Experts introduce ways to maximize security, safeguard privacy, and ensure global interoperability
Evernym recently hosted a webinar on the role of self-sovereign identity (SSI) privacy in verifiable health credentials. The pandemic has helped accelerate digitization at a faster pace than previously anticipated and organizations and governments are racing to keep up with growing privacy and trust challenges. Key issues are the concept of privacy in digital ID and its implementation into infrastructure. The panel consisted of industry and thought leaders from Accenture, Lumedic, Providence Health and Services, and Evernym. Evernym EMEA Managing Director Andy Tobin moderated the event.
Evernym Chief Trust Officer Drummond Reed opened the event by providing a comprehensive overview of verifiable digital credentials. Verifiable credentials (VC) are already in use for various daily transactions, whether this is used for hotel booking, banking, and even hospitals.
Traditionally, all of these credentials were physical or digital and revolved between three parties, the issuer, the holder, and the verifier. Issuers such as hospitals or government agencies would sign digital identity attestations or issue physical credentials to the digital ID holder, who could then present the credential to a verifier such as an airport that would request proof of identity. Yet, this relationship only works if the verifier trusts the issuer of the credential.
Verifiable digital credentials replicate the physical process using cryptography. Accordingly, an issuer digitally signs a credential which is then presented to a verifier who then validates that signature to determine whether it has been tampered with or not. This step presents the biggest privacy challenge in digital ID. While traditional physical credentials would be carried safely in a wallet, their digital versions face various vulnerabilities as they are exchanged in cyberspace. This is mainly due to increased information interchange.
In contrast, digital information interchange requires three basic steps to address privacy. First, credentials need to be issued and stored in a secure digital wallet controlled by only the holder. Second, the holder must be in control of when and where to present this information. And third, safeguards must be in place to prevent the holder from being tracked.
Reed also introduced the spectrum of privacy and highlighted the difference between non-privacy preserving VCs versus privacy-preserving VCs. Key differences are that non-privacy preserving VCs would be highly traceable, do not use zero-knowledge proofs (ZKP), and make no use of privacy-preserving protocols. Privacy-preserving VCs differ in that they are only issued to privacy-preserving identifiers, use ZKP, and utilize privacy-preserving protocols. While an organizational issuer such as a university would fall on the non-privacy preserving end of this spectrum, issuers of sensitive individual health care data should usually fall on the privacy-preserving end.
Providence Health Corporate Development and Clinical Strategy Lead Eve Cunningham emphasized that privacy builds the basis of the trusting relationship between patients and providers. In the healthcare world, there are many different ways to address privacy. Some examples include HIPAA legislation and later privacy, security, and breach notification rules added to further protect patients. Challenges arise due to increased health information exchanges between health organizations that cause concerns about errors and breaches that might endanger privacy.
Another challenge is to translate and implement new changes to privacy into the digital space. Cunningham added that the key to such implementation is information infrastructure and whether it is built in a way that will be compliant with these changes. One constant challenge is to ensure the cybersecurity of such infrastructure. Organizations need to invest immense resources to ensure that only authorized persons have insights into sensitive information and also keep a digital trail of all information interactions.
Patient-centric privacy needs
Lumedic Chief Operations Officer Chris Ingrao explained that the patient health journey can be greatly improved by providing patients with the information they need. He explained that, traditionally, patient and benefits information was only passed between a payer and a healthcare provider, leaving out the patient. This was mainly due to spare patients from having the unnecessary hassle of understanding the highly complex information used in the healthcare process.
Thus, as these matters were exclusively discussed between providers and payers, patients were left mainly in the dark and had little knowledge or choice of what type of healthcare they receive. Nowadays, the health information landscape has changed as patients are increasingly liable for their information. Thus, making this information available to individuals in a secure manner is paramount to improving the healthcare experience and alleviate privacy concerns. Having access to this information allows patients to have more control over the care they receive and how to register and schedule procedures.
Accenture Blockchain Identity and Biometrics lead Christine Leong highlighted how these requirements translate when they are scaled globally. According to Leong, the technology aspect is the easier part in global implementation. It is the concept of privacy that requires better understanding as it differs between cultures. Other key questions to consider are how much data is shared, how much is needed, and who is it shared with. And based on these considerations, levels of trust and privacy can be very different across the globe. The key to reaching a global level of trust in digital ID is self-sovereign identity, which requires industry and governments to deepen cooperation to ensure that individuals can enjoy the level of privacy that is right for them, regardless of where they are.
Cunningham also laid out how verifiable information looks on the provider end. As doctors and nurses move around to work at different facilities, digital information interchange can allow for their credentials to be checked more easily and reliably. The streamlining of these processes also requires the same amount of effort and resources to gain the same level of trust and privacy that patient data requires. Reed then explained how identity binding can help to attach an individual to the information in their digital wallet. Wallets would have an encrypted identifier that would make them the solely authorized party for sharing privacy-preserving VCs.