TripleBlind’s CEO and Co-Founder Riddhiman Das and SVP of Healthcare, Dr. Suraj Kapa, spoke at HIMSS last week about unlocking the full potential of healthcare data. The current barriers and challenges in data sharing processes are stifling healthcare innovation.
Outlined below are two approaches to data collaboration. The first is the current process that is not only difficult but risky for data owners and users. The second process is what the future could look like with TripleBlind implemented.
Current Burdensome Process
Step 1: The Data Request
Data processes begin with discovering which data are available. Using first party data requires proper cataloging, communication, and role-based permissioning. Without infrastructure, valuable data could be underutilized. It is even more challenging to discover available third-party datasets.
Both parties need to have infrastructure in place for discoverability. The data requester (or user) must look in the right places while the data provider (or owner) must advertise their datasets so that they can be found.
Step 2: Involvement with Legal Departments
- The proprietary nature of the datasets being shared.
- The prevalence of protected health information (PHI) and personally identifiable information (PII).
- The abundance of opportunities for misuse.
- Increased legal risk and liability.
Legal agreements take a lot of time and resources, but can only account for so much. Ultimately, trust plays a major factor in compliance.
Step 3: The Compliance Obstacle Course
Regulatory and compliance teams weigh the risks and legal implications of sharing data. Compliance teams must perform expert examination of the proposed data sharing processes in the context of the growing number of privacy regulations, including HIPAA and GDPR.
With each law and regulation imposing a different set of requirements, data sharing, especially across borders, becomes a compliance obstacle course. This adds time and cost, and may result in cancellation of or major changes to the data sharing project.
Step 4: Data Preparation
Once the legal and compliance teams have set the stage, the data must be made ready for transmission, meaning it needs to be anonymized or de-identified.
For HIPAA compliance, 18 identifiers must be removed from the data; even when the first 17 HIPAA identifiers are removed, individuals can still be re-identified.
| HIPAA identifiers 1-9 | HIPAA identifiers 10-18 |
|---|---|
| 1. Name | 10. Account Number |
| 2. Address | 11. Certificate or License Number |
| 3. Significant Dates | 12. Vehicle Identifiers |
| 4. Phone Numbers | 13. Device Identifiers |
| 5. Fax Numbers | 14. Web URL |
| 6. Email Address | 15. IP Address |
| 7. Social Security Number | 16. Finger or Voice Print |
| 8. Medical Record Number | 17. Photographic Images |
| 9. Health Plan Beneficiary Number | 18. Other Characteristics that Could Uniquely Identify an Individual |
However, genomic and image data are very difficult to de-identify because they are so specific to an individual, and few organizations have the resources to do it. If not done properly, de-identification increases risk and liability.
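The residual re-identification risk described above can be measured before a dataset leaves the building. The following added example (not from the original post and not TripleBlind's code) strips direct identifiers from constructed records, then counts how many records share each combination of the attributes that remain; the field names and the choice of quasi-identifiers are assumptions.

```python
from collections import Counter

# Constructed sample records; every field name and value is made up for this example.
RECORDS = [
    {"name": "Pat A", "ssn": "000-00-0001", "mrn": "M-1", "zip": "64105", "birth_date": "1984-03-02", "sex": "F", "dx": "asthma"},
    {"name": "Pat B", "ssn": "000-00-0002", "mrn": "M-2", "zip": "64108", "birth_date": "1984-11-20", "sex": "F", "dx": "diabetes"},
    {"name": "Pat C", "ssn": "000-00-0003", "mrn": "M-3", "zip": "64111", "birth_date": "1984-07-09", "sex": "F", "dx": "asthma"},
    {"name": "Pat D", "ssn": "000-00-0004", "mrn": "M-4", "zip": "64106", "birth_date": "1951-01-15", "sex": "M", "dx": "cardiomyopathy"},
    {"name": "Pat E", "ssn": "000-00-0005", "mrn": "M-5", "zip": "64112", "birth_date": "1990-05-30", "sex": "M", "dx": "fracture"},
    {"name": "Pat F", "ssn": "000-00-0006", "mrn": "M-6", "zip": "64110", "birth_date": "1990-09-12", "sex": "M", "dx": "migraine"},
]

DIRECT_IDENTIFIERS = {"name", "ssn", "mrn"}         # dropped outright
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")   # kept, but generalized (assumed set)


def deidentify(record):
    """Drop direct identifiers; coarsen ZIP to 3 digits and birth date to year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = out.pop("zip")[:3]
    out["birth_year"] = out.pop("birth_date")[:4]
    return out


def class_sizes(rows, quasi=QUASI_IDENTIFIERS):
    """Count records per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(class_sizes(rows, quasi).values())


def singled_out(rows, quasi=QUASI_IDENTIFIERS):
    """Records that are the only member of their quasi-identifier group."""
    sizes = class_sizes(rows, quasi)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi)] == 1]


if __name__ == "__main__":
    rows = [deidentify(r) for r in RECORDS]
    print("k =", k_anonymity(rows))
    for r in singled_out(rows):
        print("unique on quasi-identifiers:", r)
```

A result of k = 1 means at least one de-identified record is still unique on the retained attributes, so anyone holding an outside list with the same attributes could link it back to a person.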
Step 5: Encryption and Transmission
The data provider encrypts the data and sends it along with a key. Most organizations have encryption-in-motion processes, which allow for information to be sent securely to their counterparties. But, if the key is compromised, so is the dataset.
Not to mention, large datasets are difficult to transmit because doing so:
- Requires a fast and reliable connection.
- Relies on the data user or recipient to have sufficient storage capacity for the data.
- Increases risk and liability with the generation of a decryption key – reducing the number of eligible data sharing partners as well.
Plus, genomics data or image datasets can easily contain terabytes worth of information.
Step 6: Decrypt and Use
The final step is the most concerning one. Once a data user has received the encrypted dataset and key, they begin to use the data. At this point, the data provider has no control over how the data can be used.
There’s no way to monitor how the data is being used, or to account for trusted-but-curious parties. The data provider has to trust that the counterparty will adhere to the BAA. On top of that, this whole process creates a copy of the data, which the data user is now responsible for safeguarding as well. This adds liability to both parties and does not enforce any permissions.
All in all, this requires high degrees of trust in people and processes.
The TripleBlind Process – Unlocking Data Value
TripleBlind has created the most complete and scalable solution for privacy enhancing computation. TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technologies, by adding true scalability and faster processing, with support for all data and algorithm types. We support all cloud platforms and unlock the intellectual property value of data, while preserving privacy and enforcing compliance with HIPAA and GDPR.
With TripleBlind, the process can be as simple as this:
Step 1: Create an Agreement
Data owners can create a simplified agreement with built-in compliance protections.
Step 2: Set Permissions
Data owners can manage what can and can’t be done with the data. Once that agreement is set, it’s guaranteed that those approved operations are the only ones that can be run on the data.
Step 3: Share and Use (over and over)
Once the agreement and permissions are set up, the data can be shared and used at any time, even more than once. TripleBlind ensures raw data is never exposed, reducing risk, cost and effort without restricting utility.
This process lowers IT costs, provides an audit trail, de-identifies data with HIPAA/GDPR compliance, and prevents data from being decrypted, and it’s done in real time with pre-approvals.
With TripleBlind, we bring data owners and users together. What was once a hassle due to regulations, risk, and competitive pressures can now be the next big step in innovative and efficient data and analytics ecosystems.
Organizations can build new AI models and create specialized products and insights including: clinical trial early indication, remote diagnostic delivery, and x-ray AI models. Plus, they can deploy AI models and other algorithms for use by others without exposing IP.
Overall, TripleBlind will digitize medical data to enable scalable healthcare discovery and delivery (and not at the expense of privacy). Hopefully, future digital healthcare data networks will be non-hardware dependent, facilitate secure and trustworthy multiparty interactions, and ensure individual and institutional privacy.