Data Protection in the HSE: a Case for Blockchain Technology
By Ursala McDonnell, JS Law and Political Science
As custodians of patients’ sensitive medical information, healthcare systems require a distinctive level of security and privacy. Healthcare providers enter information into dedicated databases that are structured to protect patients’ privacy rights. Nevertheless, in the wake of the cyberattack on the Health Service Executive (HSE), it is clear that the systems currently in place are not sufficient to carry out this function. This article investigates the implications of adopting blockchain technology to tackle the cybersecurity issues within the HSE and to prevent future crises.
The Health Service Executive is the primary national public health service in Ireland. Under the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988-2018, the HSE is obliged to safeguard the privacy rights of patients with respect to the collection and processing of their personal data. That duty was severely impaired by the aggressive cyberattack which targeted its IT infrastructure in 2021.
On 14 May 2021, Conti ransomware was detonated across the HSE’s IT systems, causing them to fail. Conti typically extracts a ransom by stealing files and then encrypting servers and workstations to prevent access. Where the ransom is not paid, the Conti operators sell or publish the stolen information on leak sites they administer themselves. In the case of the HSE, the attackers gained initial access by sending a phishing email to the user of an HSE workstation. The email carried a malicious Microsoft Excel file; when the user opened it, the attackers obtained a foothold on the network. They then operated inside the HSE’s systems for roughly two months before the ransomware was detonated in May. By that point, about 80 per cent of the HSE’s IT environment had been encrypted. In addition, the attackers blocked access to diagnostics and medical records, released the private data of thousands of recipients of the COVID-19 vaccine, and exfiltrated unencrypted data, including protected health information. The event has been regarded as the most significant cyberattack on an Irish state agency and, further, as the largest known cyberattack against a healthcare service computer system. One question remains:
How could a cyberattack of such nature be operated on what was supposed to be a highly safeguarded system?
It may be argued that the HSE neglected its duty to protect the personal data of individuals by failing to develop an adequate cybersecurity strategy. Indeed, the Independent Post Incident Review of the HSE’s operational and technical preparedness for the crisis found that the healthcare provider had a low level of cybersecurity maturity and, as a result, was insufficiently equipped to detect and respond to the intrusion. The attack has revealed a stark need for the healthcare system to re-evaluate its cybersecurity strategies in order to prevent a similar infiltration in the future.
Indeed, an attack of this nature is not unique to the Irish healthcare system. According to the FBI, Conti alone had targeted more than 400 organisations worldwide by May 2021, including healthcare and first-responder networks. Researchers have identified alternative methods of protecting patients’ personal data against attacks on medical databases, with some underlining the usefulness of blockchain technology in addressing these cybersecurity challenges in healthcare.
Blockchain technology offers services such as traceability, tamper-evidence, and non-repudiation as a result of the way it records information. A blockchain operates by collecting entries into ‘blocks’ which are held together in a database known as a ‘digital ledger.’ Each block has a limited capacity; when it is filled it is closed and linked to the preceding block by including a cryptographic hash of that block, assembling a chain of information known as a ‘blockchain.’ The ledger is append-only: an entry cannot be altered after the fact without breaking the hash links of every block that follows it. It is administered in a distributed and decentralised manner, so that it is maintained collectively by multiple independent nodes rather than by a single party who controls who can change data entries, and each new block is verified by several nodes before it is accepted. This is what safeguards the record against silent corruption.
Blockchain technology is commonly known for facilitating the use of cryptocurrency. However, among other industries, it may be able to address security issues in healthcare systems, particularly in the HSE, which currently requires a full remodelling of its cybersecurity system. Blockchains can enable stronger authentication of medical records and other patient information than conventional databases on account of the verification mechanism embedded in the technology: once a record (or a hash of it) has been committed to the ledger, any later alteration of that record can be detected by recomputing and comparing the hashes. The same mechanism also supports methods of identity verification beyond governmental ones, such as ledger-backed credentials. Crucially, these verification mechanisms allow healthcare networks to detect fraud and identify data corruption, capabilities which are clearly lacking in the HSE. It should be stressed, however, that a ledger of this kind does not inspect email attachments or stop malware from executing; had the HSE employed blockchain technology in May 2021, the malicious Excel file would not have been identified as such, and the attackers would still have obtained their initial foothold. What the technology could have offered is the ability to establish, after the fact, which records had been altered and which remained intact, and to do so without relying on a single compromised server. In light of these advantages, there is a case for the HSE to consider blockchain technology as it advances its cybersecurity strategy in the wake of the 2021 crisis, as one layer of integrity protection alongside, not instead of, email filtering, endpoint protection and network monitoring.
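The two preceding paragraphs describe how blocks are linked by hashes and why that makes alterations detectable. The following added example, which is not code from the original article or from any HSE system, implements that mechanism as a minimal append-only hash-chained ledger in Python. It stores only the SHA-256 hash of each medical record on the ledger (the record itself stays off-ledger), and it shows both the case where tampering with a committed entry is caught by the broken chain and the edge case where it is not. The patient records, the clinician identifier and the timestamps are constructed sample values, not real data.

```python
import dataclasses
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64  # previous-hash value carried by the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str     # hash of the preceding block: the link that forms the chain
    record_hash: str   # SHA-256 of the off-ledger record; no patient data is stored here
    author: str        # hypothetical identifier of the party appending the block
    timestamp: int     # hypothetical Unix time supplied by the caller

    def block_hash(self) -> str:
        # Canonical JSON (sorted keys) so every node derives the same hash from the same fields.
        payload = json.dumps(dataclasses.asdict(self), sort_keys=True).encode()
        return sha256_hex(payload)


class Ledger:
    def __init__(self) -> None:
        self.blocks: list[Block] = []

    def append(self, record: bytes, author: str, timestamp: int) -> Block:
        """Commit the hash of a record, linking the new block to the current tail."""
        prev = self.blocks[-1].block_hash() if self.blocks else GENESIS_HASH
        block = Block(len(self.blocks), prev, sha256_hex(record), author, timestamp)
        self.blocks.append(block)
        return block

    def verify(self) -> int:
        """Walk the chain from the genesis link; return -1 if intact, else the index of the first block whose link is broken."""
        expected_prev = GENESIS_HASH
        for i, block in enumerate(self.blocks):
            if block.index != i or block.prev_hash != expected_prev:
                return i
            expected_prev = block.block_hash()
        return -1

    def record_matches(self, index: int, record: bytes) -> bool:
        """Check an off-ledger record against the hash that was committed for it."""
        return self.blocks[index].record_hash == sha256_hex(record)


# Constructed sample records; not real patient data.
RECORDS = [
    b"patient=P-0001;visit=2021-03-01;note=routine check",
    b"patient=P-0002;visit=2021-03-02;note=bloods ordered",
    b"patient=P-0001;visit=2021-03-09;note=results reviewed",
]


def build_ledger() -> Ledger:
    ledger = Ledger()
    for i, rec in enumerate(RECORDS):
        ledger.append(rec, author="clinician-7", timestamp=1614556800 + i * 86400)
    return ledger


def tamper_with_block(ledger: Ledger, index: int, new_record: bytes) -> Ledger:
    """Simulate an attacker rewriting one committed entry in place on a single node's copy."""
    tampered = Ledger()
    tampered.blocks = list(ledger.blocks)
    tampered.blocks[index] = dataclasses.replace(
        tampered.blocks[index], record_hash=sha256_hex(new_record)
    )
    return tampered


if __name__ == "__main__":
    clean = build_ledger()
    print("clean ledger verify():", clean.verify())
    mid = tamper_with_block(clean, 1, b"forged entry")
    print("tampered block 1, first broken link at:", mid.verify())
    tail = tamper_with_block(clean, 2, b"forged entry")
    print("tampered tail block, verify():", tail.verify(),
          "| original record still matches:", tail.record_matches(2, RECORDS[2]))
```

Rewriting a block in the middle of the chain breaks the `prev_hash` carried by its successor, so `verify()` reports the break. Rewriting the tail block leaves the chain internally consistent, because no later block links to it; it is only exposed when the off-ledger record is compared with the committed hash, or when another node holding its own copy of the ledger disagrees about the tail. That is the practical reason the ledger is replicated across several independent nodes rather than kept on one server.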
Nonetheless, the issues associated with the use of blockchain technology must also be acknowledged. As a new and developing technology, additional research is required to evaluate its application to the healthcare industry. More specifically, the legal implications of implementation must be analysed. As the HSE is required by law to comply with the provisions of the GDPR, the implementation of blockchain technology could potentially conflict with its patient data obligations. For example, blockchain technology facilitates interoperability within healthcare systems because its decentralised design replicates the ledger across numerous servers rather than keeping it on one main server. While this lessens the difficulties hospitals encounter when sharing and accessing medical records, it sits uneasily with the purpose limitation principle in Article 5(1)(b) of the GDPR, which requires that patient information is collected for specified purposes and not further processed in a manner incompatible with them. Another issue is the fact that blockchains are append-only and cannot be rewritten, contrary to Article 17, which gives patients the right to have their data erased.
At the same time, Article 12 of the GDPR requires healthcare systems to provide patients, in a transparent manner, with information about how their data is collected and processed, who has access to it, and how it is secured. This could facilitate the lawful adoption of blockchain technology by the HSE if the purpose of its implementation in the HSE’s databases is adequately communicated to patients, or if a permissioned blockchain is used, that is, one in which only a closed network of designated parties may participate and verify transactions.
In the absence of relevant case law, it is difficult to conclude whether the adoption of blockchain technology by the HSE would be wholly incompatible with the GDPR. Indeed, the European Parliament’s 2019 report on ‘Blockchain and the General Data Protection Regulation’ was inconclusive on the compatibility issue, finding that the main problem does not appear to be the technology as a whole but rather specific points of tension that need to be examined on a case-by-case basis. The meaning of ‘erasure’ in Article 17, concerns about anonymous data under Recital 26, and the difficulty of identifying who the ‘controller’ (as defined in Article 4(7)) is in a distributed ledger were among the specific tensions highlighted by the report that make it difficult to conclude how the technology can be applied, if at all. Nevertheless, a tamper-evident, decentralised record of patient data would strengthen the cybersecurity strategies undertaken by the HSE to safeguard patients’ privacy rights. As the HSE is in the process of completely reimagining its current cybersecurity structures, it is submitted that it should consider modernising in the direction of blockchain technologies in order to adequately perform its duty to protect personal information.