Architecture and Value Analysis of a Blockchain-Based Electronic Health Record Permission Management System

Michaël Verdonck, Geert Poels
Faculty of Economics and Business Administration, Ghent University; michael.verdonck@ugent.be; Geert.Poels@ugent.be

Abstract. Adopting healthcare information systems and electronic health records (EHRs) results in various benefits for the healthcare sector such as real-time decision support and availability of critical medical information. Despite the many benefits that are associated with adopting EHRs, the transition to digitally stored and shared records holds various challenges regarding the privacy and security of medical data. This paper aims to offer an alternative design to manage EHRs with blockchain technology, where the emphasis of our design lies in adopting blockchain and smart contracts as a permission management database. We present a general overview of the architecture of our blockchain-based EHR permission management system and describe the value exchanges that take place between the different parties participating in the EHR ecosystem in which our blockchain-based system is to be implemented.

1 Introduction

Medical data is progressively being represented and stored electronically [1]. As such, health information technology and electronic health records (EHRs) are increasingly viewed as means to improve the efficiency, quality and safety of health systems [2]. Adopting healthcare information systems and EHRs results in various benefits for the healthcare sector such as real-time decision support for clinicians or making critical clinical information available to health providers [3]. Besides healthcare advantages, health information exchange in the form of EHRs is estimated to have substantial financial benefits [4, 5].
However, despite the many benefits that are associated with adopting EHRs, the transition to digitally stored and shared records holds various challenges regarding the privacy and security of medical data [6, 7]. Data stored electronically is prone to be copied, distributed, and mined for confidential information. Data breaches and the consequent loss or misappropriation of data can expose patients’ confidential information and lead to hefty fines for hospitals¹. Another issue related to adopting EHRs is the lack of interoperability between the different systems that store patients’ data. These interoperability challenges are related to the sharing of data between different information systems storing EHRs, where each has its own data format and protocol to share EHRs. In order to tackle these problems, recent research efforts have been investigating the application of distributed ledger technology, in particular blockchain technology. While originally introduced as a technology to support new forms of digital currency [8], blockchain has evolved into a promising foundation to support any type of transaction in society. In its essence, a blockchain is a data structure that is composed of an ordered, back-linked list of blocks of transactions [9]. Through the years, several new blockchain technologies have emerged that act both as a database that records data transactions between parties and as a computational platform for executable programs, i.e., smart contracts. More specifically, smart contracts can carry and conditionally transfer digital assets or tokens between parties [10].

¹ https://eurocloud.org/news/article/fine-of-eur-460000-imposed-on-dutch-haga-hospital-by-dutch-data-protection-officer-the-first-dutch/

Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
Since smart contracts are stored and executed on the blockchain platform (assuming a public blockchain), they can be publicly viewed by parties having access to this platform. This feature also means that their execution runs in a predictable and transparent manner. Consequently, these unique features give blockchains and smart contracts certain advantages such as traceability, transparency and enhanced security. For instance, a survey by IBM [11] predicts that blockchain technology will be used to manage clinical trial records, supervised compliance and EHRs.

Given this new technology’s distinct advantages, several research efforts have aimed to leverage the unique properties of blockchain to manage authentication, confidentiality, accountability and data sharing of EHRs. For instance, Azaria et al. [12] developed the blockchain implementation ‘MedRec’ to demonstrate how principles of decentralization might be applied to large-scale data management in an EHR system. They propose a modular design in order to integrate existing, local data storage solutions while facilitating interoperability. Through incentivization (e.g., access to aggregate, anonymized data) of medical stakeholders such as researchers and public health authorities, they aim to engage these stakeholders in becoming the miners of the blockchain network. Another solution called ‘MedBlock’ focuses on the privacy of information by adopting the blockchain for access control and encryption purposes. In their design, a certification authority acts as a system administrator of the blockchain, where the blockchain manages pointers to the record in order to find the true storage address of the EHR’s information. A processing layer that is composed of local community hospitals and their servers can access and modify patient records, which are then uploaded to a supervising hospital.
While the above-mentioned blockchain-based EHR systems have their respective advantages and strengths, the adopted blockchain is often implemented to simply store the memory address of an EHR record, while the records themselves are still stored and secured in the databases of local hospitals. Consequently, interoperability between healthcare providers remains a problem, while they are also still responsible for the security and maintenance of their own data, an expensive and strenuous task.

This paper aims to offer an alternative design to manage EHRs with blockchain technology. More specifically, the emphasis of our design lies in adopting blockchain and smart contracts as a permission management database and engine. Additionally, we aim to leverage the strengths of each actor or technology within our design, allowing every actor to focus on their specific responsibilities and core tasks. For instance, a healthcare provider should not be occupied with maintaining and securing patient data. Instead, a healthcare provider should have the data of a certain patient available when needed to fulfill its responsibility to deliver care to that specific patient. Thus, this paper aims to design a blockchain-based EHR permission management system that facilitates the automation of a patient’s permissions for EHR access and updates by different parties, e.g., healthcare providers, patients, governing bodies, etc. Through the introduction of smart contracts, we aim to design an information system that leverages both the advantages of blockchain technology (traceability, immutability and authentication) and the advantages of existing software systems and database management systems (transaction speed, storage availability, etc.).
The section below gives a general overview of the architecture of our blockchain-based EHR permission management system and describes the value exchanges that take place between the different parties participating in the EHR ecosystem in which our blockchain-based system is to be implemented. To facilitate the value analysis, e3value modeling is used as a tool. The e3value model of the EHR ecosystem shows for each involved party the value that is captured from using the proposed blockchain-based EHR permission management system. In our conclusion, we discuss future research efforts that we will undertake to implement and evaluate this blockchain-based EHR management system.

2 Architecture of a blockchain-based EHR management system

In our design, we identify five roles: patient, requestor (e.g., healthcare provider, insurance company, researcher, etc.), governing body (e.g., government), data custodian and the smart contract(s) (or more generally the blockchain itself). While other research efforts have focused on creating a network without a governing body [12, 13], we believe that this role is still crucial. We do not argue that a blockchain implementation without a governing body cannot be accomplished; we believe, however, that the technology is still too immature and lacks overall adoption in current society. Hence, we propose a blockchain-based information system that is highly dependent on a governing body in order to be operational and to be adopted by healthcare providers and patients. Below, we discuss the role, actions and tasks of each actor of our design in more detail. Figure 1 gives a general overview of the different interactions that take place between the users and the system. Additionally, we describe the main value exchanges that take place between the different parties participating in this ecosystem through the e3value model shown in Figure 2.
As an early requirements engineering technique, e3value modeling is used to study the business ecosystem in which a new IT system is to be implemented. The technique has been used before to help analyze whether blockchain-based systems build a sustainable business case for the ecosystem parties [14]. The value analysis focuses on how the blockchain-based system will affect (i.e., enable, facilitate, automate, optimize, etc.) the creation and delivery of value within the ecosystem.

[Figure 1: User interactions of the Blockchain-based EHR Permission Management System. Actors in the diagram: Governing Body, Smart Contract, Patient, Requestor, Data Custodian. Labelled interactions: requests/provides verification, forwards request, accepts/rejects, updates permissions, consults access permissions, requests access, accepts/rejects access.]

Patient

A patient will have full control over his or her patient record. As can be seen in the value model in Figure 2, a patient requests privacy and traceability over his/her EHR data while granting or denying permission requests that are being handled by the smart contract. More specifically, a patient will be able to do more than only accept or decline a request. A patient can specify the access of a certain healthcare provider (or health insurer, for that matter) by deciding whether the access provided should be read-only, or whether the requestor can also modify the record, for instance to add additional information to the record concerning a certain treatment. Moreover, a certain time frame can be assigned to any healthcare provider that requires access (e.g., ranging from a day to a year). Through querying the ledger of the blockchain, a patient will at any time have a full overview of all the healthcare providers that have access to their record, and of when healthcare providers have viewed and/or adapted their record. The access to a patient’s record can also be revoked at any moment.
Since permissions are managed by a smart contract on the blockchain, we need a unique identifier in order to be able to assign the record to the right patient. While in many countries persons are identified through, for example, their national identification number or social security number, it would be ill-advised to select a patient’s social security number as the unique identifier for our blockchain-based EHR system. In the case where a blockchain is public, its contents can be viewed by anyone. Adopting social security numbers or other national identifiers would therefore result in considerable privacy issues. A unique digital identification principle is therefore lacking. Hence, in our design we adopt the unique identification properties of blockchain cryptography by assigning every patient their own pair of public and private keys. Permission requests from healthcare providers will be sent by the smart contract to the public key of the respective patient. A patient can always verify that they are the owner of the public key through their private key. Access requests will also be confirmed or denied through a signature with the private key. To safeguard a patient’s digital identity, the public key of a specific patient will be linked with their social security number by the governing body, for instance the national government or another supervising institution. As such, whenever a patient loses control over their private key, a new private key can be assigned to this patient and linked accordingly to their social security number through the governing body. This principle is explained further in the sections ‘Governing Body’ and ‘Smart Contract/Blockchain’ below.

Requestor

The requestor is the party that desires access rights to the patient’s health record. In most cases this will be a healthcare provider such as a hospital or general practitioner, but the requestor could as well be an insurance company or research institution.
As represented in the value model, a requestor then uses the medical data in order to perform the healthcare tasks that are required and updates the patient record if required and if permitted. Hence, a requestor can request access to a patient’s record with either read and/or write permission and can indicate a certain time frame for which the requestor would like to have access to the record. The requestor is notified by the smart contract when any requests have been accepted or denied by the patient. A requestor will also have an overview of all the requests that have been accepted (including read/write permissions and assigned time frame) and the requests to records that have been denied. This overview can be generated by querying the ledger of the blockchain. Similar to a patient, a requestor will have its own unique digital identity in the form of a public/private key pair. A request to a patient’s record will thus be signed with a requestor’s private key in order to allow the smart contract to verify that the requestor is genuine (and not an impostor). Again, the digital identity of a requestor will be linked with its national identifier by the governing body in order to keep track of the digital identity of, for instance, recognized healthcare providers.

Governing Body

In our design, the governing body maintains all essential information about patients, requestors and data custodians (see section below). Its primary responsibility is to serve as the objective and reliable source of information for the different actors interacting with the blockchain-based EHR system. We believe an institute such as the national government of a country is the most evident choice to assign as governing body since a national government already stores and verifies these essential data.
However, any type of institution that is capable of performing these tasks can of course be assigned as governing body (e.g., when rolling out the system on a supra-national scale, an international institution may assume the role of governing body). An important remark concerning our design is that the governing body is also the creator/owner of the smart contract(s). It is therefore the governing body that can create, destroy or redeploy a smart contract. As also represented in the value model in Figure 2, the smart contract(s), supported by the EHR data management system that runs on information systems of the governing body, perform the value activity of EHR access control and permission management. The smart contract(s) thus complement the existing information and database management systems that would typically manage current information on patients, healthcare providers, etc. Blockchain technology is therefore adopted in our design to leverage its strengths in facilitating and automating certain tasks such as permission management of EHRs in combination with the strengths of existing information and database management systems.

As already mentioned above when discussing the patient and requestor, the governing body is responsible for managing and linking the digital identities of these actors (including also the data custodian) with their national identities (e.g., social security number). First, this is important to compensate for the loss or theft of a private key. In this case, a patient can notify the governing body of the loss of control over the public/private key pair, to which the governing body can respond by no longer recognizing the public key as a valid digital identity of that patient. The patient can then create a new private key by him- or herself and share the new public key with the governing body.
The governing body can then verify whether the newly generated public key actually belongs to that specific person, similar to the case where a person would lose his or her identification documents. Hence, our design incorporates that a patient will always choose (and consequently control) their own private key and only share their public key with third parties such as the governing body. A patient can thus, through the governing body, easily link a new digital identifier to him- or herself and does not lose access to the patient record in case control over the private key is lost. Finally, a second advantage of the management of digital identities by the governing body relates to the detection of illegitimate requests to a patient record. Since every healthcare provider has to register with the governing body in order to practice healthcare, the smart contract(s) can easily verify that a public key corresponds to a recognized healthcare provider.

Data custodian

The data custodian is the actor responsible for the storage and security of the healthcare records of patients. Currently, hospitals are responsible for the management and security of the healthcare records of their patients. This has become an arduous and expensive task, even more so with legal governance increasing its focus on the protection of individuals’ data and privacy (e.g., GDPR). We believe that implementing and maintaining highly secure data management systems for every single hospital and healthcare provider is not a sustainable design choice. Therefore, we argue that specialized data custodians should focus solely on the secure storage of patients’ health records, which is represented as a value activity in our value model. Additionally, by having one actor maintaining patient records, there is only one structure in which the data is being stored and distributed.
This strongly improves the current situation regarding interoperability, where now hospitals each have their own type of database and data structure for storing records.

Similar to patients and requestors, a data custodian has to be recognized by the governing body as capable and trustworthy of performing this task. The data custodian receives permission updates from the smart contract(s) when access has been given to or revoked from a certain healthcare provider for a specific patient record. Additionally, the data custodian can always consult the smart contract(s) for the different permissions given by patients to healthcare providers. Finally, the patient record will always be mapped to a fixed-size value with a hashing function (e.g., SHA-3). Any change in the patient file will therefore always result in a different hash value for that record. This allows the system to carefully trace all the changes that have been made in a patient record by a certain requestor at a specific time.

Smart Contract/Blockchain

In our design the smart contract(s) automate permission management of patients’ healthcare records. The contract(s) are written and controlled by the governing body² and can thus be seen as an extension of its information systems. It is for this reason that the smart contract is not represented as a separate actor in the value model. The smart contract(s) manage incoming requests to patient records from requestors and verify their identity against the governing body’s information on recognized healthcare providers (through an API). Requests are then sent to patients, who can decide to grant or deny the request to their patient record. When a request is accepted, the data custodian that stores the respective record is notified by a smart contract to add read/write rights for the respective healthcare provider to the granted patient record. A requestor is also informed by a smart contract if the request was accepted or declined by the patient.
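The permission flow described in this section (the governing body links keys to recognized actors, a requestor submits a signed request for read or read/write access over a time frame, the patient grants, denies or later revokes it, and the custodian is updated and can consult the current rights) is shown here as an added Solidity example; it is not code from the paper, and the contract, function and event names are assumptions. The requestor's and patient's signatures are the transaction signatures behind msg.sender, and the "notifications" to requestor and custodian are modelled as events their off-chain services watch; migrating existing grants to a re-linked patient key is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumed names): permission management for the five-role design; the governing body deploys and owns it.
contract EhrPermissionManager {
    enum Status { Pending, Granted, Denied, Revoked }

    struct Request {
        address patient;
        address requestor;
        bool write;        // false = read-only, true = read and write
        uint64 duration;   // requested access window in seconds
        uint64 expiresAt;  // block timestamp after which access ends (set on grant)
        Status status;
    }

    address public immutable governingBody;
    mapping(address => bool) public recognizedPatient;
    mapping(address => bool) public recognizedRequestor;
    mapping(address => bool) public recognizedCustodian;
    mapping(address => address) public custodianOf;   // patient key -> custodian storing the record
    Request[] public requests;                         // the ledger every party can query

    // Requestor, patient and custodian watch these events instead of being "notified" directly.
    event AccessRequested(uint256 indexed id, address indexed patient, address indexed requestor, bool write, uint64 duration);
    event PermissionUpdated(uint256 indexed id, address indexed custodian, address indexed requestor, Status status, uint64 expiresAt);

    modifier onlyGoverningBody() { require(msg.sender == governingBody, "not governing body"); _; }
    constructor() { governingBody = msg.sender; }

    // Identity linking: the governing body marks a key as belonging to a recognized actor;
    // unlinking (ok = false) is how a lost or stolen key stops being a valid identity.
    function setRequestor(address key, bool ok) external onlyGoverningBody { recognizedRequestor[key] = ok; }
    function setCustodian(address key, bool ok) external onlyGoverningBody { recognizedCustodian[key] = ok; }
    function setPatient(address key, address custodian, bool ok) external onlyGoverningBody {
        require(!ok || recognizedCustodian[custodian], "unknown custodian");
        recognizedPatient[key] = ok;
        custodianOf[key] = ok ? custodian : address(0);
    }

    // The transaction signature of msg.sender is the requestor's signature on the request.
    function requestAccess(address patient, bool write, uint64 duration) external returns (uint256 id) {
        require(recognizedRequestor[msg.sender], "requestor not recognized");
        require(recognizedPatient[patient], "patient not recognized");
        require(duration >= 1 days && duration <= 365 days, "time frame must be 1 day to 1 year");
        requests.push(Request(patient, msg.sender, write, duration, 0, Status.Pending));
        id = requests.length - 1;
        emit AccessRequested(id, patient, msg.sender, write, duration);
    }

    // Only the patient's currently recognized key can decide; the custodian applies rights on PermissionUpdated.
    function decide(uint256 id, bool grant) external {
        Request storage r = requests[id];
        require(msg.sender == r.patient && recognizedPatient[msg.sender], "not the recognized patient");
        require(r.status == Status.Pending, "already decided");
        r.status = grant ? Status.Granted : Status.Denied;
        if (grant) r.expiresAt = uint64(block.timestamp) + r.duration;
        emit PermissionUpdated(id, custodianOf[r.patient], r.requestor, r.status, r.expiresAt);
    }

    // Access can be revoked by the patient at any moment.
    function revoke(uint256 id) external {
        Request storage r = requests[id];
        require(msg.sender == r.patient && recognizedPatient[msg.sender], "not the recognized patient");
        require(r.status == Status.Granted, "not granted");
        r.status = Status.Revoked;
        r.expiresAt = 0;
        emit PermissionUpdated(id, custodianOf[r.patient], r.requestor, r.status, 0);
    }

    // What the custodian consults before serving a read or accepting a write to the record.
    function hasAccess(uint256 id, bool write) external view returns (bool) {
        Request storage r = requests[id];
        return r.status == Status.Granted && block.timestamp < r.expiresAt
            && (!write || r.write) && recognizedRequestor[r.requestor]; // a de-linked requestor key loses access
    }
}
```

Because request metadata (which requestor key asked for which patient key, and when) is readable by anyone on a public chain, the contract holds only keys and rights, never national identifiers or record contents; the key-to-identity link stays with the governing body off-chain, as the section describes.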
[Figure 2: e3value model for a blockchain-based EHR permission management system]

² Of course, outsourcing this value activity to another new ecosystem actor or market segment is a possibility, though outsourcing to parties in the role of EHR Data Requestors and Data Custodians should be avoided.

3 Conclusion & Future Research

The recent emergence of distributed ledger and blockchain technology facilitates certain advantages such as traceability, transparency and enhanced security. Given this new technology’s distinct advantages, several research efforts have already been proposed to leverage the unique properties of blockchain technology to manage authentication, confidentiality, accountability and data sharing of EHRs. This paper aims to offer an alternative design to manage EHRs with blockchain technology. More specifically, the emphasis of our design lies in adopting blockchain and smart contracts as a permission management database and engine. We provide a general overview of the architecture of our blockchain-based EHR permission management system and describe the value exchanges that take place between the different parties participating in the EHR ecosystem in which our blockchain-based system is to be implemented. Additionally, we aim to leverage the strengths of each actor or technology within our design, allowing every actor to focus on their specific responsibilities and core tasks. In future research efforts, we will turn this design into an actual implementation of this blockchain-based information system and evaluate this system against existing EHR management systems.

References

1. Jha, A.K., Doolan, D., Grandt, D., Scott, T., Bates, D.W.: The use of health information technology in seven nations. International Journal of Medical Informatics. 77, 848–854 (2008). https://doi.org/10.1016/j.ijmedinf.2008.06.007.
2. Chaudhry, B., Wang, J., Wu, S., Maglione, M., Mojica, W., Roth, E., Morton, S.C., Shekelle, P.G.: Systematic review: impact of health information technology on quality, efficiency, and costs of medical care. Annals of Internal Medicine. 144, 742–752 (2006).
3. Wang, S.J., Middleton, B., Prosser, L.A., Bardon, C.G., Spurr, C.D., Carchidi, P.J., Kittler, A.F., Goldszer, R.C., Fairchild, D.G., Sussman, A.J., Kuperman, G.J., Bates, D.W.: A cost-benefit analysis of electronic medical records in primary care. The American Journal of Medicine. 114, 397–403 (2003). https://doi.org/10.1016/S0002-9343(03)00057-3.
4. Walker, J., Pan, E., Johnston, D., Adler-Milstein, J., Bates, D.W., Middleton, B.: The Value Of Health Care Information Exchange And Interoperability: There is a business case to be made for spending money on a fully standardized nationwide system. Health Affairs. 24, W5-10–W5-18 (2005). https://doi.org/10.1377/hlthaff.W5.10.
5. Hillestad, R., Bigelow, J., Bower, A., Girosi, F., Meili, R., Scoville, R., Taylor, R.: Can Electronic Medical Record Systems Transform Health Care? Potential Health Benefits, Savings, And Costs. Health Affairs. 24, 1103–1117 (2005). https://doi.org/10.1377/hlthaff.24.5.1103.
6. Matthias, W., Christian, J., Rainer, R.: Secondary Use of Clinical Data in Healthcare Providers; an Overview on Research, Regulatory and Ethical Requirements. Studies in Health Technology and Informatics. 614–618 (2012). https://doi.org/10.3233/978-1-61499-101-4-614.
7. Sahama, T., Simpson, L., Lane, B.: Security and Privacy in eHealth: Is it possible? 5 (2013).
8. Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. 1–9 (2008).
9. Antonopoulos, A.M.: Mastering Bitcoin: Programming the open blockchain. O’Reilly Media, Inc. (2017).
10. Staples, M., Chen, S., Falamaki, S., Ponomarev, A., Rimba, P., Tran, A.B., Weber, I., Xu, X., Zhu, L.: Risks and opportunities for systems using blockchain and smart contracts. Data61 (CSIRO), May (2017).
11. IBM Institute for Business Value: Healthcare rallies for blockchains. (2017).
12. Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: MedRec: Using Blockchain for Medical Data Access and Permission Management. In: 2016 2nd International Conference on Open and Big Data (OBD). pp. 25–30 (2016). https://doi.org/10.1109/OBD.2016.11.
13. James, C., John, A.: Enabling Patient Control of Personal Electronic Health Records Through Distributed Ledger Technology. Studies in Health Technology and Informatics. 45–48 (2017). https://doi.org/10.3233/978-1-61499-830-3-45.
14. Poels, G., Kaya, F., Verdonck, M., Gordijn, J.: Early Identification of Potential Distributed Ledger Technology Business Cases Using e3value Models. In: Guizzardi, G., Gailly, F., and Suzana Pitangueira Maciel, R. (eds.) Advances in Conceptual Modeling. pp. 70–80. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-34146-6_7.