Healthcare data is different from other personal data.
We think that patients should control who has access to their healthcare data; that patients should be able to do so in a granular manner; that they should be able to revoke access at any time; and that they should have a detailed log of all access.
However, this is not what most governments, professional healthcare organisations, healthcare technology and pharmaceutical companies, university researchers or healthcare administrators believe. Collectively, these are the groups which have traditionally had by far the greatest influence both on the legislation governing access to health records and on what actually happens in practice.
WISH is not a full medical record, but it will hold detailed information - a profile - about several aspects of the user's health, including their management of chronic conditions.
This is where treating healthcare data differently from other personal data becomes important.
The reality is that there is a market for individualised data profiles, and that market has built some of the world's greatest fortunes. Personal health data is a real El Dorado for organisations that can access it, and a potential handicap for the individuals concerned.
Data is often shared between organisations; the terms and conditions under which it is held generally permit this. Users are "informed", but are rarely - in any meaningful way - in a position to refuse the terms. Sometimes users are reassured that such data will be "anonymised".
But even "anonymised" data is not safe: with big data analytics and AI we know that joining the dots between data sets to re-identify individuals is easy, cheap, valuable, difficult to prove and often deniable. In short, irrespective of whether a legal framework exists to give patients theoretical protection, the incentive to sell such data is irresistible.
In a world where patients have "rights" but no control, the buying and selling of healthcare profiles risks impacting lives:
- a prospective employer can simply subscribe to a service, look the applicant up, and block the appointment without giving the real reason
- an insurer can perform a similar screening and refuse to sell insurance or raise premiums to unaffordable levels
- applications for mortgages or car loans can be refused by credit organisations on the basis of similar screening, again without giving the real reason
These are realistic scenarios in a world with widespread access to healthcare data. There are certainly others.
Even when the organisations concerned are more progressive and equitable, they retain the capacity to read the data (they hold the key to decrypt it), and it requires only one disgruntled employee or one security bug to expose the data of every account that they host.
This will not be possible with the approach that WISH is adopting: user data is encrypted to the public key of each authorised reader, so the service stores only ciphertext and a breach of the service exposes nothing readable. Decrypting a record requires the authorised reader's private key; if a reader exposes that key, only the records encrypted to it are compromised, not every account that WISH hosts. The reason that WISH can work like this is that we do not read user data to mine it and monetise it: instead we charge a subscription fee. We don't offer a "free" service and then sell information derived from user profiles for profit or spam users with ads.
A model which encrypts user data to the user's own key, and to the keys of the readers the user chooses to authorise, puts the user - the patient - in control.
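As an added illustration of the model described above (example code written for this page, not WISH's own code and not a description of its implementation), the following Go program, standard library only, seals a profile under a random data key and wraps that key to each authorised reader's X25519 public key using an ephemeral Diffie-Hellman exchange, HKDF-SHA256 and AES-256-GCM. The Record type, the Encrypt and Decrypt functions, the "wish-profile-kek" label and the sample profile are all constructed for the example, and the cipher choices are assumptions, not WISH's. The stored Record contains no plaintext and no private key: a reader's private key opens only the wrap made for that reader, an unlisted reader or a wrong key is refused, and successful reads are appended to the record's log.

```go
package main

// Added example, not WISH's own code: a profile sealed to each authorised reader's
// X25519 public key, Go standard library only. The service stores just the Record.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is everything the service holds: ciphertext, one wrapped data key per reader, a log. No private keys.
type Record struct {
	Ciphertext []byte
	Readers    map[string][]byte // reader id -> sender's one-time pub (32 B) || sealed data key
	Log        []string
}

// deriveKEK: X25519 with peer -> HKDF-SHA256 (RFC 5869, one block) -> AES-256 key-encryption key.
func deriveKEK(priv *ecdh.PrivateKey, peer, salt []byte) ([]byte, error) {
	var shared []byte
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err == nil {
		shared, err = priv.ECDH(pub) // an all-zero result (low-order point) is rejected here
	}
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("wish-profile-kek\x01"))
	return expand.Sum(nil), nil
}

func seal(key, pt, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, pt, aad) // nonce || ciphertext || tag
}

func open(key, ct, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, fmt.Errorf("short ciphertext")
}

// Encrypt seals the profile under a fresh data key, then wraps that key once per reader (ephemeral
// X25519 + HKDF + AES-GCM, reader's public key bound as AAD). Re-running it without a reader is revocation.
func Encrypt(profile []byte, readers map[string]*ecdh.PublicKey) (*Record, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	rec := &Record{Ciphertext: seal(dataKey, profile, nil), Readers: map[string][]byte{}}
	for id, pub := range readers {
		eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // only fails if rand.Reader does
		ephPub := eph.PublicKey().Bytes()
		kek, err := deriveKEK(eph, pub.Bytes(), ephPub)
		if err != nil {
			return nil, err
		}
		rec.Readers[id] = append(ephPub, seal(kek, dataKey, pub.Bytes())...)
		rec.Log = append(rec.Log, "grant "+id)
	}
	return rec, nil
}

// Decrypt runs on the reader's device with their private key; a wrong key or unlisted reader fails unlogged.
func Decrypt(rec *Record, id string, priv *ecdh.PrivateKey) ([]byte, error) {
	w, ok := rec.Readers[id]
	if !ok || len(w) < 32 {
		return nil, fmt.Errorf("no access for %q", id)
	}
	kek, err := deriveKEK(priv, w[:32], w[:32])
	if err != nil {
		return nil, err
	}
	dataKey, err := open(kek, w[32:], priv.PublicKey().Bytes())
	if err != nil {
		return nil, fmt.Errorf("wrong private key for %q", id)
	}
	rec.Log = append(rec.Log, "read "+id)
	return open(dataKey, rec.Ciphertext, nil) // fails on tampered ciphertext (GCM tag)
}

func main() {
	patient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	rec, _ := Encrypt([]byte(`{"condition":"asthma"}`), map[string]*ecdh.PublicKey{"patient": patient.PublicKey()}) // constructed sample
	plain, err := Decrypt(rec, "patient", patient)
	fmt.Println(string(plain), err, rec.Log)
}
```

Revocation in this model is re-encryption: run Encrypt again without the revoked reader, under a fresh data key, and that reader cannot open any later version of the record. What cryptography cannot do is recall copies the reader already decrypted, which is why the access log matters as much as the key management. Note also that the scope of a key compromise is every record wrapped to that key: a clinician authorised by many patients holds a key that must be protected accordingly.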
If patients do not have full control (not just "rights") over their data, there will be no privacy, and they stand to lose a great deal more than their dignity: they risk becoming second class citizens with no means of determining why or how, or of appeal.
Part of the reason for this project is to put the power to correct this back in the hands of individual citizens.