Medical Data Protection: Empowering a Privacy-driven Future With Web 3

by Denys Tsvaig, December 21st, 2023

Medical data is very sensitive, especially when it comes to personal records. This data is already in the possession of various organizations: pharmaceutical enterprises, medical institutions, tech companies, etc. It is also often found in 'free' circulation on the black market. In fact, the medical data market was estimated at USD 32.9 billion in 2021 and is expected to reach USD 105.73 billion by 2030. At the same time, in 2021, 45 million individuals became victims of healthcare data attacks, while a single medical record can go for up to $1,000 on the black market.


Nowadays, a person does not control their medical data. However, being a blockchain enthusiast since 2013, I believe that Web 3.0 can create a privacy-driven future while ensuring compliance with legal frameworks and robust security standards in healthcare.


Let’s imagine a blockchain network, or maybe a decentralized application (dApp), that ensures maximum patient awareness of and participation in how their data is used and depersonalized, and that secures data flows throughout the entire ecosystem.

How should it work?

The test of law: GDPR and HIPAA

Under GDPR, health data is a special category of personal data that can be shared only upon the data owner's consent. Following this standard means that users provide explicit consent when filling in their personal and health data to the dApp.


In addition, synchronization of medical records from MIS and other data providers should start only upon the user's request, so that those providers synchronize the records belonging to the user with their health card. Let’s name it medical ID for the sake of thematic consistency.


Lastly, for the purposes of distribution within the system, the data should be depersonalized, thus making it impossible to identify the person. This is the core requirement HIPAA stipulates for protecting medical data.


To achieve this, all data in our assumed ecosystem should be encrypted and stored in a decentralized network. The system should comply with the Data Protection Law, GDPR, HIPAA, and the Data Protection Act to ensure that the information attached to the patient’s unique ID is depersonalized and always remains anonymous.
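One way to depersonalize a record before it enters a shared pool, following the HIPAA Safe Harbor approach of dropping direct identifiers and generalizing dates, ZIP codes and high ages. This is an added example, not DeHealth's code; the field names, the secret, the sparse ZIP prefix set and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Fields dropped outright: direct identifiers (a subset of the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "ssn"}

def pseudonym(medical_id: str, secret: bytes) -> str:
    """Keyed hash of the medical ID: stable per patient, but not recomputable
    without the secret (an unkeyed hash of a short ID can be brute-forced)."""
    return hmac.new(secret, medical_id.encode(), hashlib.sha256).hexdigest()[:32]

def depersonalize(record: dict, secret: bytes, as_of_year: int,
                  sparse_zip3: frozenset = frozenset()) -> dict:
    """Return a copy of `record` that is safe to place in a shared data pool."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                # stays in the patient's profile
        if field == "medical_id":
            out["subject"] = pseudonym(value, secret)
        elif field == "birth_date":                 # ISO date, e.g. 1984-03-17
            year = int(value[:4])
            # Ages of 90 and over are pooled; the year difference errs on the safe side.
            out["birth_year"] = "90+" if as_of_year - year >= 90 else year
        elif field == "zip":
            zip3 = value[:3]
            # Three-digit prefixes covering few residents are replaced by 000.
            out["zip3"] = "000" if zip3 in sparse_zip3 else zip3
        elif field == "visit_date":
            out["visit_year"] = int(value[:4])      # dates are reduced to the year
        else:
            out[field] = value                      # clinical payload is kept
    return out

# Constructed sample record and secret, for illustration only.
SECRET = b"constructed-demo-secret"
SAMPLE = {
    "medical_id": "MID-000123", "name": "Jane Example", "email": "jane@example.org",
    "birth_date": "1931-05-02", "zip": "03601", "visit_date": "2023-11-09",
    "diagnosis_code": "E11.9", "hba1c_percent": 7.2,
}

if __name__ == "__main__":
    print(depersonalize(SAMPLE, SECRET, as_of_year=2023,
                        sparse_zip3=frozenset({"036"})))
```

The secret used for the pseudonym has to stay with the party that holds the identified records, otherwise anyone holding a list of medical IDs can rebuild the mapping.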

Going the extra mile with Blockchain

Web 3.0 makes it possible to secure medical data and enhance individual protection to a higher level while providing even more power (and ultimately benefit) to the owners of that medical data.


As I already mentioned, the medical data market is huge. Data is used, for example, by big pharma enterprises to accelerate medical research, develop effective drug compositions, and improve healthcare outcomes. But the true owners of those healthcare records - ordinary people, not doctors, clinics, or labs as we used to assume - still don’t earn from selling their depersonalized medical data for further processing by the healthcare industry.


What if patients finally get complete control of their personal medical data in terms of privacy, as well as remuneration for every instance when it’s being anonymously used, while always having the opportunity to turn off access or delete data that is no longer relevant?


This approach to medical data sharing can radically change the current paradigm.

1. Blockchain & security

An eligible medical blockchain ecosystem should provide market-specific advancements in the healthcare industry's security, traceability, and data processing. Thus, it has to apply a multi-layered approach that focuses on preventing attacks and mitigating the effect of ransomware.


The first level of security should be applied during input data validation. The second level should encrypt the data using top-tier banking-grade encryption methods to prevent unauthorized access. Lastly, data should be recorded in the blockchain network, making it immutable and secure. A private blockchain structure with a Proof-of-Authority consensus mechanism is preferable to protect the network from any external threats, and all the nodes should run internally on secure server networks.

2. Transparent data flow and architecture

How should the ecosystem be designed to ensure that all the participants - patients and healthcare providers - operate fairly and transparently while enjoying the benefits of the Web 3.0 data economy?


It all could start when the person is registered and a profile that serves as their 'digital international health passport' is created. This would be a unique user identifier through which all their medical data is available anywhere in the world.


DeHealth Security Pillars


Personal data should remain encrypted and never be shared or seen by any network participant besides the patients. The addition of verified medical data from medical institutions (labs, hospitals, etc.) can be initiated by the patient through the API.


Once this has been established, verified medical data may be included in the 'marketplace' upon the patient’s request within the network, where this data is filtered by profile, characteristics, and type and is added to the corresponding data pool. As medical and lifestyle data would be encrypted using a private key, the patient would have the option to sell all of his or her depersonalized medical or lifestyle data or selected parts.

3. Making data owners part of the equation

Now, it would look like individuals are the true owners of their data and properly compensated for its usage. In such an ecosystem, each time any data buyer - pharmaceutical enterprise, insurance company, research institution, etc. - would request the data they need, they would pay for it in nominal ‘currency,’ or for example, in native tokens, and part of this payment would go to the patient as royalty. Moreover, those earned tokens could be used within the ecosystem or withdrawn to a bank card.


Explicit patient consent should be the pillar of the security architecture. To synchronize their data from MIS, a clinic, lab, or any other provider of healthcare records to ‘medical ID’, patients should request MIS to deliver that data via an API connection. This connection should be implemented via a secure IPsec channel, and the data packets should be authenticated and encrypted in HL7 format by the SHA-256 algorithm. Health Level Seven (HL7) is a standard that defines a format for transmitting health-related information. At the same time, Secure Hash Algorithm 256 (SHA-256) encrypts the transferred data by transforming it into a secure unreadable format.
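A sketch of the authentication step for an HL7 message on a patient-requested sync, as an added example that is not DeHealth's code. SHA-256 is a one-way hash, so here it supplies integrity and origin authentication as HMAC-SHA-256, while confidentiality is left to the IPsec channel's cipher; the shared key, the function names and the sample HL7 v2 message are assumptions constructed for illustration.

```python
import hashlib
import hmac

def canonical(hl7: str) -> bytes:
    """HL7 v2 ends each segment with a carriage return; normalise line endings
    so that sender and receiver compute the tag over identical bytes."""
    text = hl7.replace("\r\n", "\r").replace("\n", "\r")
    return "\r".join(s for s in text.split("\r") if s).encode("utf-8")

def seal(hl7: str, key: bytes) -> str:
    """Sender side: HMAC-SHA-256 tag. A bare SHA-256 digest would not do,
    since anyone who alters the message can recompute it."""
    return hmac.new(key, canonical(hl7), hashlib.sha256).hexdigest()

def patient_id(hl7: str) -> str:
    """First component of PID-3, the patient identifier list."""
    for segment in canonical(hl7).decode("utf-8").split("\r"):
        fields = segment.split("|")
        if fields[0] == "PID" and len(fields) > 3:
            return fields[3].split("^")[0]
    raise ValueError("message has no usable PID segment")

def accept(hl7: str, tag: str, key: bytes, requested_by: str) -> bool:
    """Receiver side: the message must be unmodified AND concern the patient
    who requested the synchronisation."""
    if not hmac.compare_digest(seal(hl7, key), tag):
        return False
    return patient_id(hl7) == requested_by

# Constructed key and HL7 v2 lab result, for illustration only.
KEY = b"constructed-shared-key"
SAMPLE = "\r".join([
    "MSH|^~\\&|LAB_MIS|CLINIC|MEDICAL_ID|DAPP|20231109120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||MID-000123^^^CLINIC",
    "OBX|1|NM|HBA1C^Hemoglobin A1c||7.2|%|4.0-5.6|H|||F",
])

if __name__ == "__main__":
    tag = seal(SAMPLE, KEY)
    tampered = SAMPLE.replace("|7.2|", "|5.2|")
    print("original accepted:", accept(SAMPLE, tag, KEY, "MID-000123"))
    print("tampered accepted:", accept(tampered, tag, KEY, "MID-000123"))
    print("other patient accepted:", accept(SAMPLE, tag, KEY, "MID-999999"))
```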


This described approach would let individuals - like you and me - share their data and know exactly how it's used. In addition, we would be able to revoke the data we share at any time. Finally, and most importantly, we would never use our data — only depersonalized records would appear in datasets.


Utopia? Nope. This is what we have already implemented in DeHealth, paving the way for developing the radically new Web 3.0 Medical Data Economy.