Concerns about consent management
With the deployment of more and more eHealth solutions, a critical point is for patients to be able to grant authorized persons selected, partial or total access to their personal data. This is called consent management and is a key issue for eHealth. In other domains such as agriculture, the need to share some data with various professional or state organizations makes an efficient consent management system, shared among different applications and databases, mandatory. Another example is the IoT domain, where an object owner may need to delegate rights on his object to other actors (either to grant access to the data coming from the object, or to let someone else use the object). Existing solutions that claim to address the related challenges (governance, granularity, traceability) turn out to be poorly suited, for several reasons: trust rests on a single solution provider, consents cannot be audited by third parties, and privacy is handled in an "all or nothing" mode. Moreover, these solutions are built directly into applications, which makes it difficult to manage consents across several applications and/or information systems.
In classical solutions, dedicated records are used: when a consent management function exists at all, it is managed in a silo by each application, so the user has to define his consents in each of them. Trust rests on the application provider alone, which acts as the single trusted third party.
Moreover, consent is generally given as global access to the whole set of the user's data in the application: the user has no way to split his consent, and no way to control what use is made of his data.
In the "Orange Consent Management Service" solution we developed, these issues are addressed with a Blockchain based solution, and in addition the consent management function can be shared among several applications. Consent is also managed at a finer grain: the data owner sets precise rights (read, write, consent validity period) for each specific user to whom he grants consent.
The main features that make Blockchain based solutions relevant for the selected use case are:
- trust improvement, as trust no longer relies on a single actor but is distributed among a whole set of actors: approval of records and delivery of access authorizations are fully decentralized.
- immutability, since the ledger cannot be falsified: non-repudiation is effective because the data register is replicated, and once a consent is recorded it can no longer be modified or deleted (a modification is recorded as a new consent). This guarantee holds as long as the consortium's validating nodes are not collectively compromised, which is why the choice of consortium members matters.
This approach brings a major trust improvement, because responsibility for consent management is shared among several actors with differing interests. This mechanism is illustrated in Figure 1 below.
Transparency is also provided, as consents can be audited by third parties.
Different kinds of Blockchains exist: public blockchains (access is open, with no restriction) such as Bitcoin or Ethereum, and private or consortium blockchains (access to the network is restricted to duly authorized actors). For sensitive data management, a consortium type solution was selected, based on Hyperledger.
In this type of protocol, one must be invited to become a "node" and take part in the transaction and block validation process. Hyperledger provides native security management, a membership service and a modular architecture (pluggable consensus); moreover, it is industry oriented.
How does it work
The demonstrator we developed was built with Hyperledger and first integrated into a medical data collection chain. It was then also integrated into an IoT domain prototype, into an agricultural data sharing project and into other health related projects. In this solution, consents are managed by smart contracts (programs offering operations such as "Create", "Remove", "Use" and "Delete"). A consent defines, for a given user, which access rights are granted to him on which types of data. In the present prototype, the only access modality provided is a time slot (i.e. the data are accessible between two dates), but this can be extended with other access modalities depending on the use case.
When a user defines a consent, he interacts with a consent smart contract to create a new transaction, which is first stored and then recorded in a block once a majority of the nodes running Hyperledger have validated it; the block is then appended to the ledger with the hash chaining information that protects the integrity of this block and of all the previous ones. Note that this chaining guarantees integrity, not confidentiality: the confidentiality of the consent records relies on the consortium restricting who may run a node and read the ledger.
In practice, this solution is hosted in the Orange Flexible Engine cloud, on a Blockchain as a Service infrastructure. Of course, to be consistent with the Blockchain philosophy, the solution can also integrate Hyperledger nodes hosted outside the Orange cloud.
Thanks to its intrinsic features (decentralization, built-in consensus, cryptographic techniques), Blockchain (lower right part of figure 2) is an innovative way to address consent management. That is why it was chosen to implement our patient consent management function, which is integrated into a medical data collection chain.
In addition to the features of the Blockchain mechanism itself, the consent management function we demonstrated adds a finer grain for patients to manage their consents: instead of being defined at the patient record level, as in most existing solutions, consent is set at the vital sign level (for example, heart rate and step count can be shared separately). Digital trust is also improved, since the consent data recorded in the ledger are not under the responsibility of a single actor but validated by the whole set of consortium partners.
A simple and efficient solution
The end-to-end view of the solution demonstrator is shown in figure 4 above, which displays all the actors, servers and sensors involved. In our specific use case, and for the purpose of our scenario, we also integrate our Continua data collection chain and a multi vital sign sensor (Gogo EarBuds) that produces heart rate and step measurements. The solution works in four steps, detailed in figures 3 to 6 as follows.
The first step (figure 3 below) is consent recording: the data owner (here, the patient) defines his consent through the application that gives access to his data, and the consent is recorded in the Blockchain through the consent management server.
In the second step (figure 4), the patient's data are recorded in the classical way via the Continua data collection chain: from the Gogo EarBuds sensor, which measures heart rate and number of steps, via the gateway application on the patient's mobile phone (which also computes data derived from the two measurements), up to the data server.
In the third step, illustrated in figure 5, third parties can only access the data for which the patient has granted them authorization: upon a consultation request, the data management server queries the consent management server, which returns the authorizations recorded in the Blockchain.
Figure 6 shows how the Blockchain is used for ledger consultation (simple read access).
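As an added example (not the Orange code, whose chaincode is not published), the following Go program models the consent data from the "How does it work" section and the four-step flow above: a grant is one append-only record holding the grantee, the data type at vital sign level, the right and the validity window; a revocation is a new record rather than an edit of the old one; and the check the data management server performs against the consent server returns a decision and appends it to a trace, so both consents and accesses can be audited. The names (patient-42, dr-lee), the data types and the Consent fields are assumptions, and an in-memory slice stands in for the ledger state that real chaincode would read and write through the Hyperledger Fabric chaincode API.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Right is an access right the data owner can grant on one type of data.
type Right string

const Read, Write Right = "read", "write"

// Consent is one ledger record: a grant (Revokes == 0) or a revocation naming the grant it
// cancels. Hypothetical schema (the Orange chaincode fields are not published); it only
// models the page's rule that a change is a new record, never an edit of an old one.
type Consent struct {
	ID                 int
	Owner, Grantee     string    // data owner (the patient) and the user receiving the right
	DataType           string    // vital-sign level, e.g. "heart_rate" or "steps"
	Right              Right
	ValidFrom, ValidTo time.Time // access allowed in the half-open window [ValidFrom, ValidTo)
	Revokes            int       // ID of the grant this record revokes; 0 for a grant
}

// Ledger is an in-memory, append-only stand-in for the blockchain state plus the access trace.
type Ledger struct {
	consents []Consent
	trace    []string
}

// Grant appends a consent ("Create"); the validity window is the only access modality.
func (l *Ledger) Grant(owner, grantee, dataType string, r Right, from, to time.Time) (int, error) {
	if !to.After(from) {
		return 0, errors.New("validity window must end after it starts")
	}
	id := len(l.consents) + 1
	l.consents = append(l.consents, Consent{ID: id, Owner: owner, Grantee: grantee,
		DataType: dataType, Right: r, ValidFrom: from, ValidTo: to})
	return id, nil
}

// Revoke ("Remove") never deletes: it appends a revocation record, and only the owner may do so.
func (l *Ledger) Revoke(owner string, id int) error {
	if id < 1 || id > len(l.consents) || l.consents[id-1].Revokes != 0 {
		return fmt.Errorf("consent %d not found", id)
	}
	if l.consents[id-1].Owner != owner {
		return fmt.Errorf("only the data owner may revoke consent %d", id)
	}
	l.consents = append(l.consents, Consent{ID: len(l.consents) + 1, Owner: owner, Revokes: id})
	return nil
}

// Check is the question the data server puts to the consent server ("Use"): may grantee
// exercise right r on dataType at time at? Every decision, allowed or not, goes to the trace.
func (l *Ledger) Check(grantee, dataType string, r Right, at time.Time) bool {
	revoked := map[int]bool{}
	for _, c := range l.consents {
		if c.Revokes != 0 {
			revoked[c.Revokes] = true
		}
	}
	allowed, why := false, "no matching consent"
	for _, c := range l.consents {
		if c.Revokes != 0 || c.Grantee != grantee || c.DataType != dataType || c.Right != r {
			continue
		}
		switch {
		case revoked[c.ID]:
			why = fmt.Sprintf("consent %d revoked", c.ID)
		case at.Before(c.ValidFrom) || !at.Before(c.ValidTo):
			why = fmt.Sprintf("consent %d outside validity window", c.ID)
		default:
			allowed, why = true, fmt.Sprintf("consent %d", c.ID)
		}
		if allowed {
			break
		}
	}
	l.trace = append(l.trace, fmt.Sprintf("%s %s %s/%s allowed=%t (%s)",
		at.Format(time.RFC3339), grantee, dataType, r, allowed, why))
	return allowed
}

// Records and Trace expose both logs (consents and accesses) for third-party audit.
func (l *Ledger) Records() []Consent { return append([]Consent(nil), l.consents...) }
func (l *Ledger) Trace() []string    { return append([]string(nil), l.trace...) }

func main() {
	var l Ledger // constructed sample data: one patient, one doctor, a one-month window
	jan := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	id, _ := l.Grant("patient-42", "dr-lee", "heart_rate", Read, jan, jan.AddDate(0, 1, 0))
	l.Check("dr-lee", "heart_rate", Read, jan.AddDate(0, 0, 14)) // allowed
	l.Check("dr-lee", "steps", Read, jan.AddDate(0, 0, 14))      // denied: never granted
	fmt.Println(l.Revoke("patient-42", id), l.Check("dr-lee", "heart_rate", Read, jan.AddDate(0, 0, 14)))
	fmt.Println(l.Trace())
}
```

Running main prints `<nil> false` followed by the three traced decisions. The design point is that the only way to change a decision is to append a record: a third party auditing the ledger can replay the records in order and reach the same decision for any past access, which is what makes the consent history verifiable rather than merely stored.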
Thus, a smart solution has been developed and demonstrated for patients' consent management.
This solution brings strong governance: privacy is protected, and so is fine granularity, with a precise level of control over data access (selection of the data concerned, definition of access modalities).
Finally, full traceability is made possible by logging the actions performed: consent recording as well as access to the data themselves, all timestamped.
To summarize, an innovative solution for consent management has been developed, which could also open new possibilities for deriving value from data. This work, which can be applied to a number of domains other than eHealth (for example IoT), allows Orange customers to keep control of their data and protect their privacy, using innovative technologies.
With your help we can go further
This solution is currently implemented with Hyperledger V1, promoted by the Linux Foundation, and takes advantage of external tooling such as the Hyperledger Composer REST Server to generate RESTful web services automatically. Note that Hyperledger Composer has since been deprecated, so a new deployment would need to expose the chaincode through another API layer (for example the Fabric SDKs).
Last but not least, a remaining challenge is to check with actors of the health domain (or of any other domain or use case in which this solution is considered) whether a sufficient number of actors can be found who agree to be part of such a consortium.
Independently of that, the demonstrator is evolving within the Serene_IoT Penta European project and the Multipass agricultural data sharing project, where it will be implemented.
The strict security and, above all, privacy regulations that apply to the health data sector require careful handling of personal medical data. Patients' empowerment through better personal data governance is also a critical feature to help them manage their pathology.
Our research work shows that Blockchain is a good candidate for a smart and reliable solution that tackles these key issues in an innovative way.