Increasing Healthcare Security with Blockchain Technology
Integrity and the History of Data Security
From an academic perspective, security has historically been classified into three distinct
tenets: confidentiality, integrity and availability (CIA). Ask security
professionals to describe these components and you will receive a uniform
response for confidentiality and availability; integrity, however (what it means
and how to address it), is much more abstract and will typically generate a
much wider variety of answers.
Thinking in terms of patient records, an availability attack would be a denial
of service that removes access to a patient's online records, and a
confidentiality attack would be the exfiltration of those records. An integrity
attack would be the malicious manipulation of those records, either to cause
harm, to cover up negligence or to commit fraud such as backdating entries to
ensure insurance coverage. It is important to note that the scope of integrity
should not be limited to records. In reality the definition of integrity is much
broader, encompassing systems, processes and operations.
We are now seeing data breaches at health-care institutions with
alarming regularity. It is clear that existing perimeter and signature based
security controls are simply not working effectively. The attacks led to a loss of confidential
information, but importantly they were initiated by malware that compromised the integrity of the systems it infected.
Put simply, the breaches were the result of an integrity attack. We believe
that you cannot have confidentiality without integrity. Indeed, confidentiality
is what you get if your systems have integrity.
For the health-care domain we can also include medical
devices as "systems": whether MRI scanners or pacemakers, they all consist of
software and firmware components whose integrity is paramount to the correct
functioning of the device. An integrity guarantee here would mean proving the
provenance and integrity of every software component all the way back to the
manufacturer's code base, with end to end verification and legal recourse in the
event those devices fail.
One of the major failings of the US health-care system is
the lack of interoperability, and it is almost universally seen as a major
obstacle to effectively using and meeting the potential of health IT.
Transferring data from one institution to another is expensive, and
standards are so loosely defined that they wind up becoming interoperability
barriers instead of enablers. This is a process or supply chain problem, and if
you can guarantee the integrity of the process with an end to end chain of custody
for information, you have a very effective means of eliminating the hurdles to
interoperability. It may be impossible to prevent a bad actor from manipulating
information to cover their tracks, but if the integrity of the supply chain can
be verified then those actions can be detected and, importantly, the who, what
and how can be verified without the need for lengthy and uncertain forensic
The actions of Edward
Snowden were an operational integrity problem: he operated outside the rules
of the system he was tasked to administer. Today Medicare fraud through
improper payment is estimated at 50 billion dollars per year. This is an
enormous sum, a significant percentage of which could be reduced if there
were a means to verify the integrity, provenance and history of the documents
used to create those fraudulent claims. Phantom billing, kickbacks and
unbundling are all examples of breaches of operational integrity which have
been effectively eliminated in Estonia through end to end verification of
In summary, if we define integrity in a similar
fashion to the human quality, as "the absence of compromise", it becomes clear
what its value is for the security of health-care systems. If you can guarantee
integrity then you can guarantee the absence of compromise, which leads to a
very different security model.
Why Integrity has Historically Been Overlooked
Despite its increasing importance, integrity has largely been
overlooked from a security perspective, and this is primarily for historical
reasons.
Firstly, for the first years of the Internet security was synonymous
with confidentiality of data in motion, with the presumption that features such
as access control and firewalls were more than adequate for protecting data at
rest. This was a natural consequence of how organizations operated, as isolated
networks that assumed a hardened perimeter, while securing e-commerce or information
exchange necessitated secure messaging.
However, the advent of cloud computing, mobile networks and the Internet of Things has
severely challenged this approach. Awareness has also grown among
diverse thought leaders across the security community, including researchers such
as Bruce Schneier, NSA
Director Admiral Michael S. Rogers and Director of National Intelligence James Clapper,
and there is now an emerging consensus that system integrity, not confidentiality
of data in motion, is the biggest threat in cyberspace.
As an example consider the relative importance of
confidentiality and integrity in the health care domain:
Figure 2: Integrity Breach vs Confidentiality Breach in Healthcare
Secondly, integrity was widely considered to be a 'solved problem'
after the invention of Public Key Infrastructure (PKI). The impetus behind PKI
was key exchange across an insecure channel, and it was quickly recognized that
it could also be used for digital signatures and for verifying the integrity of system
components. Although cryptographers may consider it a solved problem, in
reality PKI has a number of hidden challenges that mean in practice it is far
from ideal for this use case. The complexity and cost of key management
alone make it very challenging to implement correctly, especially for long term
data retention, where a signing key (or a trustworthy record of its revocation)
must remain valid for as long as the signature is relied upon. Indeed Rob Joyce,
head of the NSA's Tailored Access Operations,
highlighted recently how the NSA approaches network exploitation by first targeting
the credentials of system administrators. Once a credential has been
compromised an attacker has unfettered access to the internals of a
network, can achieve persistence (by modifying firmware, key configuration
parameters and so on) and can then exfiltrate data; an administrator who controls
the signing keys can equally sign whatever the attacker chooses. PKI has other problems,
not least of which is its reliance on trust anchors
called Certificate Authorities (CAs), and we know from well publicized events
that CAs have been compromised and fraudulent certificates issued, which brings the
whole question of trust into focus.
Using PKI as a Swiss army knife for both
confidentiality and integrity is indicative of the lack of innovation around
integrity technologies; until recently we simply had not found the right
technology. An important insight into
why this approach fails is the observation that integrity and confidentiality
are diametrically opposite problems. Consider for example a crime in the
physical world: the more people who witness a crime, the stronger the integrity
of the evidence, yet the less confidential the evidence becomes. For integrity
we want more witnesses; for confidentiality we want fewer.
Assumptions and Trust
Ask security professionals what tools they use to
address the integrity of the systems they are tasked to protect and you will
get a wide range of responses, but they typically include: "We have procedures in place
operated by trusted insiders to ensure the proper handling of data", or "We
encrypt our data at rest and rely on key management operated by trusted
As already indicated, this is a fallacy; encryption cannot
solve the integrity problem. You simply cannot encrypt the firmware, software or
configuration files running on a machine and then rely on PKI to maintain their state. Key
management simply moves the trust anchor to the credential of the administrator
of the keys, and we have to suspend healthy skepticism and trust certificates from
an upstream CA. This points to the reason why modern security continues to fail
at an epic scale; you cannot empirically
Put another way, when building security systems, if you have
an assumption that includes trust (in keys, in human administrators) then with
sufficient time you will be compromised with probability 1.
This is the promise of blockchain for cybersecurity – if you
can eliminate the need for trust then you can build security systems that don’t
rely on a single authority and create a paradigm shift in security. Instead of
searching for vulnerabilities, equivalent to searching for a needle in a
haystack, you can have mathematical certainty for every digital asset that
constitutes the system you want to protect.
What is a Blockchain?
In a nutshell a blockchain is a distributed database, shared
and maintained by multiple parties. Records can only be added to the database,
never removed, with each new record cryptographically linked (by carrying a hash
of the record before it) to all previous records in time.
New records can only be added based on agreement, or "distributed consensus",
among the parties maintaining the database. Because the records are
cryptographically linked, it is computationally infeasible for one party to
manipulate a previous record without breaking the consistency of every record
that follows it, and therefore of the database as a whole.
Figure 3: The Blockchain Fundamentals
Using the Blockchain as a Trust Anchor
There are two key steps in using a blockchain as a trust
anchor for security: registration and verification.
Who do you Trust?
In mathematics, a proof is based on fundamental assumptions
(or axioms). In security these assumptions are called trust anchors. So what
are the assumptions behind any statement on security? For a CISO trying to protect an organization,
whether a regional hospital or a Fortune 500 company there will be a long list
of assumptions, almost certainly including the trustworthiness of the
administrators of the system and the security of the keys that they manage.
Using a blockchain to verify integrity, it is no longer necessary
to maintain secrets or keys: verification is based only on publicly
available information. Contrast this with Public Key Infrastructure (PKI). In
PKI the trust anchor is the security of the keys, which must be managed by the
signing entity for the entire lifetime of the component. In some compliance
regimes this means many years.
Experience tells us that key management is extremely hard to
do well, and the major insight of blockchain-based security is that for
integrity it is also completely unnecessary. Using the blockchain as a trust
anchor makes evidence widely witnessed – anyone who has a copy of the
blockchain can verify the absence of compromise without reliance on secrets,
keys or administrator credentials.
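The two steps named above, registration and verification over an append-only hash chain, in a worked example added for this page. This is illustrative code written for the article, not the Estonian government's or any vendor's software: it assumes a single SHA-256 hash chain held in a plain Python list, a constructed patient record, and an optional "published tip" hash standing in for the widely witnessed copy of the chain. Note what verification does and does not need: the document, its registration index and a copy of the public ledger, but no keys, secrets or administrator credentials.

```python
"""Append-only hash chain as an integrity trust anchor (added example)."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64          # the genesis block has nothing to link back to


@dataclass(frozen=True)
class Block:
    index: int          # position in the chain; 0 is the genesis block
    record_hash: str    # SHA-256 (hex) of the registered document, never the document
    prev_hash: str      # hash of the preceding block: the link back in time
    block_hash: str     # SHA-256 over (index, record_hash, prev_hash)


def _block_hash(index: int, record_hash: str, prev_hash: str) -> str:
    payload = json.dumps([index, record_hash, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def _digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def new_ledger() -> list:
    genesis_record = _digest(b"genesis")
    return [Block(0, genesis_record, GENESIS_PREV,
                  _block_hash(0, genesis_record, GENESIS_PREV))]


def register(ledger: list, document: bytes) -> Block:
    """Registration: append only the document's hash, linked to the current tip.
    The document itself never enters the ledger, so confidentiality is untouched."""
    prev = ledger[-1]
    record_hash = _digest(document)
    block = Block(prev.index + 1, record_hash, prev.block_hash,
                  _block_hash(prev.index + 1, record_hash, prev.block_hash))
    ledger.append(block)
    return block


def chain_is_consistent(ledger: list) -> bool:
    """Recompute every block hash and every link from public data only.
    Editing a historical block, even with its own hash recomputed, breaks the
    link stored in the block after it."""
    if not ledger or ledger[0].prev_hash != GENESIS_PREV:
        return False
    for i, blk in enumerate(ledger):
        if blk.index != i:
            return False
        if blk.block_hash != _block_hash(blk.index, blk.record_hash, blk.prev_hash):
            return False
        if i > 0 and blk.prev_hash != ledger[i - 1].block_hash:
            return False
    return True


def verify(ledger: list, document: bytes, index: int, published_tip: str = None) -> bool:
    """Verification: needs the document, its index and a copy of the ledger.
    published_tip (hypothetical) is the tip hash as seen by other witnesses."""
    if not chain_is_consistent(ledger) or not 0 < index < len(ledger):
        return False
    # Rewriting the newest block leaves no later link to break; comparing the
    # tip against a widely witnessed copy is what closes that gap.
    if published_tip is not None and ledger[-1].block_hash != published_tip:
        return False
    return ledger[index].record_hash == _digest(document)


def tamper(ledger: list, index: int, forged_document: bytes) -> list:
    """Model an insider rewriting one entry in place (e.g. backdating a claim)
    and recomputing that block's own hash to hide the edit. Returns a forged
    copy; the caller's ledger is left intact."""
    forged = list(ledger)
    old = forged[index]
    record_hash = _digest(forged_document)
    forged[index] = Block(old.index, record_hash, old.prev_hash,
                          _block_hash(old.index, record_hash, old.prev_hash))
    return forged


if __name__ == "__main__":
    # Constructed sample records; not real patient data.
    ledger = new_ledger()
    genuine = b"patient 4711: admitted 2016-03-02, discharged 2016-03-04"
    blk = register(ledger, genuine)
    register(ledger, b"patient 4712: prescription renewed 2016-03-05")
    forged_doc = b"patient 4711: admitted 2016-02-28, discharged 2016-03-04"
    forged = tamper(ledger, blk.index, forged_doc)
    print("genuine verifies:", verify(ledger, genuine, blk.index))
    print("forged ledger consistent:", chain_is_consistent(forged))
```

A historical edit is caught by the chain alone; an edit to the most recent block is caught only when the tip is compared against another witness's copy, which is the "widely witnessed" property the text relies on. The example also makes the limit explicit: a record that was false at the moment it was registered is preserved faithfully as false, so registration controls who may create records, not whether they told the truth.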
Estonia – One Million Health Care Records on the Blockchain
In 2007 the Estonian Government was the victim of what is widely
considered the first instance of a state-sponsored cyberattack to paralyze
a government for a period of days. There were many lessons learned from this
attack, not least the importance of resiliency: the ability to
recover, or roll back, to a known good state. Relying on secrets to guarantee
that state is a dangerous strategy.
Under the auspices of the Estonian Government, a team of
scientists set out to build a security technology that could eliminate the need
for trusted humans or insiders in this verification process. Today the
technology they developed is known as a blockchain and is a core technology and
underlying security substrate for government information systems. Every
health-care record modification and access, every financial transaction and
every security event in cyberspace is registered in the blockchain, producing a
level of security, transparency and auditability which has never been possible
before. By deploying blockchain on a large scale the Estonian Government can
ensure that every access to health-care records, every change to health-care
records and the supply chain for digital data is verifiable using the
blockchain, guaranteeing system, process and operational integrity.
Although 100% crime prevention is impossible, it is now possible to have
100% detection, accountability and auditability across highly complex systems:
any later alteration of a registered record is detectable, while a record that
was false when registered is preserved as such, so registration must be paired
with controls on who may create records in the first place. Where
human motivation and behavior must be verified in conjunction with effective
security controls and integrity of systems and processes, think blockchain.