Monday, March 6, 2017

Applying blockchain to healthcare - part 9 (access control)

In my last blog post, we explored how Ethereum accounts and digital signatures are used to implement a new form of identity and trust. In a prior blog post, we used the following Patient smart contract:

pragma solidity ^0.4.2;

contract Patient {

  string public name;
  string public dateOfBirth;
  string public gender;

  // Event that is fired when patient is changed
  event PatientChanged(string what);

  // FAMILY^GIVEN^MIDDLE
  function SetName(string _name) {
    name = _name;
    PatientChanged("name"); // fire the event
  }
  // YYYYMMDD 
  function SetDateOfBirth(string _dateOfBirth) {
    dateOfBirth = _dateOfBirth;
    PatientChanged("dateOfBirth"); // fire the event
  }
  // M,F,U,O
  function SetGender(string _gender) {
    gender = _gender;
    PatientChanged("gender"); // fire the event
  }
}

While this smart contract allows anyone to access the data, it also allows anyone to modify it. Once this smart contract is published, anyone can see the patient's name, date of birth and gender. Anyone can also change these properties. Clearly this does not meet the need for privacy or control. While read access is a major privacy concern, it isn't something we will explore in this post (but will in the future). In this blog post, we will explore how to implement access control on modifications to smart contract instances. We will do this by using a new smart contract named PatientAllergies, which manages a list of allergies for a patient. Access to allergies is an important part of patient safety, as giving a patient a medication they have an allergy to can kill them. Here is the PatientAllergies smart contract:

pragma solidity ^0.4.2;

contract PatientAllergies {
    // the address of the owner (the patient)
    address public owner;
    // address of physician that can add allergies
    address public physician;
    // name of the patient LAST^FIRST
    string public name;
    // array of allergies this patient has  
    string[] public allergies;

    // constructor that sets the owner to the address creating
    // this smart contract
    function PatientAllergies() {
        owner = msg.sender;
    }

    // allows owner to change the patient name
    function SetName(string _name) {
        // only allow the owner to change the patient name
        if(msg.sender != owner) {
            throw;
        }
        name = _name;
    }

    // allows physician to add an allergy
    function AddAllergy(string _allergie) {
        if(msg.sender != physician) {
            throw;
        }
        allergies.push(_allergie);
    }
  
    // allows owner to set the physician that can add allergies
    function SetPhysician(address _physician) {
        if(msg.sender != owner) {
            throw;
        }
        physician = _physician;
    }
}

You may recall that an Ethereum transaction includes a digital signature that Ethereum uses to make sure that the account that created the transaction is who they say they are. The transaction therefore includes the account information, which is exposed to smart contracts via the msg.sender property. msg represents the message (or transaction) being sent to the smart contract. msg.sender is the address of the account that sent it. We can implement access control by checking msg.sender in functions to see if the caller (user) is able to perform specific operations. In this case, we assume the account that created the smart contract is the patient and store it in the owner property. Once this is done, we can add an access control check in the SetName() function so only the owner (patient) can change his name. We also add a function SetPhysician() that the owner (patient) can invoke to set the address of a physician who is trusted to update the list of allergies. The AddAllergy() function checks that the account trying to modify the list of allergies is in fact the address the owner (patient) has allowed.

What does this example mean to healthcare?

For patients, it means they can manage their medical record online and control who can make changes to them.  In this case, the patient is the only person who can change the patient name.  The physician that the patient chooses is the only person who can add to the allergy list.

For physicians, it means they can obtain access to the patient's list of allergies by interacting directly with the patient. The patient just needs to give the physician the address of the smart contract and the physician can see the allergies. The physician does not have to wait until his EMR is integrated with some other EMR, the hospital is connected to an HIE or IT has the right VPN in place. Trust and access are managed directly between the patient and the physician.

Please keep in mind that this example is overly simplified to illustrate how access control can be implemented with blockchain. A real application would be much more complex, allowing multiple physicians to manipulate the allergy list, the ability to revoke physicians from the access control list and provisions for changing the owner in case the owner's private key is compromised.
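As an added example (not code from the original post), here is one way the features listed above could be layered onto the same msg.sender check: a mapping acts as the access control list so several physicians can be granted and revoked, and the owner address can be rotated in two steps. The contract name PatientAllergiesACL and every function, event and modifier name in it are hypothetical, and the syntax is kept to the post's ^0.4.2 pragma (throw, constructor named after the contract).

```solidity
pragma solidity ^0.4.2;

// Added example: multi-physician ACL, revocation and owner rotation.
contract PatientAllergiesACL {
    address public owner;                       // the patient
    address public pendingOwner;                // proposed owner, must accept
    mapping(address => bool) public physicians; // the access control list
    string[] public allergies;

    // Events give the patient an audit trail of every ACL change
    event PhysicianGranted(address physician);
    event PhysicianRevoked(address physician);
    event OwnerChanged(address oldOwner, address newOwner);

    // Reusable form of the post's "if (msg.sender != owner) throw;" check
    modifier onlyOwner() { if (msg.sender != owner) throw; _; }
    modifier onlyPhysician() { if (!physicians[msg.sender]) throw; _; }

    function PatientAllergiesACL() {
        owner = msg.sender;
    }

    function GrantPhysician(address _physician) onlyOwner {
        physicians[_physician] = true;
        PhysicianGranted(_physician);
    }

    // Revocation blocks future AddAllergy calls; past entries remain
    function RevokePhysician(address _physician) onlyOwner {
        physicians[_physician] = false;
        PhysicianRevoked(_physician);
    }

    function AddAllergy(string _allergy) onlyPhysician {
        allergies.push(_allergy);
    }

    // Two-step rotation: a mistyped address cannot lock the patient out.
    // This only helps while the patient still controls the current key.
    function ProposeOwner(address _newOwner) onlyOwner {
        pendingOwner = _newOwner;
    }

    function AcceptOwner() {
        if (msg.sender != pendingOwner) throw;
        OwnerChanged(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

Because rotation is itself gated on the owner key, it covers planned key replacement only; recovering from a key that an attacker already holds would need a separate guardian or multi-signature scheme, which this sketch does not attempt.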

Next up is how to protect private keys with wallets

5 comments:

  1. Draglet is among the leaders in developing tailor-made blockchain applications for financial and business purposes.


  3. Hi Chris,
    First of all, congratulations on your blog. It is amazing and the first really useful, clear, understandable source of information regarding Blockchain and its possible usage in Healthcare.
    I have been an HI system integrator for many years and am trying to understand the possible usages and benefits of implementing this technology. One of the major problems when integrating different medical systems is the lack of agreed standards that can be used to exchange the information. Standards like DICOM and HL7 help us; however, I have never found any reference to any of these systems when looking into Blockchain systems advertised as Healthcare options. Am I missing something, or even if you would use Blockchain to store/share medical records, should I still have a standard to reference the passed information (e.g. a DICOM public dictionary telling me how my patient Module looks, or what my allergy section can/cannot contain)? Thank you for your input and please continue explaining more about Blockchain in Healthcare as it is very informational!

  4. Thanks for sharing the link. I read many blogs on blockchain during my research, but no one put such deep thought into blockchain in the healthcare sector. In the past I came across a similar kind of blog, so you can refer to that for your future reference. https://bit.ly/2MWnva7
