Healthc Inform Res. 2020 Jan; 26(1): 3–12.
Application of Blockchain to Maintaining Patient Records in Electronic Health Record for Enhanced Privacy, Scalability, and Availability
Dara Tith
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Joong-Sun Lee
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Hiroyuki Suzuki
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
W. M. A. B. Wijesundara
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Naoko Taira
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Takashi Obi
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Nagaaki Ohyama
Institute of Innovative Research, Tokyo Institute of Technology, Yokohama, Japan.
Received 2019 Sep 13; Revised 2019 November 8; Accepted 2019 November 29.
Abstract
Objectives
Electronic Health Record (EHR) systems are increasingly used as an effective method to share patients' records among different hospitals. However, it is still a challenge to access scattered patient data through multiple EHRs. Our goal is to build a system to access patient records easily among EHRs without relying on a centralized supervisory system.
Methods
We use a consortium blockchain to compose a distributed system using Hyperledger Fabric incorporating existing EHRs. Peer nodes hold the same ledger on which the address of a patient record in an EHR is written. Individual patients are identified by unique certificates issued by local certificate authorities that collaborate with each other in a channel of the network. To protect a patient's privacy, we use a proxy re-encryption scheme when the data are transferred. We designed and implemented various chaincodes to handle business logic agreed by member organizations of the network.
Results
We developed a prototype system to implement our concept and tested its performance including chaincode logic. The results demonstrated that our system can be used by doctors to find a patient's records and verify the patient's consent on access to the data. Patients also can seamlessly receive their past records from other hospitals. The access log is stored transparently and immutably in the ledger and is used for auditing purposes.
Conclusions
Our system is feasible and flexible with scalability and availability in adapting to existing EHRs for strengthening security and privacy in managing patient records. Our research is expected to provide an effective method to integrate dispersed patient records among medical institutions.
Keywords: Health Information Exchanges, Electronic Health Records, Patient Information Privacy, Computer Security, Decentralization
I. Introduction
Electronic Health Record (EHR) systems [1] have been increasingly used as an effective method to share patients' records among different hospitals. However, it is still a challenge to access scattered patient data through multiple EHRs because existing EHRs are regionally limited or belong to affiliated hospitals. Based on the report published by the Office of the National Coordinator for Health Information Technology (ONC) [2], the main barrier to accessing patient records lies in the difficulty of finding providers' addresses. So far, there have been several projects to overcome these problems; however, the solutions they have produced are difficult and involve redesigning or upgrading existing EHR systems, which would require substantial expenses. Among them, one of the most actively ongoing programs is run by CommonWell Health Alliance [3] in the United States, a nonprofit association. They support EHRs, care providers, and healthcare information technology (HIT) vendors to connect to their nationwide interoperability network via certified integration platforms and intermediaries. They use a centralized system that allows patients and doctors to search for a patient's scattered medical records [4]. Such a centralized architecture has the drawbacks that it may face the risk of a single point of failure and a bottleneck of information flow when the system becomes larger.
In an EHR system, when patient records are accessed for any reason, the history of all such events must be recorded in a log file for later audit of access histories. The log file is used for reconstructing the past state of medical records, and it can be treated as a legal document [5,6,7]. Thus, we should firmly protect the log file from illegal access and make it immutable if possible.
In this paper, we propose a decentralized system to address problems in sharing patient records among EHRs without relying on a high-end centralized system. Our system has three major features: (1) a trusted directory of patient data in EHRs which guarantees access as well as the integrity of the data itself, (2) strengthened security in dealing with patient data by utilizing a particular encryption scheme and providing a transparent and undeniable audit trail based on an immutable access log, and (3) scalability to cover multiple existing EHRs of regional or core hospitals with the least modification, and availability of the system without relying on a centralized supervisory system.
We design the system following the Health Insurance Portability and Accountability Act (HIPAA) technical safeguards [8] and ISO/TS 18308 [5] for the interoperability, data integrity, auditability, and availability of the system. To accomplish our goals, we adopt blockchain technology, especially the permissioned consortium type [9], using the Hyperledger Fabric (HLF) platform. Multiple hospitals gather to form a consortium having a private peer-to-peer network, and permission to join it is determined based on consensus among the members.
HLF is an open-source platform that has many essential components available in several programming languages. In addition, it provides a Byzantine fault tolerant consensus protocol [10] for ordering transactions into a block. Moreover, it allows end-to-end [11] throughput of more than 3,500 transactions per second. It is a project [12] hosted by the Linux Foundation, and contributions to the project are made by Digital Asset and IBM.
II. Methods
1. Hyperledger Fabric
In HLF, there are several key components (Table 1) that play pivotal roles in the system. In addition, it provides three phases of consensus (Table 2) to validate transactions before uploading them to the ledger. HLF provides a variety of specially designated chaincodes called system chaincodes to perform certain privileged tasks. Examples of system chaincodes are the Configuration, Life Cycle, Query, Endorser, and Validator system chaincodes. In our study, we designed several prerequisite chaincodes and implemented them in our prototype system.
Table 1
Table 2
2. System Conceptual Design
We built a private subnet of an HLF network where the same ledger is shared among the hospital members (Figure 1), which is called a channel. Organizations or departments within them can establish independent channels with relevant ledgers according to their needs. In practice, medical data is usually too large to handle directly in a ledger; therefore, the data is kept in an EHR, and only its address is recorded in the ledger. Such storage types are called on-chain or off-chain according to whether the data is in a ledger or not [15]. A ledger also contains the hash values of the data. This guarantees data integrity because once a piece of data is written in a ledger, it becomes immutable, and this allows the user to check whether the data has been altered or not.
In our system, we assume that a client of HLF (Table 1) is a doctor, nurse, or clerk who helps patients to upload or share their medical records. Clients from medical institutions issue various types of transactions and store them in a ledger. The ledger consists of patient metadata, including demographics, and these data are used for retrieval requests to find transactions related to a specific patient during a specified period of block timestamps in the ledger. Thus, the ledger functions as a registry of patient IDs for doctors to search for their patient's records stored in other EHRs. In addition, each transaction contains the client's request metadata, chaincode execution results, and medical record metadata, such as hospital ID, the hash of the medical record stored in an EHR, and so forth. Consequently, these data can be used for auditing purposes.
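The on-chain/off-chain split and the registry role of the ledger can be made concrete with a small in-memory model. The following is an added example written for this page, not code from the paper or from Hyperledger Fabric: the "ledger" is a plain list of transaction dicts and each hospital EHR is a dict from a record address to the stored bytes, both constructed here. Only metadata (hospital ID, address, SHA-256 hash, block timestamp) goes on-chain; the record bytes stay off-chain, and a reader checks the fetched bytes against the on-chain hash before trusting them.

```python
import hashlib

# Constructed stand-ins for this example: the channel ledger is a list of
# transaction dicts; a hospital EHR is a dict mapping record address -> bytes.
# Field names (hospital_id, patient, address, hash, timestamp) are assumptions;
# the paper names the metadata but not its exact schema.

def record_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def write_record(ledger, ehr, hospital_id, patient_hash, address, data, timestamp):
    """Store the record off-chain in the EHR, then append its metadata on-chain."""
    ehr[address] = data
    tx = {
        "hospital_id": hospital_id,
        "patient": patient_hash,      # hashed eID, never the raw identifier
        "address": address,           # where the EHR keeps the record
        "hash": record_hash(data),    # integrity anchor for the off-chain bytes
        "timestamp": timestamp,       # block timestamp used for period queries
    }
    ledger.append(tx)
    return tx

def query_records(ledger, patient_hash, since, until, hospital_id=None):
    """Registry lookup: a patient's transactions within a block-timestamp window,
    optionally narrowed to one hospital (the extra query keywords the paper allows)."""
    return [
        tx for tx in ledger
        if tx["patient"] == patient_hash
        and since <= tx["timestamp"] <= until
        and (hospital_id is None or tx["hospital_id"] == hospital_id)
    ]

def fetch_verified(ledger, ehr, address):
    """Pull the off-chain bytes and check them against the on-chain hash.
    Returns the data, or None when the EHR copy is missing or has been altered."""
    anchors = [tx for tx in ledger if tx["address"] == address]
    if not anchors:
        raise KeyError(f"no ledger entry for {address}")
    data = ehr.get(address)
    if data is None or record_hash(data) != anchors[-1]["hash"]:
        return None
    return data
```

The integrity check is the property the paragraph relies on: because the hash is immutable once written, a silently modified EHR copy is rejected by `fetch_verified` even though the EHR itself is outside the ledger's control.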
For an individual patient, the enrolment ID (eID) issued by a membership service provider (MSP) is used as the channel patient ID in the system. Each transaction in the ledger contains an eID, which is hashed after being concatenated with random data called a salt [19], in the format shown below:
$n $salt $hash (salt + eID).
This format is almost the same as the way a Linux system stores its users' hashed passwords with salts. Here, "$" is used as a delimiter between neighboring fields; "n" represents the hash algorithm type, where 1, 5, and 6 correspond to MD5, SHA-256, and SHA-512, respectively; and the salt is a string of random alphanumeric characters up to 16 letters long.
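To show how the `$n$salt$hash(salt + eID)` field is produced, parsed and checked, here is an added example written for this page, not the paper's own code. It follows the rules stated above (the `$` delimiter, algorithm IDs 1/5/6, an alphanumeric salt of at most 16 characters, salt prepended to the eID before hashing). Hex encoding of the digest and the function names are assumptions; the paper does not state its digest encoding.

```python
import hashlib
import hmac
import secrets
import string

# Hash-type field "n" in "$n$salt$hash(salt + eID)", following the Linux crypt
# convention the paper cites: $1$ = MD5, $5$ = SHA-256, $6$ = SHA-512.
HASH_BY_ID = {"1": "md5", "5": "sha256", "6": "sha512"}
SALT_ALPHABET = string.ascii_letters + string.digits
MAX_SALT_LEN = 16

def make_salt(length: int = MAX_SALT_LEN) -> str:
    """Random alphanumeric salt of at most 16 characters, as the paper specifies."""
    if not 1 <= length <= MAX_SALT_LEN:
        raise ValueError("salt length must be between 1 and 16")
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def hash_eid(eid: str, salt: str, hash_id: str = "6") -> str:
    """Build the "$n$salt$hash" field; the digest is hex-encoded (an assumption)."""
    digest = hashlib.new(HASH_BY_ID[hash_id], (salt + eid).encode("utf-8")).hexdigest()
    return f"${hash_id}${salt}${digest}"

def parse_record(record: str):
    """Split "$n$salt$hash" into its three fields, rejecting malformed input."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in HASH_BY_ID:
        raise ValueError("malformed eID field")
    _, hash_id, salt, digest = parts
    if not 1 <= len(salt) <= MAX_SALT_LEN or not set(salt) <= set(SALT_ALPHABET):
        raise ValueError("bad salt")
    return hash_id, salt, digest

def verify_eid(record: str, eid: str) -> bool:
    """Recompute with the stored salt and algorithm; compare in constant time."""
    hash_id, salt, _ = parse_record(record)
    return hmac.compare_digest(hash_eid(eid, salt, hash_id), record)

def find_patient(ledger_fields, eid: str):
    """Every transaction carries a fresh salt, so the same eID never yields the
    same field twice and a lookup must re-hash per entry. That is the extra
    query cost the Discussion mentions, and why hospital ID and timestamps are
    used as additional keywords to narrow the scan first."""
    return [f for f in ledger_fields if verify_eid(f, eid)]
```

The per-transaction salt is what stops an observer of the ledger from linking all of one patient's transactions by a repeated hash value; `find_patient` shows the price of that property, a linear re-hash over the candidate entries.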
3. Cryptographic Scheme
Before patient data is uploaded to the EHR system with the patient's consent, the data is encrypted using an acceptable symmetric key. Then the symmetric key is asymmetrically encrypted using the patient's public key and attached to the encrypted data. This hybrid encryption makes the procedure efficient in terms of both speed and convenience because the encryption of large data can be done faster with a symmetric key than with an asymmetric key, while the latter is more convenient for encrypting a small-size cryptographic key.
To read patient data, a proxy downloads it from the relevant EHR and sends it to the receiver. However, in case the receiver is different from the patient, the encrypted symmetric key attached to the data should be transformed so that it can be decrypted with the receiver's private key. To do this, we use a proxy re-encryption scheme (Figure 2) in which the patient generates the proxy re-encryption key by mathematically combining their private key and the receiver's public key using the AFGH algorithm [20,21]. After receiving the newly made re-encryption key, the proxy re-encrypts the symmetric key for the receiver. In that process, the symmetric key is not disclosed to the proxy. Otherwise, the proxy would have to send the data to the patient to have it encrypted using the receiver's public key.
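The following added example (written for this page, not the paper's implementation) walks through the Figure 2 flow at the key level: the patient wraps the record's symmetric key under her public key, the proxy transforms the wrapped key for the receiving doctor without ever seeing it, and the doctor unwraps it. The paper's AFGH scheme needs a bilinear pairing, which the Python standard library does not provide, so this example substitutes the simpler BBS-style ElGamal re-encryption that the Discussion contrasts with AFGH, over a toy multiplicative group (the Mersenne prime 2^521 - 1, an assumption for illustration only). This also makes the paper's design point visible in code: the BBS-style re-key needs the receiver's private key, whereas AFGH derives it from the receiver's public key. All function names are assumptions.

```python
import secrets
from math import gcd

# Toy group, an assumption for this example: the multiplicative group modulo the
# Mersenne prime p = 2^521 - 1 with generator 2. The paper uses EC-ElGamal with
# the pairing-based AFGH scheme; pairings are not in the standard library, so the
# simpler BBS-style ElGamal re-encryption is used here to show the mechanics.
P = 2**521 - 1
G = 2

def keygen():
    """Private exponent sk (invertible mod the group order p-1) and public key g^sk."""
    while True:
        sk = secrets.randbelow(P - 2) + 1
        if gcd(sk, P - 1) == 1:
            return sk, pow(G, sk, P)

def wrap_key(sym_key: bytes, pk: int):
    """Encrypt the record's symmetric key under the patient's public key:
    c1 = k * g^r, c2 = pk^r = g^(sk*r). (AES encryption of the record itself,
    which the paper uses, happens outside this example.)"""
    k = int.from_bytes(sym_key, "big")
    if not 0 < k < P:
        raise ValueError("symmetric key must encode to an integer in (0, p)")
    r = secrets.randbelow(P - 2) + 1
    return (k * pow(G, r, P)) % P, pow(pk, r, P)

def unwrap_key(ciphertext, sk: int, key_len: int) -> bytes:
    """Recover g^r = c2^(1/sk) and then k = c1 / g^r."""
    c1, c2 = ciphertext
    g_r = pow(c2, pow(sk, -1, P - 1), P)
    k = (c1 * pow(g_r, -1, P)) % P
    return k.to_bytes(key_len, "big")

def rekey(sk_patient: int, sk_receiver: int) -> int:
    """BBS-style re-encryption key rk = sk_receiver / sk_patient (mod p-1).
    It needs the receiver's PRIVATE key, which is the drawback the paper cites
    for BBS; AFGH derives rk from the receiver's public key instead."""
    return (sk_receiver * pow(sk_patient, -1, P - 1)) % (P - 1)

def proxy_reencrypt(ciphertext, rk: int):
    """The proxy only raises c2 to rk: g^(sk_a*r) becomes g^(sk_b*r).
    c1 is untouched, so the proxy never learns k."""
    c1, c2 = ciphertext
    return c1, pow(c2, rk, P)

def share_record_key(sym_key: bytes):
    """End-to-end flow of Figure 2 with a BBS-style re-key: the patient wraps k,
    the proxy transforms it, the receiving doctor unwraps it.
    Returns (doctor_recovers_key, patient_still_recovers_original)."""
    sk_a, pk_a = keygen()          # patient
    sk_b, _ = keygen()             # receiving doctor
    c_patient = wrap_key(sym_key, pk_a)
    c_doctor = proxy_reencrypt(c_patient, rekey(sk_a, sk_b))
    return (unwrap_key(c_doctor, sk_b, len(sym_key)) == sym_key,
            unwrap_key(c_patient, sk_a, len(sym_key)) == sym_key)
```

The property worth checking is in `proxy_reencrypt`: the proxy holds only `rk` and the ciphertext, and the blinded component `c1` is never touched, so the symmetric key is not exposed during the transformation, which is the guarantee the paragraph above relies on regardless of whether BBS or AFGH is used.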
4. Web-Based Application
Our system provides a web-based application for clients in each hospital to make access requests to the ledger or EHR. The web-based application is the front-end application program available in a hospital or clinic. A hospital can have a single peer or many peers according to its scale, while a small clinic functions as a client without a peer. For identifying participants across the system, doctors in each hospital are assumed to have their own ECerts.
The web-based application offers web-based user interfaces and essential interactive functions for communication between participants in the system. Patients use it to generate key pairs to register and enrol their identities in the system to obtain ECerts. In addition, they can generate proxy re-encryption keys and send them to the proxy. On the other hand, the client uses this web-based application to create a transaction proposal and submit it to the blockchain system for tasks such as identifying a patient's identity and creating, uploading, and sharing medical records, metadata, and so forth.
III. Results
1. Developed Chaincodes
In our prototype system, we installed five chaincodes with which business logic is performed. Each chaincode has many programming functions in it, and they usually read and update the ledger state, with all the business logic contained inside functions. In an actual system, each chaincode needs to get agreement among all the member hospitals before being deployed in the system. Table 3 presents details of the proposed chaincodes.
Table 3
2. Use Case Scenarios
We simulated use cases using the prototype system. In Figures 3, 4, and 5, which describe a practical situation, we assume that a patient, let's call her Alice, visits Hospital_A for the first time. There, Alice is diagnosed with cancer, and her doctor, Dr. Bob, recommends that she go to the central hospital to see a cancer specialist. Dr. Bob uploads Alice's records with her consent to the hospital's EHR. Then Alice moves to the central hospital, and the cancer specialist accesses Alice's data in the EHR that belongs to Hospital_A.
1) First visit to a hospital
Alice makes a first visit to Hospital_A (Figure 3). To enrol in the hospital, she provides her demographic data or the national insurance number to a clerk. This information will be used for registering her in the patient identity source of the hospital and issuing an ECert for her. The ECert and private key need to be stored in a secure storage device, for instance, an IC card or USB memory. After the ECert is issued by the local certificate authority (CA), the clerk must store the hash value of Alice's eID and her individual patient ID in the ledger.
2) Uploading patient's record with metadata and consent
When a patient's records are uploaded to the EHR system (Figure 4), Alice gives the doctor her consent with conditions for sharing her records with third parties or her relatives. Then, the doctor encrypts Alice's record using an adequate symmetric key and encrypts that key using Alice's public key to attach it to the record. Finally, the doctor uploads Alice's record to Hospital_A's EHR system and writes the record's consent and the address of the data location to the ledger.
3) Requesting patient's record
Alice goes to see a specialist in the central hospital (Figure 5), where she registers as a new patient, if needed, and provides her ECert previously issued in Hospital_A. When treating Alice, the doctor wants to get Alice's previous records, so he sends a transaction proposal requesting Alice's record metadata during a certain period together with the previous hospital's ID. Then, each endorsing peer simulates the transaction proposal by executing chaincodes and returns its chaincode result to the proxy of the hospital where the client application is run by the doctor. The application compares the query results, and if they all match, it lets the doctor select the necessary records from them to make a list of the patient's records that he wants to obtain. After receiving the list, the proxy asks Alice to generate the proxy re-encryption key. Then, the proxy downloads Alice's records in the list from the relevant EHRs and re-encrypts the encrypted symmetric key attached to each record using the re-encryption key. After that, the proxy sends Alice's records to the doctor.
3. Prototype System
A prototype system was built on a small scale for testing on a local network with four Windows PCs for patients to use the patient web application, four Linux PCs for doctors to use the doctor web application, and four proxies for four hospitals. In addition, we used two Windows PCs as EHRs. The HLF platform was run on Docker for executing chaincodes. For EHR records, we dealt with standardized data, such as HL7/CDA and DICOM image data. We changed the system configuration with various numbers of PCs to assess the performance including chaincode logic. As a result, it took a little more time with an increasing number of PCs when querying data in the blockchain as well as when encrypting and decrypting the records and transferring files.
The above prototype is not the same as an actual working environment. The system and chaincode functionality may require specific modification to suit consortium privacy policies and the legal requirements set by the governing authority.
IV. Discussion
In the implementation of the system, all the verification steps are essential for security purposes. To protect patient privacy, we adopted the Advanced Encryption Standard (AES) algorithm for symmetric-key encryption of patient data and the Elliptic Curve ElGamal (EC-ElGamal) algorithm for asymmetric-key encryption of the symmetric key in the proxy re-encryption scheme. The asymmetric key pair is also used for the signature on the transaction proposal. However, for the purpose of further strengthening security, a patient can have another key pair for signatures different from the one used for encryption. The former is generated using the HLF function, the latter by importing a function of EC-ElGamal encryption using EC cryptography. When a patient chooses to have two pairs of keys, he or she bears a greater burden to keep them secret. In case a patient loses these private keys, a key escrow system is assumed to be used for retrieving the lost keys or symmetric keys from the ECert issuer or the hospital, only for decryption of the patient data. After all, retrieved keys must be used only temporarily before new keys and a new ECert are issued for the patient.
We hash the eID with a salt to avoid transactions of the records related to a patient having the same hash value of the eID, with which the patient's records might be traced undesirably along the ledger. Meanwhile, this technique causes a longer processing time to find a patient when querying the data. To make the process faster, doctors can input many relevant query keywords for obtaining the data. These keywords include not only eIDs but also timestamps and hospital IDs.
The proxy's roles are to connect different EHRs through a secured communication network, download the medical records, and re-encrypt the patient's data. This scheme makes the processing time shorter in transferring a patient's data securely; otherwise, the data must be sent to the patient to be decrypted using the patient's private key and encrypted again using the receiver's public key before it is sent back to the proxy and then to the receiver. For proxy re-encryption, we adopt the AFGH algorithm because it uses the receiver's public key rather than the private key as in the BBS algorithm [22], where the receiver's private key is created and used transiently only for receiving the data.
To strengthen privacy in access to records, patients can give consent with conditions in the transaction of records for sharing them with a third party. Furthermore, the ledger retains events of sharing data and the relevant person's information, which facilitates the auditing procedure.
There have been several projects to establish a medical data-sharing system based on the blockchain. Among them, MedRec [23] is an early study applying the private Ethereum platform to EMRs. In Ethereum, an executable program run in the network is called a smart contract instead of a chaincode. Ethereum requires mining mechanisms to sustain the distributed ledger, which is a time-delayed procedure with miners competing in proof of work, although it is not difficult to make a private platform have a short block time of less than 10 seconds. Medical stakeholders, such as researchers, public health authorities, and so forth, need to be incentivized to participate actively as miners. To address these issues, MedRec 2.0 is currently under development [24].
Ancile [13] is another blockchain-based system using the private Ethereum platform, which applies a technique that is similar to ours for medical record management, adopting the on-chain and off-chain concept. Ancile uses distributed proxies for re-encryption, called blinding re-encryption, by splitting the ciphertext for re-encryption between multiple nodes.
On the other hand, Dubovitskaya et al. [25] use HLF in a cloud system. In this system, the data structure consists of key and value pairs. The key is a hash of a combination of the symmetric key and uniquely identifiable information (UII) of the patient, and the value is the record metadata. To reduce the vulnerability of the system, patients encrypt each piece of their data using different symmetric keys. However, this incurs a heavy burden of key management, such that patients need to choose the corresponding symmetric key for generating a key number every time they query for the data.
Our system is a consortium network. If other medical institutions want to access this network, they must make a request to register as a member of this network. Otherwise, a non-member institution can communicate through the member institutions. Peers are the trusted elements from each medical institution. They need to strengthen their own security to protect peers from illegal access. At the same time, every medical institution needs to agree on the chaincode logic before deploying it in the system. Thus, our blockchain system can also be run effectively in a cloud system, even though its fundamental standpoint is opposite in terms of decentralization. Cloud computing can provide a solution to the blockchain size problem, where the ledger gradually grows with time and peers will have difficulty keeping and processing it.
In conclusion, our system can be used to establish a large-scale EHR system. It is flexibly configurable to be a top layer on existing EHR systems to strengthen security in the management and exchange of medical records. Our system takes on the roles of a patient identifier, a trustee access log, and a registry of patient records. Even though our system does not offer explicit incentives to participants as other blockchain-based systems do by issuing a cryptocurrency, it will benefit users and stakeholders as well, including healthcare service providers and the authorities. We expect that our research can help patients to find their medical histories more easily when they visit other hospitals. As future work, we are going to test our system in a real hospital environment. We will prepare to deal with non-standardized data in a real-world field test.
Footnotes
Conflict of Interest: No potential conflict of interest relevant to this article was reported.
References
1. Greenhalgh T, Hinder S, Stramer K, Bratan T, Russell J. Adoption, non-adoption, and abandonment of a personal electronic health record: case study of HealthSpace. BMJ. 2010;341:c5814.
2. Pylypchuk Y, Johnson C, Henry J, Ciricean D. Variation in interoperability among US non-federal acute care hospitals in 2017. ONC Data Brief. 2018;(42):1–15.
5. van der Linden H, Kalra D, Hasman A, Talmon J. Inter-organizational future proof EHR systems: a review of the security and privacy related issues. Int J Med Inform. 2009;78(3):141–160.
7. Walsh T, Miaoulis W. Privacy and security audits of electronic health information. J AHIMA. 2014;85(3):54–59.
9. Xu X, Weber I, Staples M, Zhu L, Bosch J, Bass L, et al. A taxonomy of blockchain-based systems for architecture design. Proceedings of the 2017 IEEE International Conference on Software Architecture (ICSA); 2017 Apr 3-7; Gothenburg, Sweden. pp. 243–252.
10. Sousa J, Bessani A, Vukolic M. A byzantine fault-tolerant ordering service for the hyperledger fabric blockchain platform. Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN); 2018 Jun 25-28; Luxembourg City, Luxembourg. pp. 51–58.
11. Androulaki E, Barger A, Bortnikov V, Cachin C, Christidis K, De Caro A, et al. Hyperledger fabric: a distributed operating system for permissioned blockchains. Proceedings of the 13th EuroSys Conference; 2018 Apr 23-26; Porto, Portugal.
13. Dagher GG, Mohler J, Milojkovic M, Marella PB. Ancile: privacy-preserving framework for access control and interoperability of electronic health records using blockchain technology. Sustain Cities Soc. 2018;39:283–297.
14. Roehrs A, da Costa CA, da Rosa Righi R. OmniPHR: a distributed architecture model to integrate personal health records. J Biomed Inform. 2017;71:70–81.
15. Kuo TT, Kim HE, Ohno-Machado L. Blockchain distributed ledger technologies for biomedical and health care applications. J Am Med Inform Assoc. 2017;24(6):1211–1220.
16. Manzoor A, Liyanage M, Braeke A, Kanhere SS, Ylianttila M. Blockchain based proxy re-encryption scheme for secure IoT data sharing. Proceedings of the 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC); 2019 May 14-17; Seoul, Korea. pp. 99–103.
17. Thakkar P, Nathan S, Viswanathan B. Performance benchmarking and optimizing hyperledger fabric blockchain platform. Proceedings of the IEEE 26th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS); 2018 Sep 25-28; Milwaukee, WI. pp. 264–276.
18. Wang S, Ouyang L, Yuan Y, Ni X, Han X, Wang FY. Blockchain-enabled smart contracts: architecture, applications, and future trends. IEEE Trans Syst Man Cybern Syst. 2019;49(11):2266–2277.
19. Preneel B. Cryptographic hash functions: theory and practice. In: Gong G, Gupta KC, editors. Progress in cryptology – INDOCRYPT 2010. Heidelberg, Germany: Springer; 2010. pp. 115–117.
20. Thangam V, Chandrasekaran K. Elliptic curve based proxy re-encryption. Proceedings of the 2nd International Conference on Information and Communication Technology for Competitive Strategies (ICTCS); 2016 Mar 4-5; Udaipur, India. pp. 1–6.
21. Chow SS, Weng J, Yang Y, Deng RH. Efficient unidirectional proxy re-encryption. In: Bernstein DJ, Lange T, editors. Progress in cryptology – AFRICACRYPT 2010. Heidelberg, Germany: Springer; 2010. pp. 316–332.
22. Ateniese G, Fu K, Green M, Hohenberger S. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans Inf Syst Secur. 2006;9(1):1–30.
23. Azaria A, Ekblaw A, Vieira T, Lippman A. MedRec: using blockchain for medical data access and permission management. Proceedings of the 2nd International Conference on Open and Big Data (OBD); 2016 Aug 22-24; Vienna, Austria. pp. 25–30.
25. Dubovitskaya A, Xu Z, Ryu S, Schumacher M, Wang F. Secure and trustable electronic medical records sharing using blockchain. AMIA Annu Symp Proc. 2018;2017:650–659.
Articles from Healthcare Informatics Research are provided here courtesy of Korean Society of Medical Informatics
Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7010942/