Photo by Proxyclick Visitor Management System on Unsplash.

Medical records have evolved from paper to electronic health records. And with an uptick in data breaches, some health technology experts advocate for cybersecurity using blockchain technology.

Brian Horton, CEO of Breadcrumb Cybersecurity in Fresno, estimates the company is helping contain a 300% increase in cyberincidents year-over-year.

Breadcrumb Cybersecurity services clinics and hospitals by reviewing their security posture for preventative measures or helping navigate cyberincidents.

Horton said that he has “dramatically, without a question” noticed an uptick in cybersecurity compromises.

Notable breaches include the Microsoft Exchange Server and SolarWinds breaches. A cyber espionage group, “Hafnium,” breached a Microsoft Exchange Server in early March and hacked more than 30,000 organizations. The group operates from China.

SolarWinds, an information technology company in Texas, fell victim to Russian hackers in late 2020. SolarWinds has high-profile clients, and victims included multiple government agencies.

“The industry as a whole widely feels that the fallout from the SolarWinds breach at the end of 2020 is going to dramatically increase the amount of cyber activity that we’ll see in 2021,” Horton said.

Saint Agnes Medical Center and CalViva Health have also been victims of cybersecurity breaches. Hospitals have been especially vulnerable because of their low budgets for cybersecurity.

“Redirecting funds toward IT and security — that always has to be balanced out with patient care,” Horton said. “That’s normally what it comes down to is not enough dollars.”

Data breaches expose individuals’ personal information, but some cyberincidents can actually keep patients from being treated.

“When you have something like ransomware or malware actually taking down the software and the servers that delivers the patient care, that’s a problem. And we’ve seen that happen,” Horton added.

Many breaches originate from employees who click on fraudulent links and enter passwords on websites they’re not supposed to.

“Before you know it, there’s a threat inside of your organization that’s undetected,” Horton said.

Ally Medina, director of the Blockchain Advocacy Coalition in California, said that using verifiable credentials could be the solution. With this model, patients are the only people with access to information.

Verifiable credentials are the digital form of physical identification. Exchanging health records using verifiable credentials ensures health records have been transferred from doctor to patient. It does not store the record itself, making it an advocated option for new health tech companies.

Third parties holding personal information spark cybersecurity concerns, but verifiable credentials make hacking more difficult. The most recent technology developments are for proof of Covid-19 testing or vaccination.

There was movement in the California Legislature with AB 2004 to implement this technology, but after passing through the Assembly and Senate, it was vetoed by Gov. Gavin Newsom in September due to time and money logistics.

When data is transferred through verifiable credentials, hackers would have to compromise individual data. When records are stored on a third-party platform, hackers breach the platform and access millions of records.

Washington-based Providence Health & Services already has a system like this in the works after it acquired Lumedic, a health tech company in Seattle. It plans to implement a vaccine passport, which is also built on verifiable credentials. The technology is ideal for businesses or travel agencies.

Lumedic CEO Mike Nash started the company in 2018, and in 2019 Providence acquired it.

He described the technology as having “no single database that everyone looks to anymore.”

Information that has been added or taken away from, say, a vaccine card, would only come from an organization that has permission to do so. Privacy and security are the goals.

“We also have a whole wrapping of a governance model that ensures that those are trusted entities. So it can’t be just anybody deciding to give you a vaccine record. It actually has to be a health care provider that we register in the system,” Nash said.

Nash said it’s more secure than a large central system of data. Medina said that the decentralized solution makes it more resilient to hacking.

“All of it is tied back to digital identity,” Medina said, noting this technology is a push for interoperability, or the ability of computer systems to exchange and make use of information.

While Lumedic offers sophisticated data transmission, Nash says there’s not enough data yet to show whether cybersecurity has improved within the health care system.

He said that stolen phones don’t pose a threat of data being compromised.

“It’d actually be more secure than stealing a paper card,” he said, noting that phones still have security and there are biometrics within the phone’s wallet.

Horton says that using blockchain technology is a step in the right direction, but there are holes.

“The problem is that helps solve the security of data while it’s in transit. So if it’s being sent from me to you, an unauthorized third party can’t read that data,” Horton said.

But this doesn’t stop hackers from viewing what’s open on a doctor’s screen, including health records.

“Blockchain at that point doesn’t do anything, because I’m just reading what’s on your screen. So I think blockchain technology has come a long way, I think it’s promising, I think it offers a lot of advantages, but it is by no means a silver bullet on stopping what we’re seeing,” Horton said.

Security posture assessments are preventative measures clinics and hospitals can take. Independent third parties validate the controls and strategies that the company has in place.

Information technology departments often don’t catch these vulnerabilities in their own organizations. But validation of an independent third party brings a lot of merit, he says.

“It’s kind of a cat-and-mouse game. They develop something that can bypass certain antivirus tools, and then the industry catches up a couple months later and stops them and then they go back home and redevelop something else,” Horton said.