distributed peer-to-peer encrypted database, perhaps employing distributed
     hash tables with many redundant copies of data
011  a distributed version control system such as Git
100  not considered (as proof of work does not make much sense in isolation)
101  a private blockchain with all nodes controlled by a single entity with
     proof of work required to implement a change
110  a distributed database without change tracking, shared among many
     stakeholders, and requiring proof of work to implement a change
111  a blockchain with proof of work, of which we consider two major variants:
     • federated blockchains with a shared but controlled ownership of mining
       nodes among a set of shareholders, including the government,
       providers, payers, and vendors
     • pure, public blockchains such as the Bitcoin blockchain, with no
       centralized or federated control on mining power

We evaluate all of these options in turn for viability and situational aptitude.
3 Data Structure Analysis
3.1 Scorecard
We created a scorecard displayed in Table A for evaluating specific proposals regarding the
administration of EHR data management. It is derived from the model described in Vest and
Gamm's paper as well as an analysis of the most important issues to each stakeholder. We use
this scorecard to analyze each of the solutions enumerated above.

Costs: Mental/Behavioral
Costs: Financial
Benefits:
  Patient controls privacy of record? | Easy and fast to modify records? | Costs are lower, i.e. disease prevention, compliance? | Quality of care is improved?
  Security of patient record assured? | Quality of care is improved, i.e. fewer preventable mistakes? | Makes fraud more difficult? | Easy to monitor public health, epidemics, health trends?
  Does not jeopardize customers or make it easier to switch?

Table A: A scorecard used to evaluate EHR proposals.
3.2 Analysis of Candidate Solutions
3.2.1 Data Structures without Change Tracking (000, 010, 100, 110)
Ensuring accurate and complete provenance of records is an important goal in healthcare.
When a patient receives a copy of his or her own health record, or when a doctor or payer
receives a health record from a distant office, the recipient would like to ensure that the record is
complete and correct. Patients and providers want assurance that no important medical history
facts have been unknowingly altered or wrongly introduced; payers need accurate information
on procedures and treatments performed.

Any system that manages electronic health records should provide some mechanism by which
changes to a given record may be tracked and verified, at least by anyone with the capability to
read the record. An auditor, who may be a patient, or a doctor, or a payer, or a regulator,
should be able to determine when a particular value for a particular attribute was created, as
well as what values were present before, subject to any useful and reasonable privacy
restrictions a patient may wish to place on this information.

With a good change tracking mechanism, data recipients can be assured that the data they are
receiving is the product of a sensible record-keeping process, and if the observed change
history is in great conflict with the previously observed history, or otherwise indicates behavior
outside reasonable expectations, then the data recipient is justified in demanding an
explanation. Any system without robust change tracking cannot provide this crucial property,
since it becomes much more difficult for a data recipient to ascertain the legitimacy of any data
received, especially when that data does not conform to expectations.

We thus do not consider systems without auditable change tracking in our discussion of
electronic medical records.
3.2.2 Traditional, Centralized Data Structure (001)
A fully centralized model assumes that clients rely on the word and work of a single authority for
the world state. This single authority performs all authentication, authorization, data processing,
and data storage. An example is the US Social Security Administration, which is the single
authority on one of the key identifiers and means to access government benefits.

In healthcare, the most credible and powerful central authority is probably the Centers for
Medicare and Medicaid (CMS). As the largest payer, the CMS sets the ground rules for how and
which health procedures get reimbursed, which then reverberates across the industry.

The trouble is that healthcare is not a contained system like that of social security and many
parties must frequently read and write to the EMR database. Thus, the natural evolution of using
a traditional, centralized data structure has led to today's world where many entities maintain
their own world states based on the limited information they have from the data they have
access to. There is no common world state across these organizations, and patients and
providers must do the legwork to reconcile and unify these world states in instances of patient
mobility or collaborative delivery of care.

Even if government musters up the substantial political force of will to centralize all data under
the CMS, this change will likely require a multi-billion dollar government project, using the much
simpler Healthcare.gov's $500+ million cost as a benchmark. In this realization of a fully
centralized system, regulators will have to bear all of the financial and mental cost, requiring
relatively little behavior change or financial contribution from other stakeholders (though one can
argue that ultimately the patients as tax-paying citizens bear the financial burden). A
benevolent, enlightened, and sophisticated government would then be able to help each
stakeholder realize his objectives. More realistically, centralized databases lead us to where we
are today, whereby we generate no additional mental or financial costs, but must accept its
failure to address all of the aforementioned goals of an optimal EMR system.

To protect the sensitivity of this data across multiple parties, the government introduced HIPAA,
the Health Insurance Portability and Accountability Act. Any organization that deals with
protected health information must ensure that all required physical, network, and process
security measures are in place and must abide by privacy rules that aim to involve patient
sign-off and sharing the bare minimum of data to achieve goals. Without the ability to achieve
these goals through other means, HIPAA uses severe civil and criminal fines to penalize bad
actors after the fact.

A completed scorecard can be found in Appendix B.
3.2.3 Distributed Database with Change Tracking (011)
We now consider a distributed data management solution that tracks all changes to the EHR
over time. We are assuming a best-case scenario with respect to the technology. It should be
entirely possible to implement a secure distributed versioning system that allows fine-grained
permissioning of both read and write access. The record should be secure and private. It
should ideally be possible for various organizations to receive statistics relating to medical
records without accessing the raw data itself.

One can imagine a distributed system of servers that track a large amount of data over time,
and is capable of rolling back to any previous state of the system. Changes to the record are
represented as sets of additions and subtractions from the previous state of the system. The
system can be made tamper-resistant with chained hash pointers and signature dependencies
to prevent any clandestine modification of the record, in a similar manner to the method by
which some software version control systems ensure change lineage and integrity.
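A minimal sketch of such a change log follows, as an added example rather than a design from the paper. Each change records additions ("set") and subtractions ("unset"), points at the hash of its predecessor, and is signed by its author. Assumptions: the entry format, field names and provider names are constructed, and HMAC-SHA256 with demo keys stands in for real digital signatures (in a deployment the verifier would hold only public keys).

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in for an asymmetric signature scheme.
PROVIDER_KEYS = {"clinic-a": b"demo-key-a", "lab-b": b"demo-key-b"}


def entry_digest(entry):
    """Hash of the change itself plus the pointer to the previous change."""
    body = {k: entry[k] for k in ("prev", "author", "set", "unset")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def sign(author, entry_id):
    return hmac.new(PROVIDER_KEYS[author], entry_id.encode(), hashlib.sha256).hexdigest()


def append_change(log, author, set_fields=None, unset_fields=None):
    """Append a signed change whose 'prev' is the id of the current head."""
    entry = {
        "prev": log[-1]["id"] if log else None,
        "author": author,
        "set": set_fields or {},
        "unset": sorted(unset_fields or []),
    }
    entry["id"] = entry_digest(entry)
    entry["sig"] = sign(author, entry["id"])
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = None
    for i, entry in enumerate(log):
        if entry["author"] not in PROVIDER_KEYS:
            return i                                  # unknown signer
        if entry["prev"] != prev or entry_digest(entry) != entry["id"]:
            return i                                  # broken link or edited body
        if not hmac.compare_digest(sign(entry["author"], entry["id"]), entry["sig"]):
            return i                                  # signature does not match
        prev = entry["id"]
    return None


def state_at(log, version):
    """Roll back: replay only the first `version` changes."""
    record = {}
    for entry in log[:version]:
        record.update(entry["set"])
        for field in entry["unset"]:
            record.pop(field, None)
    return record


def extends_known_head(log, known_head):
    """True if a head id the recipient saw earlier is still part of this history.
    Catches truncation or wholesale replacement that verify_log alone cannot."""
    return known_head is None or any(e["id"] == known_head for e in log)


def demo_log():
    """Constructed sample record history."""
    log = []
    append_change(log, "clinic-a", {"allergy": "penicillin", "blood_type": "O+"})
    append_change(log, "lab-b", {"hba1c": "5.4%"})
    append_change(log, "clinic-a", {"allergy": "penicillin, latex"}, ["hba1c"])
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", verify_log(log) is None)
    print("version 2:", state_at(log, 2))
    log[0]["set"]["allergy"] = "none"        # clandestine edit of old history
    print("first bad entry after edit:", verify_log(log))
```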
The parallel to version control systems may also provide a useful metaphor for understanding
the user experience of the providers. One can have a master branch of the patient's record
that the provider checks out when providing care to the patient. In the process of diagnosing
and treating the patient, the provider can augment its local branch of the record, then merge
the changes into the master branch when a conclusion or diagnosis has been reached. This
lets the provider run appropriate follow-up tests before publishing potentially misleading or
mistaken test results to a patient's record. There can be policies in place regarding the
frequency of merging record changes; for instance, it might be necessary to publish changes
before prescribing a pharmaceutical or after certain types of tests.

One important question affects the performance of any proposal involving a decentralized
version control approach to EHR management: who physically controls the data? Some options
include the state government, the federal government, the patients themselves, a
non-governmental trustless network of servers (similar to the Bitcoin network, minus proof of
work), providers (perhaps that meet a given size according to some metric), insurance
companies, or any combination of the above. Any of these options may be viable. Historically,
the burden for hosting similar data has fallen to medical providers and to the government. An
incentive scheme that somehow motivated insurance companies or patients to put forth time
and monetary resources to host data would vastly improve the chances of a solution taking off.

If the requirement for always-online access to the most recent data by any authorized party may
be dropped, then even simpler solutions for data storage may be possible, while retaining the
system's tamper resistance and auditability. One can imagine the patient carrying a write-only
memory device, perhaps in the guise of an insurance card or similar, to which signed changes
to the patient's record are written at each provider visit. Taking the data offline in this way does
seem to hinder payer and regulator access, as the canonical copy would exist on a device that
spends most of its time disconnected from the world. One should of course ensure that the
storage device used is of a commonly readable type and uses an easily readable data
encoding, so that patients retain the ability to easily read their own records.

A completed scorecard can be found in Appendix C.
3.2.4 Private Blockchains (101)
Private blockchains are a bad idea in general. They eliminate the benefits of a decentralized
network capable of trustless transactions and robust consensus. A blockchain whose entire
mining pool is controlled by a single entity degenerates to a traditional centralized system with a
bit of cryptographic auditability sprinkled on top. What's more, this auditability can be achieved
through other means besides the mechanisms used in blockchains. To quote Vitalik Buterin,
"there is no reason to believe that the optimal format of such authentication provision should
consist of a series of hash-linked data packets containing Merkle tree roots; generalized zero
knowledge proof technology provides a much broader array of exciting possibilities about the
kinds of cryptographic assurances that applications can provide their users." [1]

However, this proposal may not be entirely without merit. There are vanilla implementations of
blockchains that are presumably easier for a hospital to get running than implementing a secure
zero-knowledge proof protocol. Additionally, if the data format of these private blockchains is
somehow standardized early in the process, then the adoption of private blockchains by the
administering stakeholder may improve data portability and interoperability. However, this
standard would likely have to be mandated by a state or local government, which would be
better off simply mandating a standard data format for conventional records.

A completed scorecard can be found in Appendix D.
3.2.5 Partially Open Blockchains (111)
A federated blockchain consists of several parties that jointly create the world state and attempts
to replace Bitcoin's distributed network of voluntary miners with proprietary computers belonging
to approved users that process transactions. Operations on this world state may affect multiple
parties simultaneously, and a federated blockchain would force the network to share
responsibility over each other's databases.

In the case of healthcare, such a group would likely include regulators, providers, and payers.
Federations are likely to be organized by systems of care, most likely identified by geography,
such as community or state. Patients are assumed to stay within these systems of care that
cross organizations. Most likely, a federated blockchain will be applied on top of an existing
health information exchange community as a way to further reduce costs and help the
community reach financial sustainability.

Current sharing of data across these systems of care exists with the combination of centralized
data structures within each individual organization and HIPAA-compliant data transmission.
With the blockchain, organizations can come together and jointly create a public (to the
federation) truth that each organization can modify with requisite proof of work. Because miners
are distributed across organizations, each organization checks every other organization's
database modifications.

Such a system is more secure than the status quo, as organizations are able to aggregate
computing power to secure the blockchain. Also, data is redundant across organizations,
avoiding single points of failure. Fewer parties means it's quicker to modify the system's code
and revert actions; nodes are well connected and manual intervention can quickly fix a lot of
faults and enable faster confirmation times. Actions on the chain are also cheaper, requiring
less wasted proof of work. It is simple to rewrite the rules, especially regarding read
permissions, which is a useful property in the context of EMRs. However, many of these goals
can also be achieved without proof of work, which is an expensive form of security.

Additionally, removing patients from the picture removes one of the key beneficiaries of a more
liquid EMR system and ends up leaving mostly antagonistic parties at the table. Given a solution
like this requires system-wide buy-in, it's unlikely that without patients at the table pushing for
this solution, other parties will reach consensus in adopting a federated blockchain.

A completed scorecard can be found in Appendix E.
3.2.6 Public, Open Blockchains (111)
Considering the potential issues with deploying and ensuring acceptance of more closed
systems, we turn our attention to the possibility of building an electronic medical record system
using a public, open blockchain as a trust anchor. It is of course not desired to place medical
records directly on such a blockchain, as any information committed to an open blockchain is
naturally globally visible; this property would immediately introduce serious privacy concerns for
the patients described by the records being kept. Additionally, if a public blockchain like Bitcoin
is to be used, the restrictions on data storage for the host blockchain must be respected: Bitcoin
itself only permits 80 bytes of user-chosen data to be added to the blockchain in a given
transaction [2], so full medical records could not easily be stored directly even if privacy were a
non-issue.

However, if we permit a secondary data storage mechanism, e.g. a distributed hash table with
open participation and custom access control mechanisms, then we may have the tools needed
to build a sensible privacy-respecting electronic medical record system. The Enigma protocol [9]
describes a privacy-respecting programmable substrate, using secret sharing and secure
multiparty computation to achieve Turing-complete computation over private data, and using an
open blockchain to perform identity management, access control, and auditing. Enigma is
constructed such that the off-chain network permits and incentivizes open participation, allowing
anyone to participate in keeping the Enigma system running, and such that the public
blockchain stores audit records of off-chain activity, allowing anyone to verify that the off-chain
network is operating correctly without being able to discover private data.
Since Enigma is highly programmable, we can construct our EMR system essentially however
we wish. It need not follow particularly complicated rules; as an example, by default, a given
patient's medical record can be readable only by the patient, and only upon request by a
provider and/or payer (signalled by e.g. a smartphone application) does the record become
accessible and writable as necessary by the respective parties. Such an architecture,
instantiated correctly, gives the patient access and control over their own complete medical
record without imposing the singular burden of storing or transmitting it, while allowing all parties
to participate in and verify correct operation of the network.

If patients are willing in practice to disclose the necessary data, then being able to compute over
complete medical records brings advantages to providers, payers, and regulators. Providers
and payers can assess the medical need of any given procedure in the context of a patient's
entire medical history, potentially enabling otherwise unavailable insights and potentially
reducing the incidence of medically unnecessary work. Regulators, without needing to handle
the actual records, are still able to compute trends over medical records in aggregate,
potentially giving them the tools needed to discover public health trends essentially as they
happen.
The largest issue with any such system, supposing the pieces work as advertised, is the issue
of key management. Identity in any Enigma-based system is tied to private keys; should these
keys be lost or otherwise compromised, control of the corresponding identity is lost. This can be
especially problematic if a patient loses control of the key owning a corresponding medical
record, as direct control of the medical record is lost. This situation is not entirely impossible to
recover from; for instance, the key itself may be distributed by a secret sharing mechanism to
multiple partially trustworthy parties, and a key recovery mechanism derived from that, or the
entire medical record may be retrieved (if disclosed in such form in the recent past) from the
patient's last visited provider and reissued under a new key. Any system using private keys as
identities must consider the key recovery issue, but it is especially important in the case of
medical record management as loss of an entire medical record would be problematic for the
corresponding patient, in the context of future and ongoing medical care.
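The secret-sharing recovery path mentioned above can be sketched with Shamir's scheme, in which any `threshold` of the custodians can rebuild the key and fewer learn nothing useful. This is an added example, not part of the paper or of Enigma: the custodian names, the 3-of-5 split and the use of a SHA-256 fingerprint to confirm the recovered key (standing in for a check against the identity's public key) are assumptions.

```python
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime, comfortably larger than any 256-bit key


def fingerprint(key: bytes) -> str:
    """Public value used to confirm a recovered key (stand-in for a public key)."""
    return hashlib.sha256(key).hexdigest()


def split_key(key: bytes, threshold: int, custodians: list) -> dict:
    """Give each custodian one point on a random degree-(threshold-1) polynomial
    whose constant term is the key."""
    if not 1 < threshold <= len(custodians):
        raise ValueError("threshold must be between 2 and the number of custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x, name in enumerate(custodians, start=1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial
            y = (y * x + c) % PRIME
        shares[name] = (x, y)
    return shares


def recover_key(shares: list, key_len: int, expected_fingerprint: str):
    """Lagrange-interpolate the polynomial at x = 0. Returns the key, or None when
    the shares are too few or corrupted (the fingerprint will not match)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 256 ** key_len:
        return None                          # cannot be the original key
    key = secret.to_bytes(key_len, "big")
    return key if fingerprint(key) == expected_fingerprint else None


if __name__ == "__main__":
    patient_key = secrets.token_bytes(32)    # constructed sample key
    fp = fingerprint(patient_key)
    custodians = ["provider", "payer", "relative", "notary", "regulator"]
    shares = split_key(patient_key, 3, custodians)
    three = [shares["provider"], shares["relative"], shares["regulator"]]
    two = [shares["payer"], shares["notary"]]
    print("3 of 5 recovers:", recover_key(three, 32, fp) == patient_key)
    print("2 of 5 recovers:", recover_key(two, 32, fp) is not None)
```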
Because in this architecture the patient has final control over what data gets disclosed to whom,
providers still face the prospect of having to disclose data they may perceive as proprietary to
parties that may be potential competitors. As with any personal health record system, providers
must be convinced that the net benefits of contributing comprehensive information to a patient's
record outweigh the net benefits of concealing information perceived proprietary.

A completed scorecard can be found in Appendix F.
4 Recommendation, Observations, and Conclusion
Given our analysis, we believe blockchain-based technology is a viable choice for EMR
management. Notably, the lack of any single entity that everyone trusts to run a centralized
system indicates that a decentralized one might be favorable, and the minimization of required
trust relationships seems like a good fit for such an environment. The weaknesses that
blockchain technology currently presents, such as lack of high-volume processing and difficulty
handling private data, can increasingly be addressed with advancements like Enigma and
Bitcoin-NG, and we believe the high amount of developer attention on the blockchain will
continue to resolve other weaknesses that emerge.

However, while blockchains are a good choice for this application, consideration must still be
given to alternatives that achieve the same goal of enabling complete, auditable patient-owned
personal health records. Arguably, alternatives built on decentralized change-tracking
databases can be comparably effective at enabling completeness, auditability, and data control
if well engineered. To settle the question decisively, it may become necessary to instantiate
more comprehensive system designs and conduct more detailed cost-benefit analyses with the
more complete designs in hand.

The bigger question is how to get the healthcare system to adopt any new EMR management
system, given the complex and often competing interests involved in the ecosystem. The
benefits to patients of having ownership of a comprehensive health record are appealing, but
patients are historically also the most disempowered of the stakeholder groups. Achieving a
successful implementation of patient-controlled EMRs requires a compelling enough message
to mobilize patients and patient advocacy groups to jumpstart the initiative. Previous instances
have shown that regulators rarely have urgency in initiatives without sufficient citizen attention,
another reason for mobilizing patients [3].
Then, given a change like this requires system-wide support, it makes sense to implement this
first in a contained health community, ideally one where
• there are many small providers who are on fragmented EMR systems but don't have the
  ability to provide all healthcare services alone. This solution can allow them to become
  part of a physically distributed, full-service provider. This argument becomes more
  compelling as healthcare providers continue to specialize and fragment, as indicated by
  the rise of minute clinics and Uber-style doctors on demand. Additional key arguments
  include cost savings versus the current method of exchanging information (fax, security,
  high-cost HIPAA-compliant technology solutions) and the inevitable march of healthcare
  payments towards a pay-for-performance basis, which requires coordinated care
• there is one or two payers, to reduce the number of parties from whom we must get
  buy-in
• there is a forward-looking regulator who will provide support if the solution gains traction

Some good candidates for initial communities are ones that have established healthcare
information exchanges, such as the Utah Health Information Network.
For analysis regarding other potential applications of the blockchain, we suggest a similar initial
approach of mapping out the stakeholders in the space and identifying their key behavioral/
financial costs and motivators. A lack of trust across participating parties in each other or one
central entity is a good initial indication that a blockchain may be a workable solution. One
should consider whether the constraints of the application may permit a distributed database
solution without coupling to a proof-of-work requirement. Then, given that any new solution of
these forms often requires system-wide change, one should assess how different parties in the
system are impacted and which parties are likely to provide the primary thrust for adoption.
5 Bibliography
[1] Buterin, Vitalik. "On Public and Private Blockchains." Ethereum Blog. N.p., 07 Aug. 2015. Web. 16 Dec. 2015.
[2] "Change the Default Maximum OP_RETURN Size to 80 Bytes by Flavien · Pull Request #5286 · Bitcoin/bitcoin." GitHub. N.p., n.d. Web. 16 Dec. 2015.
[3] Cordina, Jenny, Rohit Kumar, and Christa Moss. "Debunking Common Myths about Healthcare Consumerism." McKinsey and Co., Dec. 2015. Web. 16 Dec. 2015.
[4] "Health Care Fraud and Abuse." (2009): n. pag. Center for Medicare and Medicaid Services. Web.
[5] "Health Information Privacy." HHS.gov. US Dept of Health and Human Services, n.d. Web. 16 Dec. 2015.
[6] Kessler, Glenn. "How Much Did HealthCare.gov Cost?" Washington Post. The Washington Post, 24 Oct. 2013. Web. 16 Dec. 2015.
[7] Vest, J. R., and L. D. Gamm. "Health Information Exchange: Persistent Challenges and New Strategies." Journal of the American Medical Informatics Association 17.3 (2010): 288-94. Web.
[8] "What Is HIE (Health Information Exchange)?" HealthIT.gov, n.d. Web.
[9] Zyskind, Guy, Oz Nathan, and Alex Pentland. "Enigma: Decentralized Computation Platform with Guaranteed Privacy." (n.d.): n. pag. Web.
6 Appendices
6.1 Appendix A
Blank Scorecard
[Table: blank scorecard. Recoverable text: rows "Costs: Mental/Behavioral" and "Costs: Financial"; benefit question "Does not jeopardize customers or make it easier to switch?"]
6.2 Appendix B
Scorecard for traditional centralized database
[Table: only one cell is recoverable.]
Does not jeopardize customers or make it easier to switch?
  Low: data portability does make it easier for patients to have lower cost to switch to
  another party. Can limit this through agreed-upon rules
6.3 Appendix C
Scorecard for distributed database with history tracking
[Table: only the following Benefits cells are recoverable.]
Benefits
Security of patient record assured?
  High, assuming good implementation
Quality of care is improved, i.e. fewer preventable mistakes?
  High, this should follow naturally from easy access to medical records
Makes fraud more difficult?
  Medium, there is more oversight to changes to medical record but many fraud types are
  still possible
Easy to monitor public health, epidemics, health trends?
  High
Does not jeopardize customers or make it easier to switch?
  Medium, this system would likely make it easier for patients to change providers
6.4 Appendix D
Scorecard for private blockchains
[Table: only one cell is recoverable.]
Does not jeopardize customers or make it easier to switch?
  Low, these blockchains would be managed by individual providers, just as EHR
  databases are now.
6.5 Appendix E
Scorecard for partially open blockchains
[Table: only one cell is recoverable.]
Does not jeopardize customers or make it easier to switch?
  Low: data portability does make it easier for patients to switch to another party
  in the federation. Can limit this through federation agreed-upon rules
6.6 Appendix F
Scorecard for open, public blockchains
We first describe this hypothetical solution in more detail. We are considering an EMR management
system using the Enigma system as a backend. This system is implemented as such:
• Enigma uses a public blockchain to store proofs of correct execution, and an off-chain
  network for accomplishing secure distributed data storage and multiparty computation.
• A patient maintains ownership authority over his or her own medical record.
• In a simpler system (treating this blockchain-based system as a database node), the patient
  can choose to disclose certain elements of their record to a provider or payer on demand,
  and the updated record ends up in the provider/payer system.
• In a more comprehensive system (implementing the entire system in Enigma), the patient
  may also be able to choose to revoke visibility on certain elements of their data. This is hard
  to ensure without regulatory support and careful auditing, and may not actually be practical.
• Enigma charges fees for computation and storage.

[Table: only the following cells are recoverable.]
Questions: Patient controls privacy of record? | Easy and fast to modify records? | Costs are lower, i.e. disease prevention, compliance? | Quality of care is improved?
Does not jeopardize customers or make it easier to switch?
  High, it is likely that an open universal data system will decrease barriers to
  switching providers