Hi,
A blockchain[1] <https://en.wikipedia.org/wiki/Blockchain#cite_note-te20151031-1>[2] <https://en.wikipedia.org/wiki/Blockchain#cite_note-fortune20160515-2>[3] <https://en.wikipedia.org/wiki/Blockchain#cite_note-nyt20160521-3> – originally block chain[4] <https://en.wikipedia.org/wiki/Blockchain#cite_note-primer-4>[5] <https://en.wikipedia.org/wiki/Blockchain#cite_note-obmh-5> – is a continuously growing list of records <https://en.wikipedia.org/wiki/Record_(computer_science)>, called blocks, which are linked and secured using cryptography <https://en.wikipedia.org/wiki/Cryptography>.[1] <https://en.wikipedia.org/wiki/Blockchain#cite_note-te20151031-1>[6] <https://en.wikipedia.org/wiki/Blockchain#cite_note-cryptocurrencytech-6> Each block typically contains a hash <https://en.wikipedia.org/wiki/Cryptographic_hash_function> pointer as a link to a previous block,[6] <https://en.wikipedia.org/wiki/Blockchain#cite_note-cryptocurrencytech-6> a timestamp <https://en.wikipedia.org/wiki/Trusted_timestamping> and transaction data.[7] <https://en.wikipedia.org/wiki/Blockchain#cite_note-IPblockchain-7> By design, blockchains are inherently resistant to modification of the data. A blockchain can serve as "an open, distributed ledger <https://en.wikipedia.org/wiki/Distributed_ledger> that can record transactions between two parties efficiently and in a verifiable and permanent way."[8] <https://en.wikipedia.org/wiki/Blockchain#cite_note-hbr201701-8>[not in citation given <https://en.wikipedia.org/wiki/Wikipedia:Verifiability> (See discussion. <https://en.wikipedia.org/wiki/Talk:Blockchain#Edit_misrepresenting_cited_sources>)] For use as a distributed ledger, a blockchain is typically managed by a peer-to-peer <https://en.wikipedia.org/wiki/Peer-to-peer> network collectively adhering to a protocol for validating new blocks. Once recorded, the data in any given block cannot be altered retroactively without the alteration of all subsequent blocks, which requires collusion of the network majority. https://en.wikipedia.org/wiki/Blockchain <https://en.wikipedia.org/wiki/Blockchain> What is Blockchain offering? Bringing data from a to b? Storing data? Securing data? Preventing privacy incidents? Taking care of non-repudiation? Taking care of data integrity? Play a role in logging? Will it prevent hacking of PC’s, Servers? and other attacks such social hacking, pasword sniffing, etc.? At best it serves a role in: non-repudiation, data integrity and logging (access control lists) without the need of a trusted third party service. But one has to rely on safe/secure IT-systems that make use of it. It takes care of a non-health related issue; it takes care of a generic legal issue. Bye the way. NICTIZ’ opinion is: - Certainly it (blockchain) can not be deployed and replace in healthcare the present “proven technology" Het kan zeker nog niet worden ingezet voor vervanging van de huidige “proven technology” in de zorg - It is in the hype-phase. - Many of the potential advantages will have to be proven. Gerard Freriks +31 620347088 gf...@luna.nl Kattensingel 20 2801 CA Gouda the Netherlands > On 15 Nov 2017, at 21:14, Bert Verhees <bert.verh...@rosa.nl> wrote: > > There are so many privacy breaches in medical data, hacked accounts, > data-leaks, wacky account rules, social hacking, temporary personal from > employment agencies, no logging on access to systems, systems standing open > and the nurse doing something else. > A GP can call a specialist, it is very common to call a specialist, and say > that information is needed on patient So and So. This happens so many times. > He does not need to prove that he is the GP for that patient. A specialist > does not have time for that kind of verifications. > > And when you talk about these kind of things to clinicians, the all denying, > but they all know better. > And when you talk about these kind of things to software companies, they > start denying too, their software is oke! > But it isn't, because a doctor does not pay for security, but for nifty > software. On security no money can be earned. > >> So unless you are talking about the openEHR system being actively hacked, I >> don't think this is a real use case. If we are talking about the openEHR >> versioning being hacked, then a) they had to hack RAID 10 storage, DB >> persistence mirroring, daily backups, b) the data centre has singificant >> security, c) some security analysis will have been made in advance (it will, >> won't it?!), and depending on the perceived threat, there may be e.g. >> hashing + notary, or signed hashes + notary, which requires the hackers to >> be of a superior variety. > > No one ever hacks a RAID-system, they hack the software. The RAID system is > to the software like a single disk, if you remove data from software, then > the RAID system will remove it too, it follows the software. The DB > persistence mirroring is the same story. Daily backups are never rolled back > (only in disaster scenario), because you will lose all newly entered data. > > A friend, a journalist was taking track of all illegal data-leaks in medical > context, he has done that for over ten years. > It must have been millions of patients whose data are leaked, stolen > notebooks with copies of databases, lost USB-sticks, hacked accounts, every > day there is something. It happens in the best secured organizations like the > army. A container full with paper-patient-dossiers was standing on the street > in a big city. Harddisks are not always cleaned up when sold to second hand > computer-shops. I once got (so was said) a brand new server-hard-disk from > HP-reseller, it wasn't new, there were data on it. > > Mostly this news is from the USA because there they is the obligation to > report data leaks to the public. In the Netherlands this is not so, and guess > who is against such a law? > https://www.google.nl/search?q=data+leak&source=lnms&tbm=nws > <https://www.google.nl/search?q=data+leak&source=lnms&tbm=nws> > >> >> It's a fair bit of work to invisibly hack a properly implemented versioned >> DB implementation within a secure facility, which is what is needed for a >> medico-legal claim based on data to fail. >> >>> How about a patient who discovers its employer has knowledge of private >>> medical data? People often think about psychiatric circumstances, but it >>> can be other things in this time of revival of religions, f.e. a woman who >>> hides the fact she has had an abortion and is now teaching on a christian >>> school. >> >> ok, now that's privacy, so we are talking data theft, not integrity or >> non-repudiation of authorship. > > Yes, that is, and maybe it is just paranoia, everybody has the right to be > paranoid. Special in small communities data can leak very easy. Social > hacking, you can call that. Happens all the time. But that kind of leaking > cannot always be avoided with blockchain, unless the leaking GP is looking at > someone else his system over a secured logging communication-network. Then it > should be that the looking into data will be in a transaction, because it is > interchanging medical data, which must guaranteed to be complete, unaltered > and logged at receiver and sender. > >> >>> >>> Also interesting in this discussion is how to handle deletion of medical >>> data (the patients right to be forgotten). >>> Can it be that data refer to data on other systems, or may they only refer >>> to data on the same system, copies of data from other systems? >>> Do these copies need some accountable reference to where they come from? >> >> these are I agree, important questions, and we've tried to cover some of it >> with openEHR e.g. via FEEDER_AUDIT >> <http://www.openehr.org/releases/RM/latest/docs/common/common.html#_feeder_system_audit>, >> URI datatype, and more recently some thinking in a new REPORT type >> <https://openehr.atlassian.net/wiki/spaces/spec/pages/92358988/Reports> >> being considered for the RM (I've added a note to this to cover the >> requirement to safely refer to / ?copy content from external systems). >> >> We need to consider these kind of reference questions more carefully and >> provide more comprehensive solutions for sure. > > It is a very complicated subject, and I did not expect any action taken on my > initial question, yesterday morning. But there was discussion, I also learned > from it. > > Huge ICT companies are implementing blockchain-applications, and the medical > world will for sure be one of the targets. They are ready to implement and > sell it. They will convince governments that it is needed. In the > Netherlands, Nictiz is on their side. Nictiz is the only information-source > for the government. > > My question is, can this be transparent, (like RAID 10 is to a system), or is > there an architectural change needed on the logical layers? Or is there an > architectural layer desirable? Do medical software architects want to > influence decisions? Then they need to take positions. > > It is not something for today or tomorrow, or the day after tomorrow. But > next year? In two years? > > IBM is selling blockchain-technology: > https://www.ibm.com/blockchain/nl-nl/get-started/ > <https://www.ibm.com/blockchain/nl-nl/get-started/> > > Today I was reading about Mastercard going to use blockchain, they patented > an own implementation (sorry, in Dutch) > https://www.agconnect.nl/artikel/mastercard-legt-eigen-blockchain-vast > <https://www.agconnect.nl/artikel/mastercard-legt-eigen-blockchain-vast> > > > The patent > http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=/netahtml/PTO/search-adv.html&r=1&p=1&f=G&l=50&d=PG01&S1=20170323294.PGNR.&OS=dn/20170323294&RS=DN/20170323294 > > <http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=/netahtml/PTO/search-adv.html&r=1&p=1&f=G&l=50&d=PG01&S1=20170323294.PGNR.&OS=dn/20170323294&RS=DN/20170323294> > > Best regards > Bert > ________
_______________________________________________ openEHR-technical mailing list openEHR-technical@lists.openehr.org http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org
