Gary LaFever | May 2, 2016

Blockchain and big data privacy in healthcare

Anonos-BigPrivacy-Article-IAPP-6.pngAs the volume of digital data proliferates in virtually every field, the potential value from analyzing it skyrockets—but so do associated privacy risks.

Methods of privacy protection that were developed years or even decades ago no longer translate well in the age of big data. This is because these older methods either aren’t strong enough at scale (a phenomenon described by “the Mosaic Effect,”) or require a degradation of the quality of the data itself, making it less valuable.

Healthcare – one of the most privacy-sensitive data domains – has a unique set of regulatory requirements related to privacy protections, primarily laid out in the U.S. under the Health Insurance Portability and Accountability Act of 1996. 

Fortunately, new and complementary tools and methods of privacy protection make it possible to simultaneously protect data privacy and accuracy in order to leverage the value of big data in healthcare and also comply with federal and international laws, including HIPAA.

One promising approach is blockchain, which, together with Bitcoin, has garnered much enthusiasm in the financial sector by enabling trusted, auditable transactions using a decentralized network of peers accompanied by a public ledger.

In healthcare, blockchain could provide a secure yet transparent record of who has shared health data with whom, while protecting the details of the data itself.  While this is undoubtedly a valuable piece of the privacy puzzle, blockchain is premised on mathematically derived pseudonyms for distributed ledger verification and the HIPAA Privacy Rule prohibits use of mathematically-derived pseudonyms because of potential re-identification of de-identified protected health information (PHI). This limitation on the use of mathematically-derived pseudonyms as re-identification codes for de-identified information effectively makes blockchain non-HIPAA compliant (Page 53233).

Similar issues have been raised about the use of blockchain to support more accurate ratings for e-commerce and travel sites and for individuals such as teachers, doctors, landlords, colleagues, and police officers due to potential threats to anonymity and privacy online.  The potentially irreversible nature of such distributed blockchain “trust” systems also raise concerns about undermining an individual’s right to be forgotten.

One solution to address blockchain’s challenge in healthcare (non-compliance with HIPAA), is to combine blockchain with Dynamic Data Obscurity to support non-mathematically derived dynamically anonymous identifiers to address HIPAA compliance issues, overcome the Mosaic Effect, and enable granular privacy controls.

Last year, I wrote that Dynamic Data Obscurity can support ‘proportional’ use of data in a manner that is responsive to the variety and complexity of different, potential uses of data. Specifically, dynamic de-identification can reveal different levels and type of information to the same and/or different parties at different times, for different purposes, at different places – with respect to each, only as necessary for each proposed use of data. By combining blockchain and Dynamic Data Obscurity, it would be possible to support de-identification requirements under the HIPAA Privacy Rule.

Potential benefits from blockchain applications in healthcare, such as those set forth below, depend on concerns over, and regulatory requirements for, maintaining privacy and security of sensitive data (e.g., Protected Health Information in the U.S. and personal data in the EU) first being resolved: 

  • Introducing efficiency and transparency into the heavily siloed healthcare industry by enabling governmental agencies, insurance companies, hospitals, doctors, clinics, and patients to use a common blockchain;
  • Allowing health providers to share networks without compromising data privacy, security, or integrity;
  • Managing the lifecycle of patient records via blockchain; and
  • Streamlining the lifecycle of medical bills via blockchain.

The synergy between blockchain and Dynamic Data Obscurity can hopefully serve as an example of technologists rising to the challenge laid down by former U.S. FTC Commissioner Julie Brill in her 2013 speech on the role they can play in protecting privacy. "This is your 'call to arms,' – or perhaps, given who you are, your 'call to keyboard,'" she proclaimed, "to help create technological solutions to some of the most vexing privacy problems presented by big data."

This article originally appeared in IAPP.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.


Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.