Distributed Ledger Technology (DLT) for privacy, security and ownership of medical data

Project description

We implicitly "trust" that our medical data is securely held and our privacy is ensured by the centralised authorities who gather and manage this data. Generally, we would like to own our medical data and have control over who can access it. Emerging open source DLT implementations like Ethereum [6] and Hyperledger Fabric [7] have been shown to provide strong cryptography-based secure data management capabilities with a high emphasis on data privacy and ownership. Additional privacy and security could be provided using cryptographic techniques such as Zero Knowledge Proofs (ZKPs) [11]. Also, such DLT implementations have identity management systems that are decentralised (i.e., not controlled by a central authority), and the data can be securely tied to such an identity so that only the owner of the data can view the contents and control access.


Primary Supervisor: Dr Charaka Palansuriya

Overview of research area

This research programme aims to explore how DLT technology could be used to provide secure data services for managing medical data, with a strong emphasis on privacy and ownership of the data; that is, developing novel techniques using DLT for patient-centric data access and ownership of medical data. For example, one issue with medical data is that it is hard for a patient to securely access or carry a certain amount of his/her medical history when travelling to another country. Timely access to such data could be life-saving if a patient has a medical incident whilst in another country. If a patient owns his/her medical history (e.g., certain tests, scans, results, medical notes, etc.) and can securely access it from anywhere in the world, then this is a truly valuable capability. One of the objectives of this work is to explore how the ownership and control of data access could be maintained by either patients or someone with legal authority to act on behalf of a patient. In addition, a patient could control who can access the data (for example, only members of a certain cancer research team in Edinburgh) and whether, for example, only anonymised data could be accessed. At the moment, patient consent forms and other relevant legal documents are handled separately and require human intervention to check them and provide access to the relevant data. This is both cumbersome and error prone. In order to provide seamless access, the use of DLT features such as Smart Contracts [8] will be investigated. Smart Contracts could be utilised to execute legal contracts automatically, without human intervention, when there is a request to access a certain part of the medical data. The Smart Contracts could be examined by the relevant stakeholders (e.g., patients, lawyers, data custodians, etc.) prior to installing them on the DLT platform, and they could be versioned too. Then, for example, the stakeholders could agree upon a certain version of the Smart Contract for a particular patient in order to provide seamless access to the data owned by that patient, based on who, when and where the data access is requested from.
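As an added illustration (not code from this project or from any of the platforms cited), the following Python model captures the versioned, stakeholder-agreed consent Smart Contract described above: a policy version is enforced only once the required stakeholders approve it, and each request is decided on who (a decentralised identifier), when, where and which part of the data it concerns, and whether only anonymised data may be released. All identifiers, roles, locations and data labels are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed model of the versioned consent Smart Contract described above:
# a policy version is enforced only once the required stakeholders approve it,
# and a request succeeds only if who, when, where and which data part all match.

@dataclass
class ConsentPolicy:
    version: int
    allowed_dids: set        # decentralised identifiers allowed to request
    allowed_parts: set       # e.g. {"scans", "test_results"}
    valid_from: int          # Unix timestamps bounding the consent window
    valid_until: int
    allowed_locations: set   # where a request may originate
    anonymised_only: bool    # True: only de-identified data may be released
    approvals: set = field(default_factory=set)

@dataclass
class AccessRequest:
    requester_did: str
    part: str
    at: int                  # Unix timestamp of the request
    location: str
    wants_identifiable: bool

class ConsentContract:
    """One patient's contract: many agreed versions, exactly one enforced."""
    REQUIRED_APPROVERS = {"patient", "data_custodian"}  # who must agree a version

    def __init__(self):
        self.versions, self.active, self.audit = {}, None, []

    def propose(self, policy):
        self.versions[policy.version] = policy

    def approve(self, version, stakeholder):
        policy = self.versions[version]
        policy.approvals.add(stakeholder)
        if self.REQUIRED_APPROVERS <= policy.approvals:
            self.active = version  # the agreed version replaces the enforced one

    def evaluate(self, req):
        p = self.versions.get(self.active)
        ok = (p is not None and req.requester_did in p.allowed_dids
              and req.part in p.allowed_parts and req.location in p.allowed_locations
              and p.valid_from <= req.at <= p.valid_until
              and not (p.anonymised_only and req.wants_identifiable))
        self.audit.append((self.active, req.requester_did, req.part, ok))  # ledger-style record
        return ok
```

The audit list stands in for the append-only record a ledger would keep of every decision, including requests refused while no version had yet been agreed.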

Here’s a relevant quote on the use of DLT by the UK Government Chief Scientific Adviser [5]:

“Distributed ledger technologies have the potential to help governments to collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services. In the NHS, the technology offers the potential to improve health care by improving and authenticating the delivery of services and by sharing records securely according to exact rules. For the consumer of all of these services, the technology offers the potential, according to the circumstances, for individual consumers to control access to personal records and to know who has accessed them.”

Some relevant research work has been done recently to allow secure access to medical data with an emphasis on patient privacy using Hyperledger Fabric [1], one of the main open source DLT/blockchain platforms available at the moment. This particular research work uses a design which utilises two blockchains: a public (untrusted) blockchain, which they call the main chain, and a private (trusted) blockchain, which they call the side chain. The private blockchain maintains the patient ID and all sensitive data, and the public blockchain mainly holds a temporary patient ID with links to the patient's medical data in the private blockchain. This is a complex setup, and maintaining, upgrading, troubleshooting and auditing it would be an expensive and complex operation. The main point of having these two blockchains is to maintain patient privacy. However, this privacy could be established using techniques such as Zero Knowledge Proofs (ZKPs) whilst maintaining just a single blockchain. Earlier research work used the public Ethereum blockchain [2] to store anonymised data. However, many patients and medical institutes may not trust the use of anonymisation for maintaining patient privacy. Within EPCC, an off-chain approach, similar to the one described in [3], was tried in the context of MSc projects and showed some success in patient-centric access control to medical data as well as in maintaining privacy. However, the techniques used require more in-depth and comprehensive experimentation, adaptation and analysis, in particular of how a digital identity and ownership could be used to give a patient more control of his/her medical data. The majority of the literature available at the moment provides no details about how the techniques developed ensure that only a patient, and well-established entities authorised by the patient, can access the medical data. This proposed research work aims to develop patient-in-control techniques, allowing a patient privacy control over the sharing of his/her medical data and the ability to own the data.

Note that EPCC maintains the Scottish Data Safe Haven (https://www.epcc.ed.ac.uk/blog/tags/safe-haven) – a custodian service for Scottish medical data. Therefore, this research work can utilise the experience gained by providing this service and, in return, help improve its future operational capabilities. In addition, EPCC hosts the Edinburgh International Data Facility (EIDF), which is likely to host medical data sets for research and other purposes. It is hoped that this research work will directly feed into how such potentially sensitive medical data could be securely held and accessed by external entities.

Potential research questions

  • Could DLT provide improved security compared to existing technologies used to secure data in the medical domain?
  • What are the effective ways to use Smart Contracts to grant access to medical data where a patient is in control of the data and its ownership?
    • Could this be based purely on a decentralised identity?
  • Could data privacy be improved using techniques such as Zero Knowledge Proofs (ZKPs)?
  • How could existing open source DLT implementations like Ethereum, Hyperledger Fabric or something else be used to provide such secure data services?

Student Recommended/Desirable Skills and Experience

A strong programming background and willingness to learn new techniques and technologies. Knowledge about DLT/Blockchain technology would be useful but not necessary. Knowledge about Relational and NoSQL database management technologies and various cryptographic techniques such as Public Key Cryptography and Zero Knowledge Proofs (ZKPs) would be useful.

How to apply

Applications should be made via the University application form, available via the degree finder. Please note the proposed supervisor and project title from this page and include this in your application. You may also find this page is a useful starting point for a research proposal, and we would strongly recommend discussing this further with the potential supervisor.

References

  1. Blockchain-based approach for e-health data access management with privacy protection (2019), https://ieeexplore.ieee.org/abstract/document/8858469
  2. A Case Study for Blockchain in Healthcare: “MedRec” prototype for electronic health records and medical research data (2016), https://www.semanticscholar.org/paper/A-Case-Study-for-Blockchain-in-Healthcare-%3A-%E2%80%9C-%E2%80%9D-for-Ekblaw-Azaria/56e65b469cad2f3ebd560b3a10e7346780f4ab0a
  3. Towards Using Blockchain Technology for eHealth Data Access Management (2017), https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8167555
  4. Distributed Ledger Technology (DLT) & Blockchain, http://documents1.worldbank.org/curated/en/177911513714062215/pdf/122140-WP-PUBLIC-Distributed-Ledger-Technology-and-Blockchain-Fintech-Notes.pdf
  5. Distributed Ledger Technology: beyond block chain, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
  6. Ethereum, https://ethereum.org/
  7. Hyperledger Fabric, https://www.hyperledger.org/projects/fabric
  8. An Introduction to Smart Contracts and Their Potential and Inherent Limitations, https://corpgov.law.harvard.edu/2018/05/26/an-introduction-to-smart-contracts-and-their-potential-and-inherent-limitations/
  9. Consensus Mechanisms, https://ethereum.org/en/developers/docs/consensus-mechanisms/
  10. How do Public Key Encryption work, https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work
  11. Zero Knowledge Proofs: An approximate introduction to how zk-SNARKS are possible, https://vitalik.ca/general/2021/01/26/snarks.html
  12. Layer 1 vs Layer 2: What you need to know about different Blockchain Layer solutions, https://medium.com/the-capital/layer-1-vs-layer-2-what-you-need-to-know-about-different-blockchain-layer-solutions-69f91904ce40
  13. General Data Protection Regulation (GDPR), https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/