Data protection using blockchain: blessing or curse?
With over 2.5 quintillion bytes of data being produced daily, we all face the challenge of managing and storing this information efficiently. Protecting this data from ending up in the wrong hands is an even bigger concern. This especially applies to data in the life sciences industry, which is all about data integrity. For obvious reasons, data manipulation or even theft can potentially ruin pharmaceutical companies. Over 80% of executives in life sciences expect that blockchain technology, which is already in use to protect cryptocurrencies, will come to the rescue in a matter of years.
Security Through the Crowd
Blockchain, a kind of distributed database, offers immutable data storage, cutting-edge cryptographic security, and the use of decentralized and distributed systems. These are hosted on peer-to-peer networks and are continuously updated. The bad news for hackers, and the good news for everyone else, is that blockchains are not stored in a single place, cannot be altered using a single computer, and do not have a single point of failure. A blockchain comprises blocks of information that are joined in a chain. Each block is a transaction and is connected to both the earlier block and the one after. To hack the system, each block has to be changed, which means changing all the blocks that make up a particular blockchain. Though this might look simple to accomplish, it is in fact difficult and almost impossible. Cryptography is used to secure blockchain-based records and transactions. Members of a peer-to-peer network have unique digital signatures that are attached to the transactions they make on a blockchain.
Generally speaking, hashing algorithms produce the same output when given the exact same input file, which makes them useful for verifying the file’s authenticity. Any change in the input file, however slight, results in a dramatically different ‘fingerprint’. Once any part of a record or transaction is altered, members’ signatures become invalid, notifying the entire blockchain of a breach.
Some of the potential applications in the life sciences and health care sectors include:
- Medical records
- Protection of intellectual property (IP). Proof of existence platforms are being developed to provide innovators with a tamper-proof way of storing encrypted information, enabling companies to verify the date on which they created intellectual property, such as patents. The time-stamped documents can then be used as incontrovertible evidence that an inventive step occurred at a particular time and before anyone else.
- Collection of clinical data. The blockchain, coupled with other technological advances including wearable tech and data analytics, will enable pharmaceutical companies to securely collect ever more detailed medical information about patients in real time.
- Supply chain
- Product safety
- Regulatory compliance
- Sterilization processes or cold storage, and transport of biologics.
The introduction of blockchain brings a new set of complex opportunities and challenges relating to storing and managing the increasingly distributed and diverse R&D data. After all, companies still need to ensure that what they deliver to market is safe and complies with all the regulatory requirements. Previously, all data and knowledge were stored inside the castle walls. Nothing was allowed out and everything was managed centrally – safe, secure, retrievable (to some degree) and protected. IP was secured and defensible, which is particularly important since patents have been the lifeblood of pharmaceuticals for decades. Now, with more stakeholders involved, data and knowledge originate in multiple locations, multiple organizations and multiple research domains. This represents a new order of collaborative networks charged with delivering results, and highlights the evolving set of challenges facing R&D – a blend of old and new hurdles the industry must overcome.
Immediate business needs
Working within a collaborative network means opening up the knowledge of what is going on to many more people. It requires that security and access permissions are defined and managed in a simple and dynamic way that does not interfere with the business process. Just consider the implications of a company’s collaborations reaching 200 other organizations, each with five to ten people in them. That is 1,000-2,000 users of systems who do not have an internal ID, do not have internal Active Directory accounts, do not have internal emails and have not signed the internal IP and data security contract. On top of that, the nature of these collaborations can be transient and the business needs immediate. The way collaborators are engaged and contracted, and the way their data is gathered, must be simple, secure and, above all, managed inside the business by the researchers – not by research informatics or core IT. This, in turn, raises questions such as: Who is allowed to join collaborations? How does an organization share the data? How are ideas protected and managed with respect to intellectual property (IP)?
Blockchain and GDPR
The collaborative IP must be aggregated with the internal IP so that it can be leveraged and managed. The collaborators will also want to know that any joint IP is protected effectively and can be repatriated to their organization, should it be required. The externalized work is worthless if the IP is not captured and managed effectively. Also, special attention must be given to how proposed applications for blockchain will comply with data protection laws, including healthcare-specific requirements. For example, as the technology currently stands, information stored on a blockchain cannot be amended or deleted. This will be problematic with regard to the GDPR, which gives individuals the rights to be forgotten, to have data erased and to have data corrected. The same applies to the obligation to hold personal data no longer than is necessary. Some solutions may try to deal with this issue by storing the personal data “off ledger”, where the data can be deleted as required, rather than holding the data on the ledger itself.
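As an added illustration (not code from this article or from any blockchain product), the following Python combines the hash chaining described under "Security Through the Crowd" with the "off ledger" approach described above: the ledger holds only salted SHA-256 fingerprints, while the records themselves sit in a store that can delete them. The names `Ledger`, `OffLedgerStore` and `demo` and the sample records are constructed for this example; network consensus and digital signatures are not modelled.

```python
import hashlib, json, os

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(index: int, prev: str, commitment: str) -> str:
    # Each block's hash covers its position, its predecessor's hash and its payload.
    return sha256_hex(json.dumps([index, prev, commitment]).encode())

class Ledger:
    """Append-only hash chain. Blocks hold fingerprints only, never the record."""
    def __init__(self):
        self.blocks = []
    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "commitment": commitment,
                            "hash": block_hash(len(self.blocks), prev, commitment)})
        return len(self.blocks) - 1
    def verify(self) -> bool:
        prev = "0" * 64
        for i, b in enumerate(self.blocks):
            if (b["prev"], b["hash"]) != (prev, block_hash(i, prev, b["commitment"])):
                return False
            prev = b["hash"]
        return True

class OffLedgerStore:
    """Holds the personal data itself; entries can be deleted, ledger blocks cannot."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}
    def put(self, record: bytes) -> int:
        salt = os.urandom(16)  # per-record salt: short records are not guessable from the hash
        index = self.ledger.append(sha256_hex(salt + record))
        self.records[index] = (salt, record)
        return index
    def matches_ledger(self, index: int) -> bool:
        salt, record = self.records.get(index, (b"", None))
        return record is not None and sha256_hex(salt + record) == self.ledger.blocks[index]["commitment"]
    def erase(self, index: int) -> None:
        self.records.pop(index, None)  # salt and data go; only the on-chain hash remains

def demo():
    ledger = Ledger(); store = OffLedgerStore(ledger)
    a = store.put(b"subject=constructed-001;hr=72")  # constructed sample records
    b = store.put(b"subject=constructed-002;hr=65")
    intact = ledger.verify() and store.matches_ledger(a) and store.matches_ledger(b)
    store.records[b] = (store.records[b][0], b"subject=constructed-002;hr=66")  # off-ledger edit
    edit_detected = not store.matches_ledger(b)
    store.erase(a)  # erasure request handled off ledger
    chain_valid_after_erase = ledger.verify() and not store.matches_ledger(a)
    ledger.blocks[0]["commitment"] = sha256_hex(b"forged")  # attempt to rewrite history
    return intact, edit_detected, chain_valid_after_erase, not ledger.verify()
```

After `erase`, the chain still verifies, but the erased record can no longer be reproduced or checked from the fingerprint left on the ledger.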
Similarly, another feature of blockchain is that information can be encrypted so as to ensure that the information stored on the blockchain is secure. It is likely that the encryption applied to a blockchain today will be made obsolete as more sophisticated encryption techniques are developed. It remains to be seen how regulators will respond to the challenge of reconciling some of the inherent features of blockchain with existing data protection laws. While technological solutions may help to address some of these challenges, it remains likely that regulators will need to address the unique challenges presented by blockchain technology.