Decentralizing The Patient Identity: The Next Generation in Privacy and Consent:
Jim St. Clair
Chief Trust Officer at LUMEDIC
Keywords: Healthcare, security, privacy, digital identity, data access
Presentation Description: In global healthcare, the focus on delivering services to the patient have been built around centralized healthcare systems collecting and managing all patient information. This has led to challenges in protecting the security and privacy of patients in a centralized repository or institution, as well as difficulties for the patient to maintain data access and consent. This has been exacerbated in the period of the COVID 19 pandemic, where more patients seek telehealth services and may be seen at caregivers other than their primary location. The time has come for a decentralized, “patient-centric” approach to health data management, that embodies privacy and consent while orchestrating data access remotely and/or amongst multiple providers. This is coupled with a growing need for a digital identity that can be credentialed when vaccination and immunity becomes a prerequisite for a return to work or travel. This presentation will discuss the foundations of decentralized identity and a standards-based framework to develop and adopt them.
Biography: Jim is the CTO of The Dinocrates Group, a Maryland-based boutique strategy and advisory firm, and the founder of the Institute for Healthcare Financial Technology. As CTO, Jim leads the Dinocrates Transformational Technology Services to assist public and private sector clients understand and adopt the latest advances in Blockchain, artificial intelligence (AI), robot-ic process automation (RPA) and cloud technologies. Given the dramatic changes in technology and healthcare delivery, Jim recently founded the Institute for Healthcare Financial Technolo-gy, which upon inception will be a non-profit organization dedicated to improving the healthcare value chain to reduce costs and streamline access and delivery of healthcare. IHFT builds on the innovations of financial, insurance and healthcare technology, especially in such concepts as dis-tributed ledgers, blockchain, Robotic Process Automation (RPA) and Artificial Intelligence (AI).
Jim is a 2019 FedHealth IT 100 winner, and is also active in the Healthcare Committee for the Government Blockchain Association, and co-lead of the HIMSS Healthcare Blockchain Work-ing Group. He is an advisor to multiple healthcare Blockchain start-ups, and guest lectures on Blockchain and technology at Universities and Industry. Jim is a veteran and former naval officer, having served in both active and reserve capacity.
Welcome
22-Jan-2021
Decentralizing The Patient Identity: The Next Generation in Privacy and Consent
Speaker: Jim St. Clair
Chief Trust Officer at LUMEDIC
Video Transcript: Fantastic. Thank you very much. A pleasure to be with you and I appreciate everyone’s flexibility today around the world of virtual meetings in making the schedule. My name is Jim Sinclair and as mentioned I am the chief’s trusts officer for the LUMEDIC exchange. I’d be happy to elaborate on that a bit for LUMEDIC. LUMEDIC is a health tech company based in Seattle, Washington as part of Providence Health Systems and we are focused on a range of products and technologies to support both providers and patients in their health information management. Specifically my concern is around the LUMEDIC Exchange which is the first platform in healthcare to be able to exchange verifiable credentials which we’ll talk about in detail for health-related transactions and patient-centered health information exchange.
Introduction
First just to talk about the concept of decentralized identity this is still Relatively new for most people but it is still a revolution of the work of the last 5 years in blockchain in centralized ledgers. It is the concept that your attributes can be embedded into shareable but secure methods of being able to facilitate transactions. In the same way that we talk about privacy and zero trust in a technical architecture these days. The concept that your identity is your own, of course is very much banked into GDPR and other similar legislations. It’s becoming more of a concept within the U.S. and things in health information and accountability act or HIPAA.
The concept architecturally is that you use blockchain or distributed ledger to be able to securely share things in a collaborative environment as part of transactions as I’m sure many folks in the audience are aware of. The level decentralized identity you actually have specific blockchain architectures that create what we call decentralized identifiers or support transactions for verifiable credential so that you share attributes of your identity as part of interactions with other parties that first of all help support the attestation of who you are and what you’re trying to do. Like for instance registering with your doctor or prove that you have a vaccination certificate but at the same time also allow you to control what is shared as part of that transaction.
First Point
Case in point most of us are used to presenting their driver’s license and some other documentation. If they’re coming in to see the doctor, those are all various elements of your identity in your privacy that you’re sharing, in many cases, repeatedly sharing. Going to a bar and proving that you’re over age 21 and have them produce your driver’s license. Physically presenting your driver’s license, there’s multiple attributes of your identity there on that driver’s license when the only key aspect is, can I verify in some means or present of means in some verification that it says I’m the legal age to be allowed to be in here in the first place. I shouldn’t have to share my name, my date of birth, my address, blood type, and everything else that’s on a driver’s license simply for the sake of gaining entry into a facility where it’s a yes or no check process.
So by using things like the W3C standards for verifiable credentials in conjunction with the distributed ledger, managing the transactions in the secure manner you can create credentials and present them digitally in your own for most of mobile wallet that allows you to meet certain criteria between the issuer’s about credential whoever that issuing party is. A verifier that is agreed to for the framework for that credential issuance and verified that you’re presenting the proper credentials to share information, gain access, or prove a certain status all while keeping that information under your control.
Another aspect to consider with it is how you can then leverage buying in that verifiable credential and managing that information with your wallet with other additional information. Nowadays we are in a digital health type world where more and more of our health information resides in electronic fashion on electronic healthcare records. Those electronic health care records require various levels of access from providers and other systems and then the challenges that you have multiple instances of those out there record systems that perhaps one doctor you have to see is in one facility with one VHR system and your referred to a doctor at another facility with another VHR systems and you have to exchange that information back and forth. There’s a great deal of effort to take away the last 10 years and in the last couple of years in particular to establish new methods of interoperability.
To be able to exchange that information freely and securely to support your ability to see the doctor that you need to see or have that information made available. Then most importantly the latest trend in legislation is being able to make sure that you have access to that data so that you can see the information that is being stored about you and share it with 3rd party apps such as Fitb
it, Google Health, or other applications for remote monitoring diabetes control, etc. Tying that all together of course you know calls out the need for a decentralized patient identity time capability where you’re at the center for the decisions for how your information is being shared who you’re sharing it with and then extensively what type of consent is associated with that.
Second Point
In healthcare they have the Standard Spa known as Hl7 with the newest Hl7 interoperability standard known as FHIR which stands for FHIR – fast health information resources. So the future friend will be your ability to manage your identity and connect that to those FHIP transactions and share Healthcare information between one or more points or with other applications and systems that you have deam consent and authorization to use for managing your own health.
This represents a new trend as Telehealth becomes more popular and virtual care becomes more popular or you have more control over your information up front for your own applications in connection with Telehealth and virtual care engagements with your doctor. This decides how to be able to share that in a virtual information as a virtual encounter or to shame that information between one or more virtual encounters with individuals that leads to a number of standards efforts that are being developed as mentioned Hl7. Already within the identity community, there’s a range of Standards contributing organizations in standard development organization. I’m sure everyone is familiar with the ISO International Standards Organization in Tripoli.
There’s a range of work groups and organizations there that have all been developing standards for decentralized identity and blockchain management and governance. Decentralized identity itself while I’m part of the trust over IP Foundation and the trust over IP Foundation consist of about a hundred members representing different organizations and companies that are contributing to an architectural stack for what we consider to be decentralized identity and trust principles. So those consist of a developing governance framework and ecosystems models which are built around regulatory requirements and frameworks of local governance constraints. In ecosystems where you have issues as credentials verifiers of credentials, the holders as the individual credentialing and identity users in the legal framework that controls what the information must contain, how that information to be protected etc.
Below at the next player you have all are three which is the technical aspects of a verifiable credential itself. The verifiable credential is represented as I mentioned W3C, the World Wide Web Consortium. It’s standard bodies for the credential group is also part of that is the Decentralized Identity Foundation which is developed to centralize identifiers and other protocols for use with verifiable credentials for exchanging information. Then below that at the bottom layer is really what we call our layer one technology, our foundation and that consists of one or more blockchain standards. The greatest prevalence is around hyperledger standard specifically hyperledger Indies and hyperledger Aries but there are other standards that leverage things such as aetherium variations of Bitcoin, blockchain structures, etc that are contributing to the central identity type foundations that can be plugged in there as well.
Third Point
Most important thing that we feel from a trust over IP Foundation stem point is that architectural stack and developing standardized approaches so regardless of the particular variety of blockchain that you’re using, their standard for how does blockchain for interoperability and support the overall architecturals. Requirements to work with verifiable credentials and supports the governance and the regulatory requirements of a particular ecosystem.
Obviously my ecosystem focuses heavily on patient identity and healthcare information. So that includes regulations within the healthcare industry nationally and internationally, participation for insurance companies, Healthcare Providers, Healthcare organizations, and other Healthcare technology companies. We also work with organizations such as ID 2020 or My Data Global if you’re familiar with those which set some principles and standards associated with the identity in general and Healthcare identity specifically to help support and guide what that ecosystem framework is like and contribute to thoughts about the technology and the architecture.
So patient identity as I mentioned is changing very rapidly is an area that is beginning to also expand with consideration such as artificial intelligence as artificial intelligence is used more and more in the healthcare environment. There has to be greater consideration for how information is shared with AI in the same way that you’re officially used to sharing it with the doctor or your clinical environment. What decisions are AI making that are constrained within the algorithms, the machine learning model that are outside of your control, or don’t involve human judgment, and human oversight? Are there ways in which you control your identity and controlling the information that you share with AI helps govern that AI bias that governs the AI model with the AI contributing to the patient engagement and the considerations for what kind of treatment you receive or what your virtual care plan might be? That’s another important point.
As I mentioned also world things like third-party apps and remote patient monitoring, I’m sure many people are aware of or concerned about the fact that large technology companies such as Google, Apple, Facebook, and others have been involved in collecting user data for a long time and are there concerns about how they apply there AI model of their big data model for information days collected? So looking at the ability to insert the individual to manage their individual data and extend that consent models be able to grant consent for how their data is used even in a big global scale is considered very important because this now allows you again like in the GDPR model to extend your consent to say, I know where my data is and how my data is authorized to be used and make decisions about how your data is protected or decide that your data is not to be used in something like a data analysis were or an AI.
Remote patient monitoring means third-party electronic equipment and things that may be supporting information around your medical conditions are being monitored that represents another network where your data is being collected and analyzed and included as part of your clinical care which is great but you also have concerns to make sure that that doesn’t go beyond the boundaries or perhaps sharing with your doctor or your help your organization and being able to extend your consent is part of that decentralized model. Becomes very important for considering how your data is collected long-term or what longitudinal health data is being assembled by one or more electronic components in that remote patient monitoring architecture.
Fourth Point
Lastly things like the third-party Health apps that I mention like Google and Fitbit, you know those are very helpful. I got one on my wrist right now but the ability to not only share more health day with them which is what the interoperability rules allow for but also the ability to control what data is shared and how that data share with those applications helps you enforce granular consent and privacy to be able to to make sure the only data that you want the app to see you and that you will allow it to see is considered. At the same time also be able to control how long that data is available to the application or make sure that application doesn’t behind the scenes share it with another application that you’re not aware of.
The adoption of this sort of technology is still very new. It is really something that I think will be coming along in the course of 2021-2022. I’m sure many of you have read various articles about vaccination credentials or health passports which is an active effort underway. Some more concerns, in the community of course, is making sure that things like verifiable credentials are applied to that and that we aren’t just creating new databases of individuals and information to add all of the summary data, summation of data, and that is being collected on everyone on a daily basis.
The other important thing is the ability to use distributed ledger as part of that to ensure that the data is the right data. Healthcare has a challenge in terms of patient matching and patient verification to ensure that if Jim St. Clair is presenting himself today that I’ve matched up his identity with the correct record to verify medication allergies, known medical conditions, things that have to be looked out for. There is a tremendously high percentage of errors that occur on a regular basis because identity verification hasn’t been completed properly so not only are we concerned about just protecting patient privacy and the patient’s identity, but also bolstering the aspects of that identity characteristics and attributes to help make sure that you verify the right person each time. That will only get more complex when you have the ability to share your information with other apps or have those apps share the information back to your electronic health records in making sure that the data integrity is in place that correlates the right data with the right person to the right records and doesn’t complicate the ability for doctors and clinicians to do an analysis and understand their healthcare.
Other considerations are being able to meet International HealthCare issues in international legal standards around privacy and data I’ve mentioned GDPR and become more of a global society. The ability for someone in one country operating under one legal framework to have a mechanism in place to share their identity and extend consent of the information with the operating in another country. Conversely if someone is receiving healthcare treatment someplace else in another country, that information is collected and stored in ways that maybe in a different legal framework than what you’re used to or what your home country is. As a result you want to have the ability to extend your consent model for the legal framework that fits you both culturally and legally to once you’re entitled to as a citizen of that country into how the information is being used in that system.
Conclusion
Lastly, considerations for more advancements in clinical research and clinical trials. If you consider that there’s a number of big data and clinical analytics efforts underway obviously to be able to understand the novel coronavirus, covid-19, and of course know what’s related to vaccination credentials and the information for vaccinating people themselves. There’s going to want to be more clinical analysis and research done on both the disease itself out a disease manifests itself, the effectiveness of the vaccine, long-term observation of vaccinated citizens to be able to see if there’s any changes in health, or adverse reactions to manifest itself. This means a whole new longitudinal selection of data that has to be collected and analyzed which of course brings privacy concerns and challenges because no one wants to have their data collected in the database for some place for the next 20 years simply because of the association with the vaccination.
As result the ability to tag that data and associated with the consent model where you’re sharing specific parts of the information that are useful for clinical and research purposes but at the same time being able to protect your identity and have the clinical research effort come back and request consent or authorization from you if there’s additional information that they’re seeking as part of a research effort. Then ultimately connecting that perhaps with a compensation strategy or some sort of incentivization strategy to participate in a clinical trial or further research efforts. All of that can be built into part of that decentralized identity information model using schemas and programming framework around the elements of dated themselves as you can say, no disc disease elements of data I’m comfortable with sharing these elements. I want you to come back and ask permission or I won’t share until you request permission for and all of that is a very effective framework for being able to govern your information over a longer period of time than the simple sort of notice of consent and disclosure that were that were used to now in the clinical research world.