Blockchainsandelectronichealthrecords

BenYuan,WendyLin,andColinMcDonnell

1
 TableofContents

1Introduction 3

1.1TheBlockchain 3
1.2CurrentStateofElectronicMedicalRecordsintheUS 4

2DataStructureEnumeration 5
2.1RelevantQualitiesofDataStructures 5
2.2CandidateDataStructures 6

3DataStructureAnalysis 7
3.1Scorecard 7
3.2AnalysisofCandidateSolutions 8
3.2.1DataStructureswithoutChangeTracking 8
3.2.2Traditional,CentralizedDataStructure 9
3.2.3DistributedDatabasewithChangeTracking 10
3.2.4PrivateBlockchains 11
3.2.5PartiallyopenBlockchains 11
3.2.6Public,OpenBlockchains 12

4RecommendationsandConclusion 13

5Bibliography 16

6Appendices 17
6.1AppendixABlankscorecard 17
6.1AppendixBScorecardfortraditional,centralizeddatabase 18
6.3AppendixCScorecardfordistributeddatabasewithchangetracking 19
6.4AppendixDScorecardforprivateblockchains 20
6.5AppendixEScorecardforpartiallyopenblockchains 21
6.6AppendixFScorecardforopen,publicblockchains 22

2
1Introduction
1.1TheBlockchain
SincethecreationofBitcoinin2009anditscontinuedrelativelywideadoption,considerable
interesthasdevelopedintheconsensusmechanismsunderpinningthecryptocurrency.
Bitcoinssuccessstemsinlargepartfromtherobustnessofthesemechanisms,whichprovidea
meanstoachievedecentralized,trustlesscurrencyissuance,transactionvalidation,and
transactionsettlementremovingtheimplicitcentralizationrequirementforthesetasks.

Bitcoinsconsensusmodelcentersaroundtheblockchain,adatastructureandsetof
algorithmsdesignedspecificallyforachievingByzantinefaulttolerantconsensusaroundthe
stateofaglobaltransactionledger.Thekeyprinciplesoftheblockchaindatastructureasused
inBitcoinmaybesummarizedthus:

Transactionsarebundledintoblocks.Forablocktobevalid,allitsconstituent
transactionsmustalsobevalidaccordingtotheglobalstartstate.
Blockshaveparentblocks.Theglobalstartstatecorrespondingtoanygivenblockmay
bereconstructedbyreplayingallofitsancestorblocksinnormalchronologicalorder.For
ablocktobevalid,allofitsparentblocksmustalsobevalid.
Blocksalsocarrycertaindatausedtoprovethatacertainamountofcomputationpower
wasexpendedinitscreation.Forablocktobevalid,itsproofofworkdatamustbevalid
accordingtotheschemebeingused.
Consensusamongcorrectparticipantsrequiresthattheyeventuallyallconvergeonthe
samehistory.Bitcoinparticipantstakeasthemostrecentblocksomevalidblockfor
whichthetotalestimatedworkoftheblockanditsancestorsisgreatest.Aslongas
blocksarealwaysbeingaddedbycorrectparticipantstotheblocktheybelieveismost
recent,andthecorrectparticipantsoutnumbertheincorrectparticipantsintermsof
computingpower,thecorrectparticipantsdotendtoconvergetothesameglobalstate.
Correctparticipantsaregivenanincentivetocontinuecreatingblocks.InBitcoin,this
incentivetakestheformofcurrencyissuanceasuccessfulblockcreatorcanissueitself
currencyaccordingtoagreeduponrules.

Theresultisadurabletransactionledger,securedbyconsensusamongmultipleparties,that
doesnotobligatorilyrelyontrustinanysinglepartytofunctionnosinglepartycanalteror
removeanyportionofthecanonicaltransactionrecordwithoutperformingaverylargeamount
ofwork.Atransactionledgerthatisgloballyaccessible,easytoverify,anddifficulttomodify
providesevidentbenefitswhenusedastheunderpinningofadigitalcurrency:itallowsanyone
toverifythatagivenunitofcurrencybeingspenthasnotalreadybeenspentinthepast,and
preventspasttransactionsfrombeingarbitrarilyretracted.However,atamperresistantledgerof
thisformcanbeusedforpurposesotherthancurrency,whereverarequirementfor
censorshipresistant,repudiationresistantdatapublicationexists.Weexaminetherelative

3
potentialapplicabilityofthisparticularaspectofblockchaintechnology,incomparisonto
alternativesolutions,withrespecttoelectronicmedicalrecords.

1.2CurrentStateofElectronicMedicalRecordsintheUS
Electronicmedicalrecords(EMRs)todayarefragmentedacrossmyriadhospitals,private
practices,labs,pharmacies,and,increasingly,privatecompaniescollectingdatafromwearable
devices.Thisfragmentationwillonlyincreaseasmorefrequentjobchanges,greatermobility,
andtheriseofspecialtycaredrivemorechangesininsuranceplans,greaterrelianceon
multiplehealthcareproviders,andtheneedtoaccesshealthcareservicesfromahighernumber
ofoutlets.

Itiswellacknowledgedsincethe1990sthatreducingthisfragmentationbyincreasingtheease
withwhichEMRsareaccessedandtransferredacrossorganizationswillimproveourhealthcare
system.However,attemptstoimplementsolutionshaverunintobarriers,asaddressedinVest
andGammspapertitledHealthinformationexchange:persistentchallengesandnew
strategies1 [7],including:

healthcareprovidershesitationtosharewhattheyperceivetobeproprietarydata
patientconcernsaboutsecurityandprivacy
lackofstrongpoliticalwillfromregulators
historicallycostlytechnologicalsolutions,whosecostsoftenfalltohealthcareproviders
butwhosebenefitsoftenaccruetopatients,payers(e.g.insurancecompanies),andthe
healthcaresystemasawhole[5]

VestandGammsmodelreducesthespaceofhealthcarestakeholderstopayers,providers,
patients,andgovernmentalentities.Wefounditdifficulttohypothesizeabouthowagiven
stakeholderwouldreacttoaproposedchangeorincentivestructurewithoutmodelingthe
landscapeingreaterdetail.Belowisadiagramrepresentingtheheterogeneityofthe
stakeholdercategoriesinVestandGammsmodel,aswellasthespaceofinteractionsbetween
thesepartiesand,whererelevant,themiddlementhatmediatesuchinteraction.

Itswithinthiscomplexsystemofincentivescurrentlyinfluxthatwewillattempttoderivean
optimaldatastructureforEMRsthatwilladdresskeyproblemsofthestatusquo.Inevaluating
thesestructures,wewillassessbothcostsandbenefitstotheprimarystakeholdersofthe
healthcaresystempatients,(healthcare)providers,payers(includingMedicare/Medicaidand
privateinsurance),andregulators.Forcosts,wewillassessbothfinancialcostsaswellasthe
mentalcostassociatedwithbehaviorchangerelativetothestatusquo.Forbenefits,wehave
identifiedthekeygoalseachstakeholderhasforanEMRsystemandwillassesshowwell
differentdatastructuresaddressthesegoals.

1

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2995716/

4

Figure1:
Amapofstakeholdersandinteractionsinthehealthcareecosystem.

2DataStructureEnumeration
2.1RelevantQualitiesofDataStructures

Wetrytodefinethespaceofhealthcaredatamanagementsolutionsbyidentifyingtherelevant
propertiesofinterestandconsideringeachpossiblecombinationoftheseproperties.

Whentryingtoenumerateimportantorrelevantpropertiesofdatamanagementsolutionsfora
complexindustrylikehealthcareitsimportanttounderstandthespecificneedsofthe
stakeholdersinvolved.Inhealthcare,threefactorsareparticularlyimportant:data
lineage/integrity,datasecurity,andinteroperability.Weconsidereachofthesethreebriefly.

1. Ensuring datalineageanddataintegrity
isabigone.Ifyourehandlingresearchdataor
testresultswhoseintegritycandirectlyinfluencepeopleshealth,thenyouwanttoknow
thatthatdatahasntbeentamperedwithsincecreation.Assuch,itsinthepublic
interestforanyonetoverifythatresearchdataissecuredbyasolidchainofcustody
frombirth.Similarly,ifyourehandlingmedicalrecordsyouwanttoknowthatthose
recordsweregeneratedbyacrediblesource.Unfortunatelyadoctorinanotherstate
mayormaynotfallintothatcategory.
2. Ensuring datasecurityisanotherobviousconcernweneedtoensurethatrecords
cantberetrievedbypeoplewhoareunauthorizedtoviewthem.Ontheothersideofthe

5
 coin,allpartieswhoareauthorizedtoviewthemshouldbeabletoviewtheminahassle
freeway,includingemergencymedicalpersonnel,thePCPofapatient,thepatient
herself,andanyoneelsethepatientwishestobringintotheloop.Notonlythat,butthe
processofaddingorsubtractingaccesspermissionsshouldbepainlessand
instantaneous.
3. Ensuring datamobility,integration,andinteroperability
isthefinalpieceofthepuzzle.
Whatsthepointinhavinglegalaccesstoamedicalrecordifyouhavetoflyacrossthe
countrytoexercisethatright?Medicalrecordsshouldbecapableofmovementbetween
providerswithaminimalamountoffriction.Thecurrentprocessisafarcryfromthisit
frequentlyinvolvesphonecalls,paperwork,andFedEx.Evendigitalrecordsare
frequentlyincompatiblebetweentheelectronicssystemsofdifferentproviders.

Buthowdoweconvertthesespecificationsintoasmallsetoffeaturesorpropertiesthatwecan
usetoenumeratecategoriesofdatastructures?Wesettledonthreepropertiesthatcollectively
encompasstheabovespecifications:changetracking,decentralization,andproofofwork.
Changetrackingreferstotheabilitytoseethestateofthesystemanditscontaineddataatan
arbitrarypointinthepast,asopposedtomerelythemostrecentversionofthedata.Thisof
courseachievesthespecificationofdatalineageandintegritymentionedabove.
Decentralizationreferstoadistributionofcontroloftheactualserversanddevicesstoringthe
dataamongmanydiscreteautonomousentities,whichhelpsguaranteedatasecurityand
requiressomedegreeofinteroperability.Proofofworkreferstothepuzzlesolvingexecutedby
Bitcoinminersthatenablesthemtocollaborativelymineblocksandachieveconsensus
surroundingaversionofhistory.Thispropertyalsohelpsmaintaindatasecurityandintegrity
whilenecessarilyinvolvinganagreeduponinteroperableblockstructure.

2.2CandidateDataStructures

Welookatallpossiblepermutationsofthesethreepropertiesbelowanddescribeafeasibleand
reasonabledatastructurethatfallswithinthatcategory.Ingeneral,weassumea
wellimplementedsystembasedonsoundtechnologyandonlycritiqueeachproposalbasedon
itsinherentpropertiesandpropensitytodemonstratevariousvicesandvirtues.

Themostsignificantbitrepresentsproofofwork.Themiddlebitrepresentsdecentralization.The
leastsignificantbitrepresentschangetracking.

000 atraditional,centralizeddatabaseadministeredbyoneentity,likelyaprovider
oragovernmentalorganization

001 atraditional,centralizeddatabasewithchangetracking

010 adistributedpeertopeerencrypteddatabase,perhapsemployingdistributed
hashtableswithmanyredundantcopiesofdata

6
 011 adistributedversioncontrolsystemsuchasGit

100 notconsidered(asproofofworkdoesnotmakemuchsenseinisolation)

101 aprivateblockchainwithallnodescontrolledbyasingleentitywith
proofofworkrequiredtoimplementachange

110 adistributeddatabasewithoutchangetracking,sharedamongmany
stakeholders,andrequiringproofofworktoimplementachange

111 ablockchainwithproofofwork,ofwhichweconsidertwomajorvariants:
federatedblockchainswithasharedbutcontrolledownershipofmining
nodesamongasetofshareholders,includingthegovernment,
providers,payers,andvendors
pure,publicblockchainssuchastheBitcoinblockchain,withno
centralizedorfederatedcontrolonminingpower

Weevaluatealloftheseoptionsinturnforviabilityandsituationalaptitude.

3DataStructureAnalysis
3.1Scorecard
WecreatedascorecarddisplayedinTableAforevaluatingspecificproposalsregardingthe
administrationofEHRdatamanagement.ItisderivedfromthemodeldescribedinVestand
Gammspaperaswellasananalysisofthemostimportantissuestoeachstakeholder.Weuse
thisscorecardtoanalyzeeachofthesolutionsenumeratedabove.

Patients Providers Payers Regulators

Mental/
Behavioral
Costs

Financial

Patienthas Easyandfastto Costsarelower,i.e. Easeofenforcingregulation,

accesstoown accessrecords? fewerneedless i.e.careisauditable?
complete procedures?
record?

Benefits
Patientcontrols Easyandfastto Costsarelower,i.e. Qualityofcareisimproved?
privacyof modifyrecords? diseaseprevention,
record? compliance?

7
 Securityof Qualityofcareis Makesfraudmore Easytomonitorpublic
patientrecord improved,i.e.fewer difficult? health,epidemics,health
assured? preventablemistakes? trends?

Patientscan Increasedsafetyfrom Doesnotjeopardize

discerninsights malpracticecases? customersormakeit
fromtheirdata, easiertoswitch?
i.e.itissensible?

Doesnotjeopardize
customersormakeit
easiertoswitch?

TableA:
AscorecardusedtoevaluateEHRproposals.

3.2AnalysisofCandidateSolutions

3.2.1DataStructureswithoutChangeTracking(000,010,100,110)
Ensuringaccurateandcompleteprovenanceofrecordsisanimportantgoalinhealthcare.
Whenapatientreceivesacopyofhisorherownhealthrecord,orwhenadoctororpayer
receivesahealthrecordfromadistantoffice,therecipientwouldliketoensurethattherecordis
completeandcorrect.Patientsandproviderswantassurancethatnoimportantmedicalhistory
factshavebeenunknowinglyalteredorwronglyintroducedpayersneedaccurateinformation
onproceduresandtreatmentsperformed.

Anysystemthatmanageselectronichealthrecordsshouldprovidesomemechanismbywhich
changestoagivenrecordmaybetrackedandverified,atleastbyanyonewiththecapabilityto
readtherecord.Anauditorwhomaybeapatient,oradoctor,orapayer,oraregulator
shouldbeabletodeterminewhenaparticularvalueforaparticularattributewascreated,as
wellaswhatvalueswerepresentbefore,subjecttoanyusefulandreasonableprivacy
restrictionsapatientmaywishtoplaceonthisinformation.

Withagoodchangetrackingmechanism,datarecipientscanbeassuredthatthedatatheyare
receivingistheproductofasensiblerecordkeepingprocessandiftheobservedchange
historyisingreatconflictwiththepreviouslyobservedhistory,orotherwiseindicatesbehavior
outsidereasonableexpectations,thenthedatarecipientisjustifiedindemandingan
explanation.Anysystemwithoutrobustchangetrackingcannotprovidethiscrucialproperty,
sinceitbecomesmuchmoredifficultforadatarecipienttoascertainthelegitimacyofanydata
receivedespeciallywhenthatdatadoesnotconformtoexpectations.

8
Wethusdonotconsidersystemswithoutauditablechangetrackinginourdiscussionof
electronicmedicalrecords.

3.2.2Traditional,CentralizedDataStructure(001)
Afullycentralizedmodelassumesthatclientsrelyonthewordandworkofa singleauthority
for
theworldstate.Thissingleauthorityperformsallauthentication,authorization,dataprocessing,
anddatastorage.AnexampleistheUSSocialSecurityAdministration,whichisthesingle
authorityononeofthekeyidentifiersandmeanstoaccessgovernmentbenefits.

Inhealthcare,themostcredibleandpowerfulcentralauthorityisprobablytheCentersfor
MedicareandMedicaid(CMS).Asthelargestpayer,theCMSsetsthegroundrulesforhowand
whichhealthproceduresgetreimbursed,whichthenreverberatesacrosstheindustry.

Thetroubleisthathealthcareisnotacontainedsystemlikethatofsocialsecurityandmany
partiesmustfrequentlyreadandwritetotheEMRdatabase.Thus,thenaturalevolutionofusing
atraditional,centralizeddatastructurehasleadtotodaysworldwheremanyentitiesmaintain
theirownworldstatesbasedonthelimitedinformationtheyhavefromthedatatheyhave
accessto.Thereisnocommonworldstateacrosstheseorganizations,andpatientsand
providersmustdothelegworktoreconcileandunifytheseworldstatesininstancesofpatient
mobilityorcollaborativedeliveryofcare.

Evenifgovernmentmustersupthesubstantialpoliticalforceofwilltocentralizealldataunder
theCMS,thischangewilllikelyrequireamultibilliondollargovernmentproject,usingthemuch
simplerHealthcare.govs$500+millioncostasabenchmark.Inthisrealizationofafully
centralizedsystem,regulatorswillhavetobearallofthefinancialandmentalcost,requiring
relativelylittlebehaviorchangeorfinancialcontributionfromotherstakeholders(thoughonecan
arguethatultimatelythepatientsastaxpayingcitizensbearthefinancialburden).A
benevolent,enlightened,andsophisticatedgovernmentwouldthenbeabletohelpeach
stakeholderrealizehisobjectives.Morerealistically,centralizeddatabasesleadustowherewe
aretoday,wherebywegeneratenoadditionalmentalorfinancialcosts,butmustacceptits
failuretoaddressalloftheaforementionedgoalsofanoptimalEMRsystem.

Toprotectthesensitivityofthisdataacrossmultipleparties,thegovernmentintroducedHIPAA,
theHealthInsurancePortabilityandAccountabilityAct.Anyorganizationthatdealswith
protectedhealthinformationmustensurethatallrequiredphysical,network,andprocess
securitymeasuresareinplaceandmustabidebyprivacyrulesthataimtoinvolvepatient
signoffandsharingthebareminimumofdatatoachievegoals.Withouttheabilitytoachieve
thesegoalsthroughothermeans,HIPAAusesseverecivilandcriminalfinestopenalizebad
actorsafterthefact.

AcompletedscorecardcanbefoundinAppendixB.

9
3.2.3DistributedDatabasewithChangeTracking(011)
WenowconsideradistributeddatamanagementsolutionthattracksallchangestotheEHR
overtime.Weareassumingabestcasescenariowithrespecttothetechnology.Itshouldbe
entirelypossibletoimplementasecuredistributedversioningsystemthatallowsfinegrained
permissioningofbothreadandwriteaccess.Therecordshouldbesecureandprivate.It
shouldideallybepossibleforvariousorganizationstoreceivestatisticsrelatingtomedical
recordswithoutaccessingtherawdataitself.

Onecanimagineadistributedsystemofserversthattrackalargeamountofdataovertime,
andiscapableofrollingbacktoanypreviousstateofthesystem.Changestotherecordare
representedassetsofadditionsandsubtractionsfromthepreviousstateofthesystem.The
systemcanbemadetamperresistantwithchainedhashpointersandsignaturedependencies
topreventanyclandestinemodificationoftherecord,inasimilarmannertothemethodby
whichsomesoftwareversioncontrolsystemsensurechangelineageandintegrity.

Theparalleltoversioncontrolsystemsmayalsoprovideausefulmetaphorforunderstanding
theuserexperienceoftheproviders.Onecanhaveamasterbranchofthepatientsrecord
thattheproviderchecksoutwhenprovidingcaretothepatient.Intheprocessofdiagnosing
andtreatingthepatient,theprovidercanaugmentitslocalbranchoftherecord,thenmerge
thechangesintothemasterbranchwhenaconclusionordiagnosishasbeenreached.This
letstheproviderrunappropriatefollowuptestsbeforepublishingpotentiallymisleadingor
mistakentestresultstoapatientsrecord.Therecanbepoliciesinplaceregardingthe
frequencyofmergingrecordchangesforinstance,itmightbenecessarytopublishchanges
beforeprescribingapharmaceuticaloraftercertaintypesoftests.

Oneimportantquestionaffectstheperformanceofanyproposalinvolvingadecentralized
versioncontrolapproachtoEHRmanagement:whophysicallycontrolsthedata?Someoptions
includethestategovernment,thefederalgovernment,thepatientsthemselves,a
nongovernmentaltrustlessnetworkofservers(similartotheBitcoinnetwork,minusproofof
work),providers(perhapsthatmeetagivensizeaccordingtosomemetric),insurance
companies,oranycombinationoftheabove.Anyoftheseoptionsmaybeviable.Historically,
theburdenforhostingsimilardatahasfallentomedicalprovidersandtothegovernment.An
incentiveschemethatsomehowmotivatedinsurancecompaniesorpatientstoputforthtime
andmonetaryresourcestohostdatawouldvastlyimprovethechancesofasolutiontakingoff.

Iftherequirementforalwaysonlineaccesstothemostrecentdatabyanyauthorizedpartymay
bedropped,thenevensimplersolutionsfordatastoragemaybepossible,whileretainingthe
systemstamperresistanceandauditability.Onecanimaginethepatientcarryingawriteonly
memorydevice,perhapsintheguiseofaninsurancecardorsimilar,towhichsignedchanges
tothepatientsrecordarewrittenateachprovidervisit.Takingthedataofflineinthiswaydoes
seemtohinderpayerandregulatoraccess,asthecanonicalcopywouldexistonadevicethat

10
spendsmostofitstimedisconnectedfromtheworld.Oneshouldofcourseensurethatthe
storagedeviceusedisofacommonlyreadabletypeandusesaneasilyreadabledata
encoding,sothatpatientsretaintheabilitytoeasilyreadtheirownrecords.

AcompletedscorecardcanbefoundinAppendixC.

3.2.4PrivateBlockchains(101)
Privateblockchainsareabadideaingeneral.Theyeliminatethebenefitsofadecentralized
networkcapableoftrustlesstransactionsandrobustconsensus.Ablockchainwhoseentire
miningpooliscontrolledbyasingleentitydegeneratestoatraditionalcentralizedsystemwitha
bitofcryptographicauditabilitysprinkledontop.Whatsmore,thisauditabilitycanbeachieved
throughothermeansbesidesthemechanismsusedinblockchains.ToquoteVitalikButerin,
thereisnoreasontobelievethattheoptimalformatofsuchauthenticationprovisionshould
consistofaseriesofhashlinkeddatapacketscontainingMerkletreeroots generalizedzero
knowledgeprooftechnology providesamuchbroaderarrayofexcitingpossibilitiesaboutthe
kindsofcryptographicassurancesthatapplicationscanprovidetheirusers.[1]

However,thisproposalmaynotbeentirelywithoutmerit.Therearevanillaimplementationsof
blockchainsthatarepresumablyeasierforahospitaltogetrunningthanimplementingsecure
zeroknowledgeproofprotocol.Additionally,ifthedataformatoftheseprivateblockchainsis
somehowstandardizedearlyintheprocess,thentheadoptionofprivateblockchainsbythe
administeringstakeholdermayimprovedataportabilityandinteroperability.However,this
standardwouldlikelyhavetobemandatedbyastateorlocalgovernment,whichwouldbe
betteroffsimplymandatingastandarddataformatforconventionalrecords.

AcompletedscorecardcanbefoundinAppendixD.

3.2.5PartiallyOpenBlockchains(111)
Afederatedblockchainconsistofseveralpartiesthatjointlycreatetheworldstateandattempts
toreplaceBitcoinsdistributednetworkofvoluntaryminerswithproprietarycomputersbelonging
toapprovedusersthatprocesstransactions.Operationsonthisworldstatemayaffectmultiple
partiessimultaneously,andafederatedblockchainwouldforcethenetworktoshare
responsibilityovereachothersdatabases.

Inthecaseofhealthcare,suchagroupwouldlikelyincluderegulators,providers,andpayers.
Federationsarelikelytobeorganizedbysystemsofcare,mostlikelyidentifiedbygeography,
suchascommunityorstate.Patientsareassumedtostaywithinthesesystemsofcarethat
crossorganizations.Mostlikely,afederatedblockchainwillbeappliedontopofanexisting
healthinformationexchangecommunityasawaytofurtherreducecostsandhelpthe
communityreachfinancialsustainability.

11
Currentsharingofdataacrossthesesystemsofcareexistwiththecombinationofcentralized
datastructureswithineachindividualorganizationandHIPAAcompliantdatatransmission.
Withtheblockchain,organizationscancometogetherandjointlycreateapublic(tothe
federation)truththateachorganizationcanmodifywithrequisiteproofofwork.Becauseminers
aredistributedacrossorganizations,eachorganizationcheckseveryotherorganizations
databasemodifications.

Suchasystemismoresecurethanthestatusquo,asorganizationsareabletoaggregate
computingpowertosecuretheblockchain.Also,dataisredundantacrossorganizations,
avoidingsinglepointsoffailure.Fewerpartiesmeansitsquickertomodifythesystemscode
andrevertactionsnodesarewellconnectedandmanualinterventioncanquicklyfixalotof
faultsandenablefasterconfirmationtimes.Actionsonthechainarealsocheaper,requiring
lesswastedproofofwork.Itissimpletorewritetherules,especiallyregardingread
permissions,whichisausefulpropertyinthecontextofEMRs.However,manyofthesegoals
canalsobeachievedwithoutproofofwork,whichisanexpensiveformofsecurity.

Additionally,removingpatientsfromthepictureremovesoneofthekeybeneficiariesofamore
liquidEMRsystemandendsupleavingmostlyantagonisticpartiesatthetable.Givenasolution
likethisrequiressystemwidebuyin,itsunlikelythatwithoutpatientsatthetablepushingfor
thissolution,otherpartieswillreachconsensusinadoptingafederatedblockchain.

AcompletedscorecardcanbefoundinAppendixE.

3.2.6Public,OpenBlockchains(111)
Consideringthepotentialissueswithdeployingandensuringacceptanceofmoreclosed
systems,weturnourattentiontothepossibilityofbuildinganelectronicmedicalrecordsystem
usingapublic,openblockchainasatrustanchor.Itisofcoursenotdesiredtoplacemedical
recordsdirectlyonsuchablockchain,asanyinformationcommittedtoanopenblockchainis
naturallygloballyvisiblethispropertywouldimmediatelyintroduceseriousprivacyconcernsfor
thepatientsdescribedbytherecordsbeingkept.Additionally,ifapublicblockchainlikeBitcoin
istobeused,therestrictionsondatastorageforthehostblockchainmustberespectedBitcoin
itselfonlypermits80bytesofuserchosendatatobeaddedtotheblockchaininagiven
transaction[2],sofullmedicalrecordscouldnoteasilybestoreddirectlyevenifprivacywerea
nonissue.

However,ifwepermitasecondarydatastoragemechanism,e.g.adistributedhashtablewith
openparticipationandcustomaccesscontrolmechanisms,thenwemayhavethetoolsneeded
tobuildasensibleprivacyrespectingelectronicmedicalrecordsystem.TheEnigmaprotocol[9]
describesaprivacyrespectingprogrammablesubstrate,usingsecretsharingandsecure
multipartycomputationtoachieveTuringcompletecomputationoverprivatedata,andusingan
openblockchaintoperformidentitymanagement,accesscontrol,andauditing.Enigmais
constructedsuchthattheoffchainnetworkpermitsandincentivizesopenparticipation,allowing

12
anyonetoparticipateinkeepingtheEnigmasystemrunning,andsuchthatthepublic
blockchainstoresauditrecordsofoffchainactivity,allowinganyonetoverifythattheoffchain
networkisoperatingcorrectlywithoutbeingabletodiscoverprivatedata.

SinceEnigmaishighlyprogrammable,wecanconstructourEMRsystemessentiallyhowever
wewish.Itneednotfollowparticularlycomplicatedrulesasanexample,bydefault,agiven
patientsmedicalrecordcanbereadableonlybythepatient,andonlyuponrequestbya
providerand/orpayer(signalledbye.g.asmartphoneapplication)doestherecordbecome
accessibleandwritableasnecessarybytherespectiveparties.Suchanarchitecture,
instantiatedcorrectly,givesthepatientaccessandcontrolovertheirowncompletemedical
recordwithoutimposingthesingularburdenofstoringortransmittingit,whileallowingallparties
toparticipateinandverifycorrectoperationofthenetwork.

Ifpatientsarewillinginpracticetodisclosethenecessarydata,thenbeingabletocomputeover
completemedicalrecordsbringsadvantagestoproviders,payers,andregulators.Providers
andpayerscanassessthemedicalneedofanygivenprocedureinthecontextofapatients
entiremedicalhistory,potentiallyenablingotherwiseunavailableinsightsandpotentially
reducingtheincidenceofmedicallyunnecessarywork.Regulators,withoutneedingtohandle
theactualrecords,arestillabletocomputetrendsovermedicalrecordsinaggregate,
potentiallygivingthemthetoolsneededtodiscoverpublichealthtrendsessentiallyasthey
happen.

Thelargestissuewithanysuchsystem,supposingthepiecesworkasadvertised,istheissue
ofkeymanagement.IdentityinanyEnigmabasedsystemistiedtoprivatekeysshouldthese
keysbelostorotherwisecompromised,controlofthecorrespondingidentityislost.Thiscanbe
especiallyproblematicifapatientlosescontrolofthekeyowningacorrespondingmedical
record,asdirectcontrolofthemedicalrecordislost.Thissituationisnotentirelyimpossibleto
recoverfromforinstance,thekeyitselfmaybedistributedbyasecretsharingmechanismto
multiplepartiallytrustworthyparties,andakeyrecoverymechanismderivedfromthat,orthe
entiremedicalrecordmayberetrieved(ifdisclosedinsuchformintherecentpast)fromthe
patientslastvisitedproviderandreissuedunderanewkey.Anysystemusingprivatekeysas
identitiesmustconsiderthekeyrecoveryissue,butitisespeciallyimportantinthecaseof
medicalrecordmanagementaslossofanentiremedicalrecordwouldbeproblematicforthe
correspondingpatient,inthecontextoffutureandongoingmedicalcare.

Becauseinthisarchitecturethepatienthasfinalcontroloverwhatdatagetsdisclosedtowhom,
providersstillfacetheprospectofhavingtodisclosedatatheymayperceiveasproprietaryto
partiesthatmaybepotentialcompetitors.Aswithanypersonalhealthrecordsystem,providers
mustbeconvincedthatthenetbenefitsofcontributingcomprehensiveinformationtoapatients
recordoutweighthenetbenefitsofconcealinginformationperceivedproprietary.

AcompletedscorecardcanbefoundinAppendixF.

13
4Recommendation,Observations,andConclusion
Givenouranalysis,webelieveblockchainbasedtechnologyisaviablechoiceforEMR
management.Notably,thelackofanysingleentitythateveryonetruststorunacentralized
systemindicatesthatadecentralizedonemightbefavorable,andtheminimizationofrequired
trustrelationshipsseemslikeagoodfitforsuchanenvironment.Theweaknessesthat
blockchaintechnologycurrentlypresents,suchaslackofhighvolumeprocessinganddifficulty
handlingprivatedata,canincreasinglybeaddressedwithadvancementslikeEnigmaand
BitcoinNG,andwebelievethehighamountofdeveloperattentionontheblockchainwill
continuetoresolveotherweaknessesthatemerge.

However,whileblockchainsare a
goodchoiceforthisapplication,considerationmuststillbe
giventoalternativesthatachievethesamegoalofenablingcomplete,auditablepatientowned
personalhealthrecords.Arguably,alternativesbuiltondecentralizedchangetracking
databasescanbecomparablyeffectiveatenablingcompleteness,auditability,anddatacontrol
ifwellengineered.Tosettlethequestiondecisively,itmaybecomenecessarytoinstantiate
morecomprehensivesystemdesignsandconductmoredetailedcostbenefitanalyseswiththe
morecompletedesignsinhand.

ThebiggerquestionishowtogetthehealthcaresystemtoadoptanynewEMRmanagement
system,giventhecomplexandoftencompetinginterestsinvolvedintheecosystem.The
benefitstopatientsofhavingownershipofacomprehensivehealthrecordareappealing,but
patientsarehistoricallyalsothemostdisempoweredofthestakeholdergroups.Achievinga
successfulimplementationofpatientcontrolledEMRsrequiresacompellingenoughmessage
tomobilizepatientsandpatientadvocacygroupstojumpstarttheinitiative.Previousinstances
haveshownthatregulatorsrarelyhaveurgencyininitiativeswithoutsufficientcitizenattention,
anotherreasonformobilizingpatients[3].

Then,givenachangelikethisrequiressystemwidesupport,itmakessensetoimplementthis
firstinacontainedhealthcommunity,ideallyonewhere

therearemanysmallproviderswhoareonfragmentedEMRsystemsbutdonthavethe
abilitytoprovideallhealthcareservicesalone.Thissolutioncanallowthemtobecome
partofaphysicallydistributed,fullserviceprovider.Thisargumentbecomesmore
compellingashealthcareproviderscontinuetospecializeandfragment,asindicatedby
theriseofminuteclinicsandUberstyledoctorsondemand.Additionalkeyarguments
includecostsavingsversusthecurrentmethodofexchanginginformation(fax,security,
highcostHIPAAcomplianttechnologysolutions)andtheinevitablemarchofhealthcare
paymentstowardsapayforperformancebasis,whichrequirescoordinatedcare
thereisoneortwopayers,toreducethenumberofpartiesfromwhomwemustget
buyin
thereisaforwardlookingregulatorwhowillprovidesupportifthesolutiongainstraction

14

Somegoodcandidatesforinitialcommunitiesareonesthathaveestablishedhealthcare
informationexchanges,suchasthe UtahHealthInformationNetwork.

Foranalysisregardingotherpotentialapplicationsoftheblockchain,wesuggestasimilarinitial
approachofmappingoutthestakeholdersinthespaceandidentifyingtheirkeybehavioral/
financialcostsandmotivators.Alackoftrustacrossparticipatingpartiesineachotherorone
centralentityisagoodinitialindicationthatablockchainmaybeaworkablesolution.One
shouldconsiderwhethertheconstraintsoftheapplicationmaypermitadistributeddatabase
solutionwithoutcouplingtoaproofofworkrequirement.Then,giventhatanynewsolutionof
theseformsoftenrequiressystemwidechange,oneshouldassesshowdifferentpartiesinthe
systemareimpactedandwhichpartiesarelikelytoprovidetheprimarythrustforadoption.

15
5Bibliography

EthereumBlog
[1]Buterin,Vitalik."OnPublicandPrivateBlockchains." .N.p.,07Aug.2015.Web.16Dec.2015.

[2]"ChangetheDefaultMaximumOP_RETURNSizeto80BytesbyFlavienPullRequest#5286Bitcoin/bitcoin."
GitHub.N.p.,n.d.Web.16Dec.2015.

[3]Cordina,Jenny,RohitKumar,andChristaMoss."DebunkingCommonMythsaboutHealthcareConsumerism."
McKinseyandCo.,Dec.2015.Web.16Dec.2015.

[4]"HealthCareFraudandAbuse."(2009):n.pag.CenterforMedicareandMedicaidServices.Web.

HHS.gov
[5]"HealthInformationPrivacy." .USDeptofHealthandHumanServices,n.d.Web.16Dec.2015.

WashingtonPost
[6]Kessler,Glenn."HowMuchDidHealthCare.govCost?" .TheWashingtonPost,24Oct.2013.
Web.16Dec.2015.

[7]Vest,J.R.,andL.D.Gamm."HealthInformationExchange:PersistentChallengesandNewStrategies."
Journal
oftheAmericanMedicalInformaticsAssociation17.3(2010):28894.Web.

[8]"WhatIsHIE(HealthInformationExchange)?"HealthIT.gov,n.d.Web.

[9]Zyskind,Guy,OzNathan,andAlexPentland."Enigma:DecentralizedComputationPlatformwithGuaranteed
Privacy."(n.d.):n.pag.Web.

16
6Appendices
6.1AppendixA
BlankScorecard

Patients Providers Payers Regulators

Mental/
Behavioral
Costs

Financial

Patienthas Easyandfastto Costsarelower,i.e. Easeofenforcingregulation,

accesstoown accessrecords? fewerneedless i.e.careisauditable?
complete procedures?
record?

Patientcontrols Easyandfastto Costsarelower,i.e. Qualityofcareisimproved?

privacyof modifyrecords? diseaseprevention,
record? compliance?

Securityof Qualityofcareis Makesfraudmore Easytomonitorpublic

patientrecord improved,i.e.fewer difficult? health,epidemics,health
assured? preventablemistakes? trends?
Benefits

Patientscan Increasedsafetyfrom Doesnotjeopardize

discerninsights malpracticecases? customersormakeit
fromtheirdata, easiertoswitch?
i.e.itissensible?

Doesnotjeopardize
customersormakeit
easiertoswitch?

17
 6.2AppendixB
Scorecardfortraditionalcentralizeddatabase

Patients Providers Payers Regulators

None None None High
musttakeon
Mental/ burdenofsettingupand
Cost Behavioral maintainingcentralized
database

None ,potentially None None Highpotentially

Financial additionaltaxes multibilliondollarinitiative

Patienthasaccessto Easyandfasttoaccess Costsarelower,i.e.fewer Easeofenforcing

owncompleterecord? records? needlessprocedures? regulation,i.e.careis
auditable?

Highcentralized Highcentralizeddatabase High centralized Highcontrolsdatabase,

databasecreatesone createsonesourceof databasecreatesone socanauditatanypoint
sourceofcomplete completerecords sourceofcomplete
records,provided records,socandecrease
governmentgrants
patientsaccess
likelihoodofredundancy
oractionsbasedoff
incompletedata

Patientcontrolsprivacy Easyandfasttomodify Costsarelower,i.e. Qualityofcareis
ofrecord? records? diseaseprevention, improved?
compliance?

Lowtonone unless Medium dependsonhow Low noadditionalability Highcentralized
therearepolicy regulatorimplementsrulesof toinfluencepatient databasecreatesone
changes,theregulator database complianceorprevention sourceofcomplete
controlstherecord unlessthisisan records,soeasierto
Benefits additionalfeaturebuilt coordinatecareanddata
intodatabase acrosshealthcarerelated
parties

Securityofpatient Qualityofcareisimproved, Makesfraudmore Easytomonitorpublic

recordassured? i.e.fewerpreventable difficult? health,epidemics,health
mistakes? trends?

Lowonedatabaseto High centralizeddatabase Low requirescentral Highcontrolsdatabase,

hackintowithallEMR createsonesourceof authoritytopoliceagainst socanauditorrun
data?yes,please! completerecords,socan fraud,thusrequiringalot analysesatanypoint
decreaselikelihoodof ofresources
redundancyoractionsbased
offincompletedata

Patientscandiscern Increasedsafetyfrom Doesnotjeopardize

insightsfromtheirdata, malpracticecases? customersormakeit
i.e.itissensible? easiertoswitch?

Unclear dependson Medium likelytohelp Low dataportability

ifregulatorbuildstools prevent
unfounded makesiteasierfor
forotherstodevelop malpracticecases patientstoswitchto
analysisontopofdata anotherprovider..Can
limitthisthrough
agreeduponrules.

Doesnotjeopardize
customersormakeiteasier
toswitch?

Lowdataportabilitydoes
makeiteasierforpatientsto
havelowercosttoswitchto
anotherparty.Canlimitthis
throughagreeduponrules

18
 6.3AppendixC
Scorecardfordistributeddatabasewithhistorytracking

Patients Providers Payers Regulators

None High,providersmust High,payersmust Low,makestheirlivesmuch

digitizeallrecordsin digitizeallrecordsin easier
Mental/ standardformatand standardformatand
cedeownership cedeownership
Behavioral

None Mediumshortterm: Mediumshortterm: Low,potentiallycostsaving
therewillbetransitioning therewillbe

Costs costs transitioningcosts

Lowlongterm:easierto Lowlongterm:easier
Financial accessrecords, toaccessrecords,
distributedIT distributedIT
maintenancecosts maintenancecosts

Patienthasaccessto Easyandfasttoaccess Costsarelower,i.e. Easeofenforcingregulation,i.e.

owncompleterecord? records? fewerneedless careisauditable?
procedures?

High,recordis High,nomorechasing High,previoustest High

coherentandunified downrecords resultsetcareall
availabletoproviders


Patientcontrols Easyandfasttomodify Costsarelower,i.e. Qualityofcareisimproved?
privacyofrecord? records? diseaseprevention,
compliance?

High,assuminggood High,assuminggood Medium High
implementation implementation

Securityofpatient Qualityofcareis Makesfraudmore Easytomonitorpublichealth,
recordassured? improved,i.e.fewer difficult? epidemics,healthtrends?
preventablemistakes?
Benefits
High,assuminggood High,thisshouldfollow Medium,thereis High
implementation naturallyfromeasy moreoversightto
accesstomedical changestomedical
records recordbutmany
fraudtypesarestill
possible

Patientscandiscern Increasedsafetyfrom Doesnotjeopardize

insightsfromtheir malpracticecases? customersormakeit
data,i.e.itissensible? easiertoswitch?

High,thisshouldfollow High,fullauditability Low,thiswouldlower

naturallyfromhaving barrierstoswitching
accesstoacomplete insuranceproviders
record

Doesnotjeopardize
customersormakeit
easiertoswitch?

Medium,thissystem
wouldlikelymakeit
easierforpatientsto
changeproviders

19
 6.4AppendixD
Scorecardforprivateblockchains

Patients Providers Payers Regulators

High(assuming High(assumingpayers Low(willhavetoretrainto

Mental/ None providersadministera administera accommodatenewdata
Behavioral blockchain) blockchain) management
system)


Medium(requires Medium(requiresinitial Low(willhavetoretrainto
Costs None initialcoststosetup, coststosetup,but accommodatenewdata
butprivate privateblockchainscan management
blockchainscanreach reachnearoptimal system)
Financial nearoptimal efficiency...no
efficiency...no expensivePoW)
expensivePoW)

Patienthasaccesstoown Easyandfastto Costsarelower,i.e. Easeofenforcing

completerecord? accessrecords? fewerneedless regulation,i.e.careis
procedures? auditable?

Nochangefromstatusquo: Dependsondegree Low,thereisno Medium,blockchainslikely

therecordisstillfragmented andqualityof guaranteed enforceaminimumquality
acrossorganizationsand communication improvementincare. standardondata
maystillbedifficultto betweenadministering management,andhave
synthesize. entities.Likelylow. builtinchangetracking

Patientcontrolsprivacyof Easyandfastto Costsarelower,i.e. Qualityofcareis

record? modifyrecords? diseaseprevention, improved?
compliance?

Medium:thisshouldbe Highisblockchainrun Low,thereisno Low,thereisno
possibleassuming locally.Lowif guaranteed guaranteedimprovement
wellimplementedprivate blockchainrunbygovt improvementincare. incare
blockchains,butpatientust orpayer.
trustadministeringentities

Benefits Securityofpatientrecord Qualityofcareis Makesfraudmore Easytomonitorpublic
assured? improved,i.e.fewer difficult? health,epidemics,health
preventablemistakes? trends?

Yes,theformfactorofa Low,recordsarenot Low,institutionshave Low,onlytotheextent

blockchainnecessitates muchmoreaccessible completecontrolover thatswitchingto
bettersecuritythanmany thantheyarenow. theirinternalreporting blockchainsimprovesdata
conventionalsystems system. portability

Patientscandiscern Increasedsafetyfrom Doesnotjeopardize

insightsfromtheirdata,i.e. malpracticecases? customersormakeit
itissensible? easiertoswitch?

Nochangefromstatusquo. High,theformfactor Low,onlytotheextent

ofablockchain thatswitchingto
necessitatedgreater blockchainsimproves
auditabilitythanmost dataportability
currentsystems

Doesnotjeopardize
customersormakeit
easiertoswitch?

Low,these
blockchainswouldbe
managedbyindividual
providers,justasEHR
databasesarenow.

20
 6.5AppendixE
Scorecardforpartiallyopenblockchains

Patients Providers Payers Regulators

None Highchangecurrentdata Highchangecurrent Highchangecurrent

Mental/ transferbehaviorsand datatransferbehaviors datatransferbehaviors
Behavioral createrolesforminers andcreaterolesfor andcreaterolesfor
miners miners

Costs None Mediumcostofminers Mediumcostofminers Mediumcostofminers
Financial andmining,offsetby andmining andmining
cheapdatatransfer

Patienthasaccessto Easyandfasttoaccess Costsarelower,i.e.fewer Easeofenforcing

owncompleterecord? records? needlessprocedures? regulation,i.e.careis
auditable?

MediumtoHigh as Highaslongasthe High aslongaspatient Medium mustauditall

longaspatientstays recordiswithinthe iswithinfederation, federations,buttheactof
withinfederationand federation,thisshould coordinatedcareshould auditingismucheasier
federationallows improvedramatically beeasierandreduce asorganizationsare
needlessprocedures clustered

Patientcontrols Easyandfasttomodify Costsarelower,i.e. Qualityofcareis

privacyofrecord? records? diseaseprevention, improved?
compliance?

Low nochangesin Medium withinthe Low noadditionalability Highwithinthe
privacycontrolswithin federation,thisistrue toinfluencepatient federation,itwillbemuch
federation bureaucraticallybutdifficult complianceorprevention easiertocoordinatecare
computationally,asit anddataacross
requiresproofofwork organizations

Benefits Securityofpatient Qualityofcareis Makesfraudmore Easytomonitorpublic
recordassured? improved,i.e.fewer difficult? health,epidemics,health
preventablemistakes? trends?

Medium any Highaslongasthe Medium anyattemptby Medium insteadof

attemptsbymembers patientremainswithinthe membersofthe trackingacrosseven
totakeimproper federation,itwillbemuch federationtocommit morefragmented
actioncanbe easiertocoordinatecare fraudcanbequickly database,onlyneedto
identifiedbyrestof anddataacross identifiedbyrestof trackdownthedata
groupandcorrected organizations federationandcorrected acrossdifferent
inabsenceofcollusion federations

Patientscandiscern Increasedsafetyfrom Doesnotjeopardize

insightsfromtheir malpracticecases? customersormakeit
data,i.e.itis easiertoswitch?
sensible?

Low nochanges, Medium likelytohelp Low dataportability

thoughdataorganized prevent
unfounded doesmakeiteasierfor
acrossafederation malpracticecases patientstohavelower
systemmighthelp costtoswitchtoanother
patienttoseeholistic partyinthefederation.
pictureofhealthupon Canlimitthisthrough
accessingowndata federationagreedupon
rules

Doesnotjeopardize
customersormakeit
easiertoswitch?

Low dataportabilitydoes
makeiteasierforpatients
toswitchtoanotherparty
inthefederation.Canlimit
thisthroughfederation
agreeduponrules

21
 6.6AppendixF
Scorecardforopen,publicblockchains

Wefirstdescribethishypotheticalsolutioninmoredetail.WeareconsideringanEMRmanagement
systemusingtheEnigmasystemasabackend.Thissystemisimplementedassuch:
Enigmausesapublicblockchaintostoreproofsofcorrectexecution,andanoffchain
networkforaccomplishingsecuredistributeddatastorageandmultipartycomputation.
Apatientmaintainsownershipauthorityoverhisorherownmedicalrecord.
Inasimplersystem(treatingthisblockchainbasedsystemasadatabasenode),thepatient
canchoosetodisclosecertainelementsoftheirrecordtoaproviderorpayerondemand,
andtheupdatedrecordendsupintheprovider/payersystem.
Inamorecomprehensivesystem(implementingtheentiresysteminEnigma),thepatient
mayalsobeabletochoosetorevokevisibilityoncertainelementsoftheirdata.
Thisishard
toensurewithoutregulatorysupportandcarefulauditing,andmaynotactuallybepractical.
Enigmachargesfeesforcomputationandstorage.

Patients Providers Payers Regulators

Medium/High Medium/High Medium/High Key Medium/High Key

Havetodokey Recoveryfromkey theftisstillavector theftisstillavectorfor
management compromiseis fordangerousdata dangerousdata
Mental/ somehowto hard.Keytheftis compromise,sobest compromise,sobest
Behavioral maintainaccessto stillavectorfor practicesmustbe practicesmustbe
records.Recovery dangerousdata followed. followed.
fromkey compromise
compromiseis (thoughdetection
Costs hard. maybeeasier).

Medium If Medium Medium Payers Medium Regulators

patientsowntheir Providersmaybe maybeliablefor maybeliableforcosts
data,theymaybe liableforcosts costsrelatedto relatedtocomputation
Financial liableforthe relatedtoaccess accessofpatient overpatientdata.
storagecosts. ofpatientdata. data.Somecosts Somecostsmaybe
Additionally, Somecostsmay mayberecoupedby recoupedby
increasedcostsfor berecoupedby participationinthe participationinthe
providerand participationinthe Enigmanetworkon Enigmanetworkonthe
payersmaybe Enigmanetworkon thecomputeside. computeside.
passeddown thecomputeside.
throughhigher
insuranceand
medicalbills.

Patienthasaccessto Easyandfastto Costsarelower,i.e. Easeofenforcing

owncompleterecord? accessrecords? fewerneedless regulation,i.e.careis
procedures? auditable?

HighEnsurableby Notknown High Aslongas HighAslongasthe

design,with dependentonthe patientagreesto necessaryprocesscanbe
appropriateclient performanceofthe discloserelevant encodedinanEnigma
support. Enigmaoffchain recordstoproviders, smartcontract.Trivially
Benefits network.Historically,
computationon
andprovidersarewilling
totrustrecords.
doableinthesimple
modelifdatarevocationis
encrypteddatahas notaconcern.
beenslowinpractice.

22
 Patientcontrols Easyandfastto Costsarelower,i.e. Qualityofcareis
privacyofrecord? modifyrecords? diseaseprevention, improved?
compliance?

HighEnigma Notknown High Aslongas Potentiallyhightothe

enablesfinegrained dependentonthe patientagreesto degreetowhichcomplete
accessanddisclosure
controltobe
performanceofthe
Enigmaoffchain
discloserelevant
recordstoproviders,
medicalrecordsare
actuallyprovidedand
implementedina network.Historically, andprovidersarewilling contributetoqualityof
smartcontract. computationon totrustrecords. care.
encrypteddatahas
beenslowinpractice.

Securityofpatient Qualityofcareis Makesfraudmore Easytomonitorpublic

recordassured? improved,i.e.fewer difficult? health,epidemics,health
preventable trends?
mistakes?

HighBydesignif Possiblyhigh as High Withappropriate Potentiallyhigh
theEMRsystemis longasprovidersare systemdesign,veracity Dependentonwhether
constructedproperly. willingtoprovide
usefuldatainthe
ofclaimscanbeaudited
againstmedicalhistory,
patientsarewillingto
sharethisdatainpractice.
sharedmedical ifpatientagreesto Enigmacontractlanguage
record,providerscan disclosethenecessary allowsaggregate
considercarein data. computationwithoutgiving
Benefits context. regulatorsaccesstoraw
data,butthismustbe
understoodbypatients.

Patientscandiscern Increasedsafetyfrom Doesnotjeopardize

insightsfromtheir malpracticecases? customersormakeit
data,i.e.itis easiertoswitch?
sensible?

Possiblyhigh Notknown .Allows High,itislikelythatan

Dependentonany provingthatcertain openuniversaldata
clientsoftwareto datawasusedand systemwilldecrease
presentpatientrecord thatcertain barrierstoswitching
inasensibleway. procedureswere insurancecompanies
followed,butdoesnot
eliminatehuman
factorsentirely.

Doesnotjeopardize
customersormakeit
easiertoswitch?

High,itislikelythat
anopenuniversal
datasystemwill
decreasebarriersto
switchingproviders

23