Why there’s potential to use decentralized identity in healthcare
As data exchange grows in healthcare, it’s important to understand the shift to decentralized identity systems for enhanced security, privacy and efficiency.
Our last article delved deep into the double-edged nature of artificial intelligence tools. On the one hand, tools like ChatGPT offer ridiculous ease and efficiency, supercharging productivity for many. On the other hand, these same advancements empower bad actors by magnifying their ability to wreak havoc by easily compromising identities and credentials.
So the question is, what’s the fix for healthcare’s security problem?
To get to the answer, it’s important to understand that cyberattacks aren’t the problem – they’re the symptom. When Meaningful Use accelerated healthcare’s march into digitization, the industry took on not only the benefits, but the chronic conditions of the digital environment. Like a donor-acquired infection, adopting a digital infrastructure brought all the risks of the Internet with it.
The root cause of healthcare’s cybersecurity problem is an inherited condition that’s long been endemic across the web.
The problem is digital ID
The healthcare industry suffers from insecure digital identity. Whether we’re talking about a person, organization, server, or app, everything we interact with digitally presents an identity to us. These identifiers are the foundation of our ability to transact online. And to date, we’ve lacked the tools to solve digital identity’s veracity problem.
To put it simply, when you’re trying to log into any website there is an exchange of identity that takes place. Your computer checks that the website is actually the site it claims to be — typically through a third party attestation from a certificate authority (CA). Then, the site tries to verify your identity, either through a username and password, or by punting the identity question entirely to a third party or a centralized identity provider.
Most of us – often without realizing – have anchored our digital identities to centralized systems. Every time we opt to "Login with Google" or "Sign Up with Facebook," we're handing over a piece of our digital autonomy to these tech giants. And centralized identity systems, despite their convenience, are plagued with vulnerabilities.
This, coupled with the fact that breaching just one of these centralized systems gives access to thousands upon thousands of records, means they become treasure troves for hackers.
But what if you could self-certify your identity online, without relying on third parties and exceed “industry standard” security? Decentralized identity presents a novel approach to self-certification, with the potential to reshape online trust and data exchange.
The decentralized identity approach
The term decentralized identity (DID) might seem to be a bit of an oxymoron at first. After all, we're conditioned to associate identity with something centralized, be it a passport issued by a country or a username and password managed by Google.
Decentralized identity seeks to return control of identity data back to the individual or organization. Instead of relying on a third-party authority or intermediary to assert identity, a decentralized system empowers entities to control their own identity without the need for outside verification at every step.
Most importantly, decentralized ID solutions enable efforts to strongly tie actors to actions via digital signatures (which will be discussed in the final article of the series).
The spectrum of decentralizing technologies
While decentralized identity sounds futuristic, it's rooted in a combination of technological advancements that are both new and old.
The foundation of decentralized ID was introduced in 1976 when Whitfield Diffie and Martin Hellman introduced the world to public and private key infrastructure (PKI).
However, it wasn’t until recently, with the advent of technologies such as blockchain, KERI, W3C and others, that the promise of DID has begun to be realized. A couple of examples include:
Blockchain: A distributed ledger technology based on cryptography, where identity events are chronologically recorded. Blockchain adherents tout the technology for its transparency, immutability and ability to operate without a single central authority, using the ledger for authority instead. Despite its correlation with the alternative currency world, blockchain itself has already begun to be implemented in healthcare with groups like UCLA and their Bruinchain.
Key event receipt infrastructure (KERI): A unique, non-blockchain approach that hinges on a sign-everything methodology for each identifier. It ensures global uniqueness without the need for global consensus and operates without being tied to any specific blockchain or authority. KERI provides for self-certifying, end-verifiable identities without requiring everyone to be on the same distributed ledger. A great example of KERI in the wild would be GLEIF’s vLEI that creates a digital version of the long-standing Legal Entity Identifier (LEI).
Technologies like these and others, underpin decentralized identity, offering a new way to secure, validate and share identity, without relying on an outside centralized validator.
Benefits of decentralized identity in healthcare
In healthcare, PHI is sensitive and extremely valuable. Medical record information often sells for 10 to 40 times that of a compromised credit card number on the black market. The adoption of decentralized identity could usher in revolutionary improvements. These include:
- • Security. Healthcare institutions often maintain centralized databases that contain sensitive patient information, from medical histories to genetic data. Such treasure troves become prime targets for cyberattacks. By shifting to a decentralized identity model, the need to store large amounts of comprehensive data in a central repository is eliminated, vastly decreasing the risk of massive data breaches and ensuring the safety of patient data.
The real security win for healthcare isn’t cyber-perfection – it just does a better job of removing the incentives that drive bad actors. Break up the treasure troves of data, and the incentives to attack evaporate. - • Privacy and patient advocacy. Patients frequently voice concerns about who has access to their medical records. A self-sovereign approach to identity puts patients in control of their data. For instance, they could choose to share only specific medical conditions with certain specialists rather than granting blanket access to their entire medical history. This would help preserve privacy and reduce the vulnerability to the patient in the event of their data being breached.
- • Interoperability. Today’s care involves multiple people in the care team, from primary care doctors to specialists, labs and pharmacies. Decentralizing identities enables seamless sharing of necessary medical data across these providers without compromising privacy. No more repeated tests and paperwork – every provider would have the information they need, when they need it.
- • Reduced dependence. By eliminating third-party intermediaries in data verification, patients and providers can establish direct trust. This is especially critical in emergencies, where rapid access to accurate medical information can save lives. Think about the absolute data-chaos of 2020, which saw some states — like Alaska —needing to call in the National Guard to do data entry across multiple disconnected systems.
- Integrating decentralized identity into the healthcare sector could not only streamline administrative processes but also enhance the quality of care and patient trust.
Challenges for decentralized ID in healthcare
While there’s a compelling case for decentralized ID in healthcare, translating the technology from vision to reality means navigating a maze of challenges, both technical and cultural. A short list of some of the considerations include the following:
Rip and replace vs. incremental gains. Healthcare data exchange is already occurring today, and that makes current approaches unique because there’s little opportunity to stop the data flow to update technologies. Downtime is a primary metric of success or failure. The correct way to implement DID, then, is through incremental steps across time to reduce downtime in mission-critical systems.
Global standards. Health regulations vary across countries. A decentralized ID system must be flexible enough to cater to different regulatory environments. A successful system must rely on open-source, open-protocol and non-jurisdictional technologies. Proprietary technology is antithetical to decentralized systems.
Key management. Cryptographic key management is at the root of decentralized identity. Today, this onerous task is shouldered by chief information security officers and their teams, alongside fees paid out to third parties to hold cryptographic keys in trust, which is less secure. As we move control of these keys to the actual users, or “to the edge,” key loss or compromise is an issue to be addressed.
The path forward for digital identity
The emergence of decentralized systems offers a glimpse into a future, where healthcare’s data no longer has the allure of a quick payday for bad actors. The healthcare industry, with its complexities and need for trust and privacy, stands at the forefront of this transformative wave.
The marriage of healthcare’s data and next-generation identity solutions is not a question of "if" but "when." Stakeholders — from technology innovators to healthcare professionals, regulators to patients themselves — have already begun to collaborate and create a future where healthcare is secure, patient-centric and seamlessly efficient. The next article in this series will discuss the gains being made across industries to find and leverage decentralized solutions to the web’s authenticity problem.