Davey Winder: Is blockchain hope or hyperbole for NHS data security?

  • 4 April 2019
Davey Winder: Is blockchain hope or hyperbole for NHS data security?

Davey Winder has something of a reputation for fortune telling. Recently he’s been asked whether blockchain could solve healthcare’s security woes. His verdict? Unconvinced.

No other security incident has left its mark on the NHS user psyche quite like WannaCry. It even inspired recently-broadcast episodes of TV dramas Casualty and Holby City, the fictional hospitals struggling to cope with the sort of cyberattack which cost an estimated £92m in the real world.

With my best future-gazing hat on I actually predicted a couple of days before WannaCry hit that an incident such as this was inevitable. Perhaps that why I’ve recently been asked to don my Mystic Meg costume once more, this time on the issue of cyber-resilience. Two GPs, independent of each other, have asked me if I think blockchain could play a role in securing healthcare.

My knee-jerk reaction was a solid “hell no”. But since knee-jerking isn’t particularly helpful, I thought I’d entertain the notion in a little more depth.

When looking at blockchain, in no matter what context, there’s a danger of expending all your energy on trying to explain what it is and how it works. I’m not going to fall into that trap and will instead point the technically-interested reader to the Wikipedia entry, which gives in-depth background.

That said, the tl;dr definition is that we are talking a decentralised database that can be distributed across physical locations while allowing all users to access the same shared data wherever they are. And, importantly, they can have that access secure in the knowledge that the events in that ledger cannot be changed.

One of the main arguments for blockchain in the health arena, from the cyber-perspective at least, is that this decentralisation would mean it would be too time consuming for any attacker to successfully ‘infect’ such a system. The reasoning goes that accessing all the nodes would be too resource intensive to appeal to cyber criminals.

Here’s the thing…

But here’s the thing, or rather two things. Thing one is that criminal organisations have a lot more by way of financial and technical resources than many give them credit for, and time is considered well spent if the potential payload is profitable enough. Given the value of patient records, the health data payload certainly ticks the profitability box.

Thing two is whether a decentralised public ledger model of the blockchain variety is a solution worthy of NHS investment. A quick poll of the cybersecurity Twitterverse on this very subject produced about as much consensus as seen when asking parliamentarians about Brexit.

https://twitter.com/ballantine70/status/1107245299238662145

https://twitter.com/hosseiniam128/status/1107260326549049344

I’m inclined to agree with all the above, strange as that may sound. A distributed ledger system does have the potential to enhance security through implied trust – albeit at the most basic level – as well as eliminating the single point of failure weakness of existing databases.

Expensive and challenging

Yet decentralising the patient record store like this, across a highly fragmented NHS landscape, wouldn’t come cheap and nor would it be easy to implement. Given that, and historical precedent when it comes to budgeting and rolling out such technologically-driven and all-encompassing changes, I’m inclined to think such a move would not end well.

Blockchain implementation relies upon all aspects of the system being securely assembled, and that’s far from being a given from the technical perspective. Where that implementation contacts the real world – and by that, I mean software, custom apps and, yes, humans – the potential for failure starts to stack up.

I recently had a very interesting conversation with Saif Abed, a founding partner at AbedGraham Healthcare Strategies, regarding this very subject. “For me, one of the key messages I have been trying to share with the health IT community is to start planning for scenarios where cyberattacks focus on clinical data integrity rather than only availability, so blockchains are an attractive concept,” he said, adding that the notion of patient data being immutable, or tamper proof, is clearly very powerful.

The implementation question – or questions

However, he agreed that, as with any technology, the big stumbling block is likely to be that implementation question. Questions were very much in the foreground of our conversation, as we wrestled with the notion of how any blockchain project could get off the ground in a healthcare system so undoubtedly complex as the NHS. Here are the questions that emerged:

  • How will a blockchain be setup and maintained?
  • Does a private blockchain maintained by the NHS have the same benefits as a public blockchain?
  • How will individual trusts be convinced to transition to using a national blockchain platform?
  • What about existing healthcare IT suppliers, which can be somewhat intransigent?
  • Will we enable blockchain based healthcare applications and will they introduce new security problems?
  • Do existing regulations need to change?

Dr Abed suggests that “a phased approach through a series of local pilots” would be the way to start answering these questions, and that it “would need strong leadership and multi-disciplinary collaboration to determine blockchain technology’s potential for the NHS”.

I must admit I’m certainly not convinced, right now, that a blockchain-driven approach to NHS cybersecurity offers more hope than hyperbole. So, why not start that multi-disciplinary collaboration right here at Digital Health by getting the thoughts of our readership on the matter? Here’s your chance to answer the questions above and convince me that I’m wrong on the broader ‘hope or hyperbole’ position – or not as the case may be. I am sure that I won’t be the only person truly interested in what you have to say…

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

How to equip NHS staff with cyber security skills they will use

How to equip NHS staff with cyber security skills they will use

Too often, cyber security training is a seen as a burden. But it is possible to make it relevant and useful, writes Nasser Arif.
Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside Integrated Care System has selected a healthcare cyber security platform from Cynerio to strengthen its defences.
How to find your inner ‘cyber defender’

How to find your inner ‘cyber defender’

A "back to basics" and "honest" approach to personal cyber security can help NHS staff make larger improvements at work, writes Nasser Arif.

1 Comments

  • Hi…. would be good to compare notes and the work we have already done on PoC and Pilot within the NHS in conjunction with all parties.

Comments are closed.