Blockchain-based apps used to store COVID-19 data may not be as private as they seem.
New procedures are being implemented as the world slowly begins to reopen amid the ongoing COVID-19 pandemic. While temperature checks and mandatory face masks have become the new normal, the world is also witnessing the rise of digital health apps, or “health passports.”
Many of these applications serve as a solution to trace individuals’ whereabouts or to store COVID-19 test results, which can then be presented to officials during travel or gatherings to show proof-of-health. While innovative, privacy and regulatory concerns have been expressed with digital solutions designed to trace contact or store user data via smartphones.
Blockchain ensures privacy
In order to solve this problem, IBM Watson Health — a data, analytics and technology partner for the health industry — has launched a privacy-based application that will enable individuals to safely travel or return to physical locations upon showing COVID-19 test results and temperature scans. Known as the “IBM Digital Health Pass,” this platform leverages IBM blockchain technology to ensure user data remains private when shared with organizations that require a verified health pass.
Eric Piscini, vice president of blockchain for IBM Watson Health, told Cointelegraph that the Digital Health Pass platform specifically uses blockchain to establish self-sovereign identity, along with verifiable credentials:
“Privacy is extremely important here, which is the reason we use blockchain to verify credentials and allow individuals to control their identity without the intervention of administrative authorities. Individuals with credentials like COVID-19 test results can present these to verifiers, such as airlines, without exposing their medical information.”
According to Piscini, three layers are built into the Digital Health Pass platform. The first layer is made up of the issuers of credentials, which include testing labs and hospitals. The second layer is the platform itself, which serves as the ruling engine. Finally, there are verifiers on the platform, like airlines, that are interested in knowing if individuals are safe to engage with. “Most of these players run a node on the IBM blockchain network, which uses sophisticated cryptographic techniques so that data exchange can be verifiable and trusted,” he added.
Piscini further mentioned that medical data isn’t stored on the platform, comparing the Digital Health Pass to a credit score. In this case, the blockchain ledger captures an individual’s health score, but organizations, or the verifiers, have no visibility into the user’s personal data. Verifiers only see a “green light” once a QR-code is scanned on a smartphone to show if an individual is healthy. The verifiers then decide whether or not to engage with individuals based on their own policies.
Although the Digital Health Pass solution is still being piloted, Piscini noted that a number of companies have expressed interest in leveraging the application once it becomes publicly available.
Similar to IBM’s Digital Health Pass, distributed ledger technology platform Hedera Hashgraph has struck an agreement with Safe Health Systems, a partner of Mayo Clinic, to build a digital health ID system. Known as “HealthCheck,” a COVID-19 testing and health status solution built on the SAFE digital health platform.
Ken Mayer, the CEO of Safe Health Systems, mentioned during a recent Hedera Hashgraph webinar that Digital health IDs are created for individuals. Sensitive data is kept private, as this is stored and verified on the Hedera Consensus Service. Mayer said that many enterprises are signed up to use the HealthCheck app, including Delta Airlines and several universities:
“We have partnered with the largest buying co-op for U.S. universities that have about 5,000 members. We also just partnered with the largest employee benefits marketplace who is starting to push this out, starting with employers and schools. Basically, the solution is a white-label mobile app.”
Privacy concerns remain
While both Digital Health Pass and the HealthCheck app leverage blockchain and distributed ledger technology to secure and privatize user data, concerns remain. Jonathan Levi, CEO of enterprise blockchain solution HACERA and co-founder of MiPasa — a blockchain-based platform that standardizes, normalizes and authenticates data sets for open-source use — told Cointelegraph that it’s critical for users of these applications to understand their entire data workflow:
“From somebody taking a screenshot or a scan of their medical results to using a proprietary mobile application, it’s important for users to know what’s being stored on a blockchain, who runs the nodes, how users and nodes interact with the ledger, including who has access to the logs.”
Even though Digital Health Pass and HealthCheck are regulatory compliant, Levi explained that understanding the data flow is important to ensure that an individual’s data is never compromised. “We all remember the concerns raised by the U.K. NHS contracts that allowed unprecedented transfer of health data on millions of U.K. citizens to private tech companies,” he said.
During the Hedera Hashgraph webinar, Mayer did mention that HealthCheck has data integrations and partnerships with Quest, LabCorp and Mayo Clinics Labs, along with several other smaller medical labs that automate the process of returning results quickly for users. Understanding what those labs will eventually do with that data is critical.
Related: IBM executive says blockchain becoming a useful ‘real business tool’
Levi further explained that MiPasa — which was deployed on the IBM blockchain platform to collect and validate COVID-19 data for the World Health Organization — is similar to IBM’s Digital Health Pass in that both platforms are consent-based. The main difference according to Levi, though, is that the Digital Health Pass platform records the consent of users who are logged into the mobile application and then scans their medical test results to show proof-of-health.
MiPasa, however, simply seeks to provide an employer and an employee (or a user and a verifier) with data and analytics tools, allowing both sides to decide the best course of action.