Guest Column | February 10, 2020

Why Blockchain Technology Isn't The Answer To The Patient Identity Challenge

By Mark LaRow, Verato


Two years ago, the College of Healthcare Information Management Executives (CHIME), an organization created to serve the professional development needs of CIOs working in the healthcare industry, launched a challenge in the healthcare tech space. The goal was to find new and innovative ways to integrate a National Patient ID system into healthcare technology and effectively address patient identity resolution. Two of the finalists were blockchain solutions, but CHIME chose to not award these companies any prize money to continue R&D because they obviously concluded that blockchain could not solve the problem.

While we don’t know the specifics of their analysis and decision making, I’ve got some of my own thoughts on why blockchain isn’t the answer.

Imagine there was a blockchain of patient identity. The idea would be that each of us would be responsible to update or correct his/her identity information, and those updates and corrections would be replicated to all blockchain servers across the country without error. Every hospital system, payer, pharmacy, and health system vendor would access their local blockchain server to get the single correct PII package for every patient in the US. There would be no more ambiguity about our identities – name, address, date of birth. Nothing would ever be out of date. There would be no more misspellings or nicknames or second home addresses or twin mix-ups or name inversions or spouse overlays. The data would finally be perfect and everyone would have access to the correct data. Patient matching should become perfect, right?

But let’s dig a little deeper and see where this breaks down from a practical perspective. The first challenge is making sure that only Mark LaRow updates Mark LaRow’s blockchain identity. That means we first need to establish a 100 percent watertight “authentication and proofing” system to ensure that Mark LaRow is really Mark LaRow before he begins changing Mark’s data or reading his medical records. We would need a universal username/password system or biometric system that guarantees Mark is Mark. Have you ever seen such a universal authentication system on a national scale? And how would you be sure Mark is Mark when you first distribute the password? Would you trust that your password would never be hacked? The beauty of using blockchain in cryptocurrency is that no one has to prove who they are. They are anonymous when they set up a crypto account and remain anonymous. They can set up as many crypto accounts as they like and no one will ever know who they are or how many accounts they have. Blockchain for patient identity would be the exact opposite of this – the blockchain system must positively know who each person is to give them control of an identity and must limit them to only one identity on the blockchain. This seems like a recipe for medical fraud and in such a way that it would be next to impossible to detect or prevent.

But let’s say the nation succeeded in inventing and distributing a universal authentication and proofing system that could be used for the blockchain of patient identities. The elephant in the room would become the massive distribution of everyone’s PII across thousands of blockchain servers. In the crypto world, we want our crypto balance scattered over hundreds of servers. That prevents anyone from changing our balance and besides, who cares if anyone reads the crypto balances, it’s all anonymous anyway? Would you want your PII data stored in thousands of servers under the control of hospitals, pharmacies, etc.? I certainly wouldn’t, because blockchain is not inherently secure. Wait, what? Of course, blockchain is secure, that’s why it’s used for cryptocurrency so effectively, isn’t it? Actually, blockchain is only secure in the sense that no one can alter the data except through a valid process. The distributed nature of the databases makes it too difficult to change, so it cannot be changed. But that’s not to say that someone cannot gain access to a blockchain server and “read” what is in there – remember it’s anonymous so who cares. But the bad guys don’t want to “change” identity information, they want to steal it, and you steal identities simply by reading them.
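The distinction drawn above, between data that cannot be altered and data that cannot be read, as an added example that is not part of the original column: a toy hash-linked ledger in Python with no consensus or networking, where the function names and sample identities are constructed for illustration. Verification flags an edited record, while every record on a replica is readable without any key.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash, record):
    """Hash of a block: the previous hash bound to the canonical record bytes."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Append records to a hash-linked ledger (toy model, no consensus)."""
    chain, prev = [], GENESIS
    for rec in records:
        h = block_hash(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return the index of the first block that fails verification, or -1."""
    prev = GENESIS
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or block_hash(prev, blk["record"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return -1

def read_replica(chain):
    """What any holder of a ledger copy can read: plaintext, no key needed."""
    return [dict(blk["record"]) for blk in chain]

# Constructed sample identities (not real people).
RECORDS = [
    {"name": "Pat Example", "dob": "1970-01-01", "address": "1 Sample St"},
    {"name": "Sam Sample", "dob": "1985-06-15", "address": "2 Test Ave"},
    {"name": "Lee Placeholder", "dob": "1992-11-30", "address": "3 Demo Rd"},
]

def demo():
    ledger = build_chain(RECORDS)
    replica = json.loads(json.dumps(ledger))  # a second node's full copy
    intact = verify_chain(replica)            # -1: chain verifies
    readable = read_replica(replica)          # integrity gives no secrecy
    replica[1]["record"]["address"] = "99 Changed Blvd"  # edit one record
    return intact, verify_chain(replica), readable

if __name__ == "__main__":
    print(demo())
```

The hash links protect integrity only; keeping the records confidential would need a separate control such as encryption and access management on every replica.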

And, if we did solve the universal password challenge, and solved the security challenge of thousands of databases with the entire U.S. population, we would still have problems of latency (it takes hours or days to clear a blockchain transaction) and cost (who pays for all these servers?), and there are now hundreds of thousands of health IT systems that don’t know how to use blockchain and billions of medical records that are not coded with a blockchain hashcode for the individuals.

In the end, the strengths of blockchain lend themselves very well to banking, but hardly at all to patient identity management. As an industry, we all have to be careful not to spend another 6 months or 2 years pursuing shiny objects like blockchain. We have a real patient matching problem right now, and innovative technologies that can easily address this challenge are already available. I believe that it is essential that the industry focus on adopting newer, proven technologies to solve this problem now.

About The Author

Mark LaRow is the CEO of Verato.