Have you tried access control for health data?
#Digitaltransformation has become the new fad of #globalhealth. About 1/3rd of the world’s data volume is contributed by the health sector alone. Today every exposed surface of your body can have a sensor or a wearable device attached with it that can generate data about almost all the critical organ systems of your body that you studied in your biology classes. While that sounds thrilling for a person who now wears an Apple Watch and get his/ her heart rhythms recorded to get early warnings, it also exposes the businesses and individuals to an immense risk of losing potentially everything. Before I dig deeper into the issue, let’s watch a movie scene from one of my favourite movies, Aiyaary (thanks to Reliance Entertainment and Meta).
In #digitalhealth, data protection has two critical pillars–
Data security
Data privacy.
Those, who are new to the domain of #digitalhealth, data security and data privacy may sound synonymous. But, they are as different as the two characters, Major Jai Bakshi and Colonel Abhay Singh are in this movie. Yet, they are as critical for data protection as the two characters are in the movie. To me data security is more policy and system centric attribute of data protection, while data privacy is more related to the use of data.
Technically speaking, data security is the fundamental defense of the digital information against different threats. These threats can be malicious or accidental, internal or external. Data security policies and practices ensure the integrity and appropriate access to data by preventing malicious attacks and ensuring authorized access. In contrast, data privacy is concerned with the appropriate collection, handling, and use of data. In short, data security is related to access, while data privacy is related to exposure to abuse. Before I jump into access control, let’s understand the difference between security and privacy from an example from the healthcare sector.
A study published in 2017 based on the findings from a national survey among staff at HIV outpatient clinics in Vietnam reported,
“most staff had proper measures and practices for maintaining data security”.
However, less than 2/3rd of the respondents reported to have not shared patient information with other trusted healthcare personnel for consultation purposes.
Therefore, inspite of having strict policies as well as policy awareness regarding data security, confidentiality (read as privacy) was not maintained for a large chunk of patients.
Now that you know how different data security and privacy are, let’s understand how they are integrated in data protection methods from the policies and practices of Apple, one of the most powerful enablers of personalized access to information despite encouraging “advanced and open platform to developers”.
Apple terms privacy as a fundamental human right. Earlier this April, Tim Cook pitched against sideloading by explaining the threats it brings to data privacy and security. Sideloading not only reduces the effectiveness of the App Store security, but it can also enable data-hungry companies to avoid its privacy rules. In fact, this can pose an even larger cybersecurity threat. In their article, Building a Trusted Ecosystem for Millions of Apps, published last year, Apple presented a case study of how Goontact, an adult video chat site abused the Apple Developer Enterprise Program to capture compromising videos of targets and stole their contacts to blackmail users for ransom by threatening to release the videos to their contact lists.
Now, as you recognize the complexity of data protection measures while open data and open source systems are gaining momentum and popularity, let’s delve into the concept of access control.
In digital health, access control is a technology that protects medical data from unauthorized access. Simply speaking, access control allows an organization, agency, program, or practitioner to create an environment where patient data remain secure and are not exposed to unauthorized access. While this sounds simple, implementation of access control is no less difficult than winning an F1 racing. Every single brick of your information flow needs to be leak-proof and every single door that allows the transfer of a byte of data should have a gatekeeper as reliable as Kattappa in Bahubali. If you haven’t seen the movie, let’s watch Kattappa for a moment.
Different techniques of access control exist across the globe, such as, Role-based, Policy-based, Attribute-based, Mandatory, Discretionary, etc. However, not a single method is beyond limitation. For example, in role-based access control if one cadre of staff has different roles, it will be extremely difficult to control the access. Think about a situation where you have 100,000 nurses and they have different roles and responsibilities. For example, some are working to protect maternal and child health, while another group is serving HIV patients, and you have similar other groups. In this scenario, it is difficult for the controller to provide access based on the designation. In mandatory access control, a security kernel checks the object classification level and decides on access. This system is so rigid that in large dynamic settings it can never be applied without hiccups. In recent years, several methods of more flexible, yet less vulnerable access control have been developed. You may read the following articles:
A Secure Access Control Model for E-health Cloud
Authentication and Access Control in e-Health Systems in the Cloud
I would like to conclude with two points–
Access control is not a luxury, but a necessity. If you don’t use it, you are making your beneficiaries as vulnerable as Mukesh Kapoor in Aiyaary.
Access control is not simple, you need gatekeepers as trustworthy as Kattappa in Bahubali.
