Applying blockchain to healthcare - part 9 (access control)

In my last blog post, we explored how ethereum accounts and digital signatures are used to implement a new form of identity and trust.  In a prior blog post, we used the following Patient smart contract:

pragma solidity ^0.4.2;

contract Patient {

  string public name;
  string public dateOfBirth;
  string public gender;

  // Event that is fired when patient is changed
  event PatientChanged(string what);

  // FAMILY^GIVEN^MIDDLE
  function SetName(string _name) {
    name = _name;
    PatientChanged("name"); // fire the event
  }
  // YYYYMMDD 
  function SetDateOfBirth(string _dateOfBirth) {
    dateOfBirth = _dateOfBirth;
    PatientChanged("dateOfBirth"); // fire the event
  }
  // M,F,U,O
  function SetGender(string _gender) {
    gender = _gender;
    PatientChanged("gender"); // fire the event
  }
}

While this smart contract allows anyone to access the data, it also allows anyone to modify it.  Once this smart contract is published, anyone can see the patient's name, date of birth and gender.  Anyone can also change these properties.  Cleary this does not meet the need for privacy or control.  While access is a major privacy concern - it isn't something we will explore in this post (but will in the future).  In this blog post, we will be exploring how to implement access control on modifications to smart contract instances.  We will do this by using a new smart contract named PatientAllergies which manages a list of allergies for a patient.  Access to allergies is an important part of patient safety as giving a patient a medication they have an allergy to can kill them.  Here is the PatientAllergies smart contract:

pragma solidity ^0.4.2;

contract PatientAllergies {
    // the address of the owner (the patient)
    address public owner;
    // address of physician that can add allergies
    address public physician;
    // name of the patient LAST^FIRST
    string public name;
    // array of allergies this patient has  
    string[] public allergies;

    // constructor that sets the owner to the address creating
    // this smart contract
    function PatientAllergies() {
        owner = msg.sender;
    }

    // allows owner to change the patient name
    function SetName(string _name) {
        // only allow the owner to change the patient name
        if(msg.sender != owner) {
            throw;
        }
        name = _name;
    }

    // allows physician to add an allergy
    function AddAllergy(string _allergie) {
        if(msg.sender != physician) {
            throw;
        }
        allergies.push(_allergie);
    }
  
    // allows owner to set the physician that can add allergies
    function SetPhysician(address _physician) {
        if(msg.sender != owner) {
            throw;
        }
        physician = _physician;
    }
}

You may recall that an ethereum transaction includes a digital signature that ethereum uses to make sure that the account that created the transaction is who they say they are.  The transaction therefore includes the account information and is exposed to smart contracts via the msg.sender property.  msg represents the message (or transaction) being send to the smart contract.  msg.sender is the address of the account that sent it.  We can implement access control by checking msg.sender in functions to see if the caller (user) is able to perform specific operations.  In this case, we assume the account that created the smart contract is the patient and store it in the owner property.  Once this is done, we can add an access control check in the SetName() function so only the owner (patient) can change his name.  We also add a function SetPhysician() that the owner (patient) can invoke to set the address of a physician who is trusted to update the list of allergies.  The AddAllergy() function checks that the account trying to modify the list of allergies is in fact the address the owner(patient) has allowed.

What does this example mean to healthcare?

For patients, it means they can manage their medical record online and control who can make changes to them.  In this case, the patient is the only person who can change the patient name.  The physician that the patient chooses is the only person who can add to the allergy list.

For physicians, it means they can obtain access to the patients list of allergies by interacting directly with the patient.  The patient just needs to give the physician the address of the smart contract and the physician can see the allergies.  The physician does not have to wait until his EMR is integrated with some other EMR, the hospital is connected to an HIE or IT has the right VPN in place.  Trust and access is managed directly between the patient and the physician.

Please keep in mind that this example is overly simplified to illustrate how access control can be implemented with blockchain.  A real application would be much more complex allowing multiple physicians to manipulate the allergy list, the ability to revoke physicians from the access control list and provisions of changing the owner in case the owners private key is compromised.

Next up is how to protect private keys with wallets