The hacker collective known as the Dark Overlord first surfaced in June 2016, when it advertised more than 600,000 patient files from three U.S. healthcare organizations for sale on the dark web. The group, which also attempted to extort ransom from its victims, soon offered another 9 million records pilfered from health insurance companies and provider networks across the country.
Last October, apparently seeking publicity as well as cash, the hackers stole a trove of potentially scandalous data from a celebrity plastic surgery clinic in London—including photos of in-progress genitalia- and breast-enhancement surgeries. "We have TBs [terabytes] of this shit. Databases, names, everything," a gang representative told a reporter. "There are some royal families in here."
Bandits like these are prowling healthcare's digital highways in growing numbers. Since 2009, federal regulators have counted nearly 5,000 major data breaches in the United States alone, affecting some 260 million individuals. Although hacker incidents represent less than 20 percent of the total breaches, they account for almost 80 percent of the affected patients. Such attacks expose patients to potential blackmail or identity theft, enable criminals to commit medical fraud or file false tax returns, and may even allow hostile state actors to sabotage electric grids or other infrastructure by e-mailing employees malware disguised as medical notices. According to the consulting agency Accenture, data theft will cost the healthcare industry $305 billion between 2015 and 2019, with annual totals doubling from $40 billion to $80 billion.
One possible solution to this crisis involves radically retooling the way healthcare data is stored and shared—by using blockchain, the still-emerging information technology that underlies cryptocurrencies such as Bitcoin. And blockchain-enabled IT systems, boosters say, could do much more than prevent the theft of medical data. Such networks could revolutionize healthcare delivery on many levels, creating efficiencies that would reduce medical errors, improve coordination between providers, drive down costs, and give researchers unprecedented insights into patterns of disease. Perhaps most transformative, blockchain could put patients in control of their own data, empowering them to access, share, and even sell their medical information as they see fit. Widespread adoption could result in "a new kind of healthcare economy, in which data and services are quantifiable and exchangeable, with strong guarantees around both the security and privacy of sensitive information," wrote W. Brian Smith, chief scientist of healthcare-blockchain startup PokitDok, in a recent white paper.
Around the world, entrepreneurs, corporations, and government agencies are hopping aboard the blockchain train. A survey by the IBM Institute for Business Value, released in late 2016, found that 16 percent of healthcare executives in 16 countries planned to begin implementing some form of the technology in the coming year; 90 percent planned to launch a pilot program in the next two years. In 2017, Estonia became the first country to switch its medical-records system to a blockchain-based framework. Great Britain and Dubai are exploring a similar move. Yet in countries with more fragmented health systems, most notably the U.S., the challenges remain formidable. Some of the most advanced healthcare applications envisioned for blockchain, moreover, raise technological and ethical questions whose answers may not arrive anytime soon.
What Exactly Is Blockchain, Anyway?
To understand the buzz around blockchain, it's necessary to grasp (at least loosely) how the technology works. Ordinary digital recordkeeping systems rely on a central administrator that acts as gatekeeper to a treasury of data; if you can sneak past the guard, you can often gain access to the entire hoard, and your intrusion may go undetected indefinitely. Blockchain, by contrast, employs a network of synchronized, replicated databases. Information is scattered among these nodes, rather than on a single server, and is exchanged through encrypted, peer-to-peer pathways. Each transaction is visible to every computer on the network, and must be approved by a majority in order to be successfully completed. Each batch of transactions, or "block," is date- and time-stamped, marked with the user's identity, and given a cryptographic code, which is posted to every node. These blocks form a "chain," preserved in an electronic ledger, that can be read by all users but can't be edited. Any unauthorized access, or attempt at tampering, can be quickly neutralized by these overlapping safeguards. Even if a hacker managed to break into the system, penetrating deeply would be extraordinarily difficult.
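The tamper evidence described above, as an added example (not code from the article or from any system it names): each block commits to the hash of its predecessor, and replicas compare chain tips. The node names, record strings and strict-majority rule are constructed assumptions.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def block_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, author, timestamp, transactions):
    # Each block commits to its predecessor's hash, which is what forms the chain.
    body = {"timestamp": timestamp, "author": author, "transactions": transactions,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    chain.append({**body, "hash": block_hash(body)})

def first_invalid_block(chain):
    # Index of the first block whose hash or back-link fails, or None if intact.
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["prev_hash"] != prev or block_hash(body) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def dissenting_nodes(replicas):
    # Nodes whose chain tip differs from the tip held by a strict majority.
    tips = {name: chain[-1]["hash"] for name, chain in replicas.items()}
    tip, votes = Counter(tips.values()).most_common(1)[0]
    if votes * 2 <= len(tips):
        raise ValueError("no majority agreement on chain tip")
    return sorted(n for n, t in tips.items() if t != tip)

def demo():
    ledger = []  # constructed sample data: fictional record events
    append_block(ledger, "clinic-a", "2018-03-01T09:00:00Z", ["patient-17: MRI uploaded"])
    append_block(ledger, "pharmacy-b", "2018-03-01T11:30:00Z", ["patient-17: Rx filled"])
    replicas = {n: json.loads(json.dumps(ledger)) for n in ("node1", "node2", "node3")}
    # Block 0 is rewritten on node2 only; its stored hash no longer matches.
    replicas["node2"][0]["transactions"] = ["patient-17: no MRI on file"]
    naive = first_invalid_block(replicas["node2"])
    # Recomputing every hash makes node2 self-consistent, but its tip now differs.
    forged = []
    for b in replicas["node2"]:
        append_block(forged, b["author"], b["timestamp"], b["transactions"])
    replicas["node2"] = forged
    return naive, first_invalid_block(forged), dissenting_nodes(replicas)

print(demo())
```

The chain makes edits detectable; it does not hide block contents from anyone who holds a copy, so confidentiality of the records has to come from encryption or from keeping the data off the ledger.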
Because blockchain technology shares transaction records throughout a network, it could eliminate communication bottlenecks between different components of the healthcare system (primary care physicians, specialists, nurses, and so on). And because blockchain-based systems are designed to incorporate programs known as "smart contracts," which automate functions previously requiring human intervention, they could reduce dangerous slipups as well as tedious and costly paperwork. For example, when a patient gets a checkup, sees a specialist, and fills a prescription, all these actions could be automatically recorded on his or her electronic health record (EHR), checked for errors, submitted for billing, and entered on insurance claims—which could be adjudicated and reimbursed automatically as well. "Blockchain has the potential to remove a lot of intermediaries from existing workflows, whether digital or nondigital," says Kamaljit Behera, an industry analyst for the consulting firm Frost & Sullivan.
The possible upsides don't end there. By creating a detailed, comprehensive, and immutable timeline of medical transactions, blockchain-based recordkeeping could help providers gauge a patient's long-term health patterns in a way that's never before been possible. In addition to data entered by their caregivers, individuals could use app-based technologies or wearables to transmit other information to their records, such as diet, exercise, and sleep patterns, adding new depth to their medical portraits.
Smart contracts could also allow patients to specify who has access to their data. "If you get an MRI and want your orthopedist to see it, you can add him to your network instead of carrying a CD into his office," explains Andrew Lippman, associate director of the MIT Media Lab, who helped create a prototype healthcare blockchain system called MedRec that's currently being tested at Beth Israel Deaconess Hospital in Boston. "Or you might make a smart contract to allow your son or daughter to access your healthcare records if something happens to you." Another option: permitting researchers to analyze your data for scientific purposes, whether anonymously or with your name attached.
The Recent History, and Looking Ahead
Over the past two years, a crowd of startups has begun vying for a piece of the emerging healthcare blockchain market. Some, like PokitDok and Atlanta-based Patientory, plan to mint proprietary cryptocurrencies, which investors can buy in lieu of stock, medical providers may earn as a reward for achieving better outcomes, and patients might score for meeting wellness goals or participating in clinical trials. (Patientory's initial coin offering, or ICO, raised more than $7 million in three days.) Several fledgling healthcare-blockchain companies have found powerful corporate partners: Intel for Silicon Valley's PokitDok, Kaiser Permanente for Patientory, Philips for Los Angeles-based Gem Health. At least one established provider network, Change Healthcare, is developing blockchain-based systems of its own. Two months ago, Change launched what it calls the first "enterprise-scale" blockchain network in U.S. healthcare—a system to track insurance claim submissions and remittances.
No one, however, has set a roll-out date for a full-blown, blockchain-based EHR system in this country. "We have yet to see anything move from the pilot phase to some kind of production status," says Debbie Bucci, an IT architect in the federal government's Office of the National Coordinator for Health Information Technology. Indeed, many experts expect healthcare blockchain to take root more slowly here than in nations with government-run national health services. In America, a typical patient may have dealings with a family doctor who keeps everything on paper, an assortment of hospitals that use different EHR systems, and an insurer whose system for processing claims is separate from that of the healthcare providers. To help bridge these gaps, a consortium called the Hyperledger Healthcare Working Group (which includes many of the leading players in the field) is developing standard protocols for blockchain interoperability and other functions. Adding to the complexity is the federal Health Insurance Portability and Accountability Act (HIPAA), which governs who can access patient data and under what circumstances. "Healthcare blockchain is in a very nascent stage," says Behera. "Coming up with regulations and other guidelines, and achieving large-scale implementation, will take some time."
How long? Behera, like other analysts, estimates that relatively simple applications, such as revenue-cycle management systems, could become commonplace in the next five years. More ambitious efforts might reach fruition in a decade or so. But once the infrastructure for healthcare blockchain is fully established, its uses could go far beyond keeping better EHRs.
A handful of scientists and entrepreneurs are already working to develop one visionary application: managing genomic data. Last month, Harvard University geneticist George Church—one of the most influential figures in his discipline—launched a business called Nebula Genomics. It aims to set up an exchange in which individuals can use "Neptune tokens" to purchase DNA sequencing, which will be stored in the company's blockchain-based system; research groups will be able to pay clients for their data using the same cryptocurrency. Luna DNA, founded by a team of biotech veterans in San Diego, plans a similar service, as does a Moscow-based startup called the Zenome Project.
Hossein Rahnama, CEO of the mobile-tech company Flybits and director of research at the Ryerson Centre for Cloud and Context-Aware Computing in Toronto, envisions a more personalized way of sharing genomic data via blockchain. His firm is working with a U.S. insurance company to develop a service that would allow clients in their 20s and 30s to connect with people in their 70s or 80s with similar genomes. The young clients would learn how the elders' lifestyle choices had influenced their health, so that they could modify their own habits accordingly. "It's intergenerational wisdom-sharing," explains Rahnama, who is 38. "I would actually pay to be a part of that network."
The ethical implications of buying and selling personal genomic data in an electronic marketplace are doubtless open to debate. Such commerce could greatly expand the pool of subjects for research in many areas of medicine, enabling the kinds of breakthroughs that only Big Data can provide. Yet it could also lead millions to surrender the most private information of all—the secrets of their cells—to buyers with less benign intentions. The Dark Overlord, one might argue, could not hope for a more satisfying victory.
These scenarios, however, are pure conjecture. After the first web page was posted, in 1991, Lippman observes, "a whole universe developed that you couldn't have imagined on Day 1." The same, he adds, is likely true for healthcare blockchain. "Our vision is to make medical records useful for you and for society, and to give you more control over your own identity. Time will tell."