Several problems in health care come from the complex network of intermediaries. Currently, medical health data is fragmented and isolated, there are communication delays and workflow tools are different due to lack of interoperability, which negatively affects research and health services. For these reasons, health entities and their patients need to securely protect their data. However, for the privacy of patients, the danger of having such information on the network and due to the vulnerability of traditional authentication systems, a reference model is proposed to manage the health data security based on Blockchain. Blockchain allows access to complete medical records that are stored in fragmented systems anonymously and securely. Our reference model uses the concepts of an information security management system such as: policies, risks and controls. This allow private or public entities in the health sector to implement Blockchain. On the other hand, our reference model was developed by researching and comparing existing Blockchain platforms in the health sector, with the purpose of guiding qualified information security personnel when they decide to implement Blockchain in a health sector organization.
The health industry is one of the largest industries in the world, since it consumes more
than 10% of the gross domestic product (GDP) of the most economically developed
countries with a high standard of living [
Copyright c 2020 for this paper by its authors. Use permitted under Creative Commons
Blockchain can solve this problem with the exchange of health information by acting
as a secure decentralized database. Blockchain is a revolutionary technology that can
help solve the challenges of medical care by providing security and trust. Access to a
patient's medical history can be enabled for all health care providers prior to patient
registration and authorization. The access control system in Blockchain puts patients in
control of their data; consent and access rights may be granted to third parties to a subset
of your medical records. It is possible to write custom laws and agreements through
smart contracts which are equivalent to real-world contracts [
Smart contracts can be used in various processes within medical care, including billing and insurance, which helps automate the process and reduce costs. To unify the compression of Blockchain technology and its security, a reference model is proposed that allows us to provide a series of controls based on possible risks that may occur within the Blockchain platform and affect the privacy of patient health data. For this reason, we investigate the different Blockchain platforms for the health sector where it was decided what properties we consider for our analysis. We will use the information collected and analyze the similarities and differences between the platforms. 2 2.1
This research is carried out from the perspective of health care to build our reference
model and, therefore, we are considering the following property. Platforms: We are
considering Blockchain technology implementations that introduce different
approaches to privacy and smart contracts [
Blockchain technology platforms can be divided into two groups, as illustrated in Table 1. For our study, we have selected a Blockchain platform from each group.
They can be characterized as follows:
MediChain: It is a Blockchain solution for the storage and distribution of medical data
that allows patients to have control over their own medical information [
MediBloc: It is the combination of a social need with a technological enabler, it is a
system that prioritizes patient data, providing a transparent and accessible view of the
medical history [
Patientory: It is a distributed application based on Cybersecurity Blockchain that
provides users with access to their health data. Creates smart contracts that can be executed
in relation to the continuous cycle of medical and patient care. Centralize all patient
medical data in one place to manage, share and track medical care [
Medicalchain: It allows doctors, hospitals, laboratories, pharmacists and health
insurers to request permission to access a patient's record-to-record transactions in a
distributed ledger [
Reference models are reusable representations of abstract knowledge for a given
application domain. Also, they are relevant representations for a purpose of an information
system designed through a construction process. They provide a useful means to reduce
the information modeling effort. They are developed with the objective of being reused
for different scenarios of similar applications and are used as a starting point for the
construction of specific project models [
It is one of the technologies behind Bitcoin, an open peer-to-peer value transfer network
(p2p). Cryptocurrencies are analogous to money currencies such as the USD or the EUR
that facilitate the exchange of value but use cryptographic protocols as the basis of
governance instead of relying on a central authority such as banks [
A smart contract represents a piece of self-executing, self-verifiable and
tamper-resistant code with a programmable programming application logic that resides and runs
on Blockchain [
The management of health data that includes storage, access control and data exchange
is an important aspect of the health industry. Proper management of health data
improves results and allows a comprehensive view of patients, personalized treatments
and efficient communication. Confidence problems and lack of profit incentives are the
main obstacles to the exchange of health data [
The model was implemented in a clinic specialized in providing health care services for institutions and companies (public or private), has a large team of specialized professionals, with extensive experience in health and medicine. The local clinic did not carry out risk management on a continuous basis, due to the time it may require and because it did not have a specialized information security staff to carry it out. 4.2
The implementation of the reference model is carried out in the medical history registration process, since it is the central process of the clinic, in which all information related to this must be protected. The selected work team is composed of the process owner, the head and coordinator of the systems area, as well as the authors of this article.
Phase 1: Validation of the risk matrix: We need the clinic information and IT information as inputs. Following our proposed model, in phase 1, for the traditional scenario, ten risks were found, classifying them as two High risks, eight Medium risks and zero Low risks. This meant that there are certain deficiencies on the part of the systems area, as they did not contemplate such risks that could affect the integrity of the clinic. Once the traditional system scenario has been analyzed, the risk matrix prepared based on the analysis that was made using the Ethereum platform consisting of a decentralized Blockchain is shown, finding a series of risks that could occur outside the Blockchain where a total was found. Of 11 risks classifying them as 0 High risks, 8 Medium risks and 3 Low risks.
This means that there is still a risk on users who have to adapt to use this technology, since within the Blockchain the information is secure; the problem comes when it is outside of this. Finally, the risk exposure of the traditional system is compared to a scenario using Blockchain technology. For this, a heat map was made where the codes of the risks found are placed and classified according to the result obtained.
The results obtained were calculated based on the sum of the metrics of the risks found and classified on the maximum metric (90). Obtaining a risk level of 67% (Fig. 1.) in a traditional system scenario and 41% (Fig. 2.) in a scenario where Blockchain technology is used. concluding that there is a higher risk exposure in a traditional system, while using Blockchain technology the risk exposure is reduced by 26%.
ment of the identified risks have been obtained, the SoA template is used as a reference for the implementation of information protection measures, as well as to verify that no necessary security measures are being set aside.
They had not been considered inside the clinic. Next, we will see the results obtained in the traditional system scenario where the validation of this document was carried out.
It can be seen that the vast majority of the sections of controls their level of compliance is below 20%, which indicates that there is a large breach of information security quite exposed. The average result obtained gives us 11% compliance, this means that there are no controls established within the clinic to ensure and protect the information of their patients against cyber-attacks.
Once the results on compliance with SoA document controls were analyzed, the same controls were validated, but this time on stage using Blockchain technology. Next, we will see the results obtained using Blockchain technology in any health sector organization.
Most controls meet more than 20% of the criteria necessary to carry out proper management information security. As well, the average result obtained gives us a total of 44% compliance, this means that when using Blockchain technology, the controls established within the clinic are more robust and meet the criteria necessary to carry out a correct management of information security, in order to guarantee and protect patient information against possible attacks.
Once the analysis of both scenarios is completed, a graph is prepared with the results obtained to make a comparison and see the compliance status for each of the sections proposed in the SoA template. The results obtained indicate that there is a 33% improvement in overall compliance when using Blockchain technology compared to a clinic with a traditional system.
measured by the criticality obtained by its final classification level where the confidentiality presented 9 high level, 16 medium level and 0 low level. On the part of the integrity, 6 of high level, 11 of medium level and 8 of low level were presented. Finally, I present 5 high level, 16 medium level and 4 low level availability.
Finally, together with the total distribution by the classification of the levels and turning it into a percentage, the following results were obtained: High Level = 32%, Medium Level = 52%, Low Level = 16%. With these results we can conclude that the highest percentage of classification is given by the average level, which indicates that the information assets are mostly of medium to high importance for the clinic where the classification of the inventory of information assets. The model was validated at a local clinic (Lima, Peru) and compared in a simulation scenario using Blockchain technology. In the results of the implementation of the model, it is observed that the level of risks would be reduced by 26%, compliance with the controls would increase by 33% when the proposed controls are applied in a scenario with Blockchain.
The proposed reference model will allow knowing the status of compliance with policies and controls based on the ISO / IEC 27799: 2016 standard of any health center. Based on the results obtained, the clinic was shown that it is ideal to have knowledge about its risks, controls and assets that are the most critical and to consider a risk analysis to make decisions about the safety of each of them.
With the implementation of the reference model, the health centers will have a detailed vision about the possible risks that could occur, avoiding legal problems such as lawsuits imposed by patients or financial sanctions by the regulatory entity.
The costs of implementing mitigating controls are high compared to using a Blockchain technology that mostly minimizes security breaches. When using Blockchain technology, a new risk appears which is: the use of the private key, consider that if a user loses their private key, they automatically lose all their information stored in the Blockchain.
Our future plans regarding the research carried out is to be able to help hospitals and clinics to choose the best Blockchain platform alternative, since at the end of the day migrating the medical information of their patients to Blockchain will be a reality in the future that benefit the health sector.