The necessity to adopt the Five Rights of Secure Health Data
As attacks ramp up, a new protocol is needed for privacy of patients’ information, and KERI represents a revolutionary step forward.
When it comes to patient safety, we all recognize parts of clinical care — like medicine administration — must be checked every time, without fail. It’s time we treat the safety of healthcare’s data the same way.
Think back for a moment to 2005; you probably remember standing in line for the release of “Revenge of the Sith” while listening to Green Day on your iPod Nano. Despite what your grandma said, you rocked that spiked hair with bleached tips. Oh yeah, and the Department of Defense just put out a report stating 50 percent of patient safety events were the result of medication errors.
In the two decades following that report, health systems significantly de-risked the administration of medications. Barcode-enabled point of care (BPOC) approaches gave hospitals a simple, technology-enabled way to check the Five Rights of Medication Administration every time, without fail.
When a patient is checked in, just slap a barcoded bracelet on their wrist, and let the clinicians scan away! It’s quick, easy and life-saving.
If you’re not familiar with it, the Five Rights of Medication Administration are a set of checks that ensure patient safety. By verifying the five rights before giving a medication, doctors, nurses and pharmacists can — and very often do — successfully avoid catastrophic medication errors. These are:
Because of technology like barcodes, clinicians have an automated way to check all five every time. If a patient's barcode doesn’t match the medication's barcode, no drug is administered until the issue is resolved. One study showed BPOC completely eliminating missed medication doses.
Now, let’s come back to the present day. You just saw Dune 2, you’re already optimizing your Spotify for 2024’s Wrapped, you’ve ditched those sweet bleached tips, and healthcare is still reeling from the latest major data breach.
HHS appears to be seriously considering reinstituting the HIPAA audits as industry luminaries are pushing for “too big to fail” style interventions after the Change Healthcare incident. Which, by the way, is now being called a $100 billion cyberattack. Such attacks increase in both frequency and devastation as bad actors leverage new technologies like AI to supercharge their efforts.
The result is a staggering 133 million medical records breached in 2023, with the prognosis for this year also looking bleak. The costs go beyond the financial, hacker groups have begun extorting patients themselves following breaches by promising to release compromising medical information or selling data on the dark web. One group allegedly posted 2,800 images of breast cancer patients following an attack.
It is clear that healthcare has reached a breaking point, and something’s got to give.
Enter the Five Rights of Secure Data Exchange. We need a simple checklist we can verify every time, before data is exchanged or access is granted.
If any one of these five rights are wrong, the data transaction should be barred. However, healthcare currently does the data-equivalent of barely checking a nurse once when they clock in. If they’re wearing the right badge, they’re never checked again as they administer meds throughout their shift.
It’s actually worse, because in this hypothetical, you at least get an in-person validation that the nurse isn’t being impersonated. No such physical check happens in data exchange. This data security catastrophe happens on the scale of thousands of users, clients, servers and devices in even a modest health system’s infrastructure.
And don’t forget, medication administration’s main problem was mistakes, not malice. But with health data, there are actual nation-states who view U.S. health systems as critical infrastructure targets. The result? Ransomware, HIPAA violations, patient harms, increased costs and damaged reputations. Healthcare desperately needs a BPOC for health data, a mechanism to check the Five Rights of Secure Health Data Exchange on every data flow for every transaction.
The BPOC of Health Data Exchange
Until recently, a BPOC for data that enables healthcare entities to reliably and efficiently verify these five security rights every time simply didn’t exist. But for the past five years, pioneers in the digital trust and identity space have been working on a new, open source protocol with the capacity to fill this need – the Key Event Receipt Infrastructure (KERI).
For the true techno-nerds, you can learn more about KERI here. For everyone else, a simple way to understand KERI for health data is to compare it with the barcodes of medication administration. It provides a simple yet robust way to sign and verify those signatures on both data in motion (active data exchange) and data at rest (stored data). Note that signing here means a “tamper-proof cryptographic seal” rather than a “digitized wet signature” and without that cryptographic signature attesting to all five rights, the transaction is barred.
This process enables healthcare entities to check their “five rights” swiftly and securely, every time. By adopting the Five Rights of Secure Health Data Exchange and employing open-source digital ID technologies (like KERI), healthcare can move to a higher standard of data trust and security.
This is the first article in a series laying the foundation for understanding the crucial role of modern digital ID in secure data exchange for healthcare. Next, we’ll take a deeper dive into each Right of Secure Health Data. Stay tuned for more insights into securing the lifeblood of modern healthcare – it’s data.
Jared Jeffery is an HDM contributor and Philip Feairheller is chief technology officer of healthKERI.