Applying blockchain to healthcare - part 8 (accounts)

Ethereum utilizes public key cryptography to secure the blockchain.  Public key cryptography uses a pair of keys: a private key which is kept secret (like a password) and a public key which can be shared with anyone.  A private key is created using a random number generator and the public key is generated from an algorithm that takes the private key as input.  The algorithm only works one way - the public key can always be derived from the private key, but the private key cannot be derived from the public key.  Ethereum takes this cryptographic key pair one step further by generating an Ethereum address from the public key.  This algorithm is also one way - an address can be derived from the public key, but not vice versa.

The ethereum network only knows about addresses - it does not store private keys or public keys.  When a user wants to make a change to the ethereum network, it creates a transaction.  Each transaction must be paid for using ether - the currency of the ethereum network.  Each ethereum account has an associated balance of ether that is used to pay for transactions.  To ensure that the private key associated with the account paying for the transaction has authorized the transaction, each transaction includes a digital signature produced by the  elliptic curve digital signatures algorithm (ECDSA).  Ethereum checks the digital signature and will not process transactions unless they are valid.

In the prior blog post, you may recall metamask prompting you to confirm a transaction:



Metamask is a browser extension that provides secure and user friendly management of ethereum security.  Metamask lets you as a user create ethereum accounts and presents confirmation dialogs for you to approve spending any of your ether.  In the example above, the name I gave this ethereum account "Coinbase (local)" which corresponds to an account in my ethereum private network.  You will also see some of the characters of the ethereum account - "5DEFE02...2fcc".  Next you will notice the ether balance of the associated account - in this case "216675.000" ETH and the value in USD "4191279.82 USD".  You will also notice it telling you that it is creating a new contract "New Contract" and the maximum amount of ether it will cost to execute the transaction "0.094000 ETH".  Given that the EVM which runs smart contracts it Turing complete, it is not possible to determine the cost of a transaction ahead of time so an upper bound is specified when creating the transaction.  After the transaction is executed, the actual cost is dedicated from the account.

Ethereum's approach to security is important to understand as it is the foundation of how identity and trust is managed which is what everyone is so excited about.  Ethereum's private keys provide a universal way for end users to be identified.  Digital signatures provide a way for ethereum to verify identities.  This is actually quite profound as it allows end users to interact directly with the ethereum blockchain without having to trust any intermediaries.  This is completely different than almost every application we work with today.  Today, we have to prove who we are to the applications usually by logging in using a password.  This works great, but requires that we fully trust the application we are logging into.  In the case of ethereum, there is no application layer to trust.  We as end users can directly assert who we are and what we want changed in the blockchain and no intermediate application layer is required. An end user therefore has full control over any data they put on the blockchain and no human, government or corporation can change it.

What does this mean for healthcare?

It means a patient can put their medical records on the blockchain and control it directly.  They can choose who can see it and who can't.  They can choose who can add to it, and who cannot.  It eliminates the need for patients to trust applications (such as patient portals), the administrators of those applications (system admins), or the corporations (hospitals) that control their data.

It means a physician can obtain access to a patient's medical records by interacting directly with that patient.  The layers of security currently in place are not needed.  Hospitals would not have to have connections with an HIE or other hospitals.  The EMRs from different hospitals do not need to interoperate.  IT does not need to be involve.d  The physician would be able to directly access the information they need, all it requires is the patient to approve it.

Suppose a patient is on vacation and suddenly faints.  The patient is admitted to the local hospital emergency department and since the hospital has no record of this patient, has no knowledge of this patients medical history.  The patient might be able to provide some of his medical history verbally - but how accurate is it?  The hospital can try to obtain the medical records from the patient's hometown hospital - but can it be obtained fast enough and can it be imported into the local hospitals information systems?  Storing medical records on the blockchain can solve these issues and it all begins with identity.  End users simply need ethereum accounts and access to the public blockchain.

Next up is using ethereum accounts to implement access control on the patient record.