Cybercriminals have a number of options for purchasing the personal data they need to really ruin someone’s financial life. Obviously, they need a Social Security number. Date of birth, current address, and a credit card number or two are no-brainers. Many novice identity thieves make a common mistake when they’re starting out, buying this data piecemeal on the black market. But there’s a better way! They can get all of the data they need bundled together in one convenient package: medical records.
Medical records have been called the “holy grail” for cybercriminals because they contain a person’s name, address, date of birth, and Social Security number in a single record, making identity theft far easier than any of us would like to realize. So it’s not surprising that medical records fetch 10x the price of credit card numbers. The illicit demand for stolen medical data is on the rise, with the situation likely to get worse before it gets better.
Data security is already a mess in the U.S., as the Equifax breach demonstrated in 2017. That attack left more than 145 million Americans vulnerable to identity theft after their Social Security numbers were exposed in the breach. Those 10 digits have become the keys to our financial identities, but 81 years since the first SSNs were issued, their utility in the digital age has become questionable. We need a more secure way to protect our digital data, and blockchain technology may well provide the answer.
Why the premium on medical data?
Medical data is a lucrative haul for would-be criminals, particularly because the theft goes undetected for longer periods than in other crimes. People check their credit card balances more often than they review their medical files and insurance records, so they’re likely to spot a suspicious purchase much quicker than a false insurance claim. This buys hackers time to not only sell the data but use it to schedule medical procedures, purchase prescription drugs, or exploit the information in other ways.
Once victims realize what’s happened, coping with the theft can be arduous. With credit card theft, they can simply call and cancel the card, and they’ll have a new one within a few days. But the damage from medical data theft is more sinister, as criminals can use the information included to file false tax returns as well. Although careful, consistent monitoring of your accounts can help you protect your identity and catch suspicious activity early, there’s not a lot you can do to prevent the types of widespread hacks that have plagued hospitals and medical providers in recent years.
A substantial shift in how both governments and healthcare providers use cybersecurity defense technologies is long overdue, as evidenced by the WannaCry ransomware attack that struck the U.K.’s National Health Service. The country’s own National Audit Office said the attack could have been prevented if the NHS had followed standard security best practices. The fact that a leading national health system could be crippled by what experts described as a “relatively unsophisticated attack” indicates just how fragile our most important data systems are around the globe.
When electronic isn’t everything
Security isn’t the only challenge when it comes to electronic medical records. Tom Price, the former U.S. Secretary of Health and Human Services, lamented earlier this year that, “We’ve turned physicians into data entry clerks.” Some doctors say that having to navigate electronic health records systems detracts from the quality of their patient interactions. Rather than having conversations about a patient’s symptoms, they’re concerned with whether they’re documenting the visit properly, which weakens the doctor-patient relationship and leads to inferior care. A 2016 study showed that physicians spend half their time consumed with desk work and electronic health records and only 27 percent actually attending to patients. The Mayo Clinic even found that the work burdens created by electronic records systems contributed to increased risk of physician burnout.
Accessing your medical records as a patient isn’t exactly a walk in the park, either. Once you submit a request to your doctor, it can take 30 days to receive the information, and you may have to provide a written statement asking for the records. If you want to change incorrect information, the provider may charge you. While we want some level of security when it comes to accessing medical records, submitting a written request and waiting 30 days to see our own information seems a bit outdated, to say the least, especially in an era in which we can transfer money, book flights, and even schedule doctor appointments directly from our phones.
Online portals allow a bit more flexibility and immediacy when we want to review test results or physician’s notes, but it’s cumbersome to have to log into different portals for every provider we visit. Someone who sees several specialists is often tasked with obtaining their medical records to ensure that each doctor has access to the same information, and even then, there is no guarantee of a cohesive care plan. There’s also little transparency as to who can see sensitive medical data, leaving patients disempowered.
What would a blockchain health record solution look like?
Blockchain could be a potent antidote to what ails existing electronic health record (EHR) systems. Medical data stored on a specially designed blockchain could be encrypted so that a patient’s private key is required for access. This would make medical data less vulnerable to cyberattacks, as would the distributed structure of the blockchain. Because each block in the chain is linked to the one before it, attackers can’t simply tamper with one piece of the data or hide what they’re doing.
A blockchain-based EHR system would also put power in the hands of the patients, something demonstrated by researchers at Beth Israel Deaconess Medical Center in Boston. Their team engineered a proof-of-concept system that showed promising results. Writing in Harvard Business Review about the power of blockchain to transform EHR, the team outlined how their system works:
Imagine that every EHR sent updates about medications, problems, and allergy lists to an open-source, community-wide trusted ledger, so additions and subtractions to the medical record were well understood and auditable across organizations. Instead of just displaying data from a single database, the EHR could display data from every database referenced in the ledger. The end result would be perfectly reconciled community-wide information about you, with guaranteed integrity from the point of data generation to the point of use, without manual human intervention.
Importantly, the system shifts the control of medical records from institutions to the patients themselves:
It stores a signature of the record on a blockchain and notifies the patient, who is ultimately in control of where that record can travel. The signature assures that an unaltered copy of the record is obtained.
Under this scenario, all of a patient’s doctors and caregivers would access the same, up-to-date information. With less recordkeeping burden, doctors would spend more time engaging with patients, ostensibly leading to an increase in the quality of care.
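The ledger idea described above, a chain of linked blocks that stores only a signature of each record so that a copy can be checked for alteration, can be sketched in a few lines. This is an added example, not code from the Beth Israel Deaconess proof of concept; it assumes a SHA-256 fingerprint stands in for the “signature,” and the record fields and function names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed predecessor value for the first block

# Constructed sample records (not real patient data).
ALLERGIES = {"patient": "P-0001", "allergies": ["penicillin"]}
MEDS = {"patient": "P-0001", "medications": ["lisinopril 10 mg"]}

def fingerprint(record):
    # SHA-256 over canonical JSON; an assumed stand-in for the "signature".
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def block_hash(block):
    # Hash every field of a block except its own "hash" field.
    return fingerprint({k: v for k, v in block.items() if k != "hash"})

def append_entry(ledger, record_id, record):
    # The ledger holds only the fingerprint, never the record itself.
    block = {
        "index": len(ledger),
        "record_id": record_id,
        "record_fp": fingerprint(record),
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    block["hash"] = block_hash(block)
    ledger.append(block)
    return block

def chain_is_intact(ledger):
    # Recompute every block hash and check each link to its predecessor.
    prev = GENESIS
    for i, block in enumerate(ledger):
        links_ok = block["index"] == i and block["prev_hash"] == prev
        if not links_ok or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def copy_is_unaltered(ledger, record_id, copy):
    # A copy is trusted only if the chain verifies and the copy's
    # fingerprint matches the latest ledger entry for that record.
    if not chain_is_intact(ledger):
        return False
    entries = [b for b in ledger if b["record_id"] == record_id]
    return bool(entries) and entries[-1]["record_fp"] == fingerprint(copy)
```

Editing an earlier block, even with its own hash recomputed, breaks the link stored in the next block, which is why a change cannot be hidden without rewriting everything after it.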
Improving cybersecurity in general, and the security of medical data in particular, is an urgent concern. With advances in artificial intelligence giving hackers better tools to commit cybercrimes, the future is one of more and more cyberattack attempts around the globe. We can’t stop hackers from pursuing valuable data like medical records, but we can make that data harder for them to steal, and blockchain could be an important tool in that fight.