HIMSS20: Improving smart contract security in the healthcare supply chain
Healthcare organizations should enter into smart contracts with their eyes open and take steps to ensure the mitigation of risk.
From a technological standpoint, supply chain data and processes are undergoing an evolution. They are making the transition from enterprise and manufacturing resource planning systems to the cloud.
Smart contracts, which have received a lot of renewed focus due to their integration into specific blockchain technologies, provide vehicles for organizations to augment their existing data exchange while utilizing it to provide even more business value.
But in a digital HIMSS20 session, Mitchell Parker, Chief Information Security Officer for Indiana University Health, cautioned that healthcare organizations should enter into smart contracts with their eyes wide open, and take steps to ensure the mitigation of risk and the integrity of their data.
Currently, supply chains depend heavily on electronic data exchange, or EDI, to automate and run their businesses. What smart contracts do is encompass both the data and the workflow in a viable, integrable manner that supply chains are now beginning to leverage.
"This is an evolution, not a revolution," Parker said.
With EDI workflows there's a lot of variability in the data, because they don't provide for the automation of workflow data itself – and they don't address security or process concerns. The move toward smart contracts stems from the need to evaluate the entire process, not just the data.
The shifts in the data and contracting realms are happening simultaneously, moving from traditional legal practices to automation and self-service. This shift can trace its roots to the 21st Century Cures Act final rule, which placed a lot of workload on legal teams. With EDI, there's a lack of automated enforceability.
"Our current contracts, due to the lack of resources, are a leap of faith," said Parker. "And that's not a place we want to be in."
The 21st Century Cures Act final rule prompted a move from EDI to an application programming interface, or API-based, mode of communication. That means customizations have to be rebuilt every time an organization upgrades. Because such customizations amount to hacks on the system, they don't really allow for effective patch management, and upgrades can break them.
That means healthcare organizations keep old systems around to maintain business functionality, which in turn increases the risk of ransomware or other kinds of attacks. Electronic health records systems also tend to resist customizations.
EDI, the means by which organizations interchange data, is characterized by manual processes that often come with significant customization to determine whether contracts are being performed effectively. Now, instead of just data, organizations are being asked to prove data-flow integrity from source to destination, which has led to decreased security and a dependence on legacy systems that can't be touched.
"There's no provenance or auditability with these hacks," said Parker. "There's no way to comply with regulations, and there's an increased risk from having to operate these systems. This leads to significantly increased risk."
Smart contracts – commonly known as "contracts as code" – feature intelligent programmable workflows, and can be legally binding, since blockchain qualifies as an electronic record-keeping system.
Under this framework, automated EDI and contracting transactions act as a hybrid of master agreements and smart contracts. They allow organizations to do as much as possible electronically, and also perform better analyses on the data that needs to be improved.
"This is an evolution of technology," said Parker.
The risks of EDI are tied to its running on old, outdated software that opens itself up to ransomware attacks. With mobile and 5G technology making the communications picture more complex, there's a need to improve security to reduce the potential for legacy systems to be attacked by hackers. Vendors offering blockchain-based smart-contract solutions for EDI include Oracle, SAP, IBM Hyperledger and Salesforce.
The benefit of blockchain-enabled technologies is that the data is decoupled from the source systems. Such systems often use triggers to execute contracts and the code contained within them.
The key to successfully implementing this model, said Parker, is to interview not one but many potential business partners, and to obtain a security risk assessment of those firms from a business partner skilled in ERP. Organizations should develop a plan to remediate any issues that arise, and also develop a plan to comply with NIST requirements for ID management.
Contracts, said Parker, need a master agreement covering usage terms and conditions, and that contract language must provide for testing to ensure the intended behaviors.
Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com