Year after year, patients fret about what clinicians are secretly doing with their medical data, while researchers strain to find data to support their experiments, and everybody complains about how hard it is to exchange data with a new doctor. I was talking recently to a UK-based software startup whose approach to identity management and data sharing may appeal to all these stakeholders. Currently, the service is in testing at the University of Cambridge and other British universities, which need to monitor identities in order to control access to various facilities.
Octopus.sh combines a number of familiar technologies in identity management, but creates an unusual distributed data repository from them. Each person or organization can set up one or more repositories for their data, called a vault by Octopus.sh. To share the data, the owner creates an intermediate repository called a dead drop location and loads selected items into it. The recipient also sets up a dead drop location.
Another important technical piece of the architecture is an access control token (ACT) that works like the certificates exchanged in identity services such as Active Directory and Kerberos–but critically, there is no third-party hub in charge of validation. Each ACT is encrypted and ensures that it represents the valid owner or recipient through an embedded signature. The owner generates an ACT and places it in the dead drop location provided by the recipient; the recipient does the reverse for the owner. Once they accept each other’s ACTs, data can be exchanged.
The encryption and digital signatures make sure that no one else can see the data there–or even find out the existence of a connection between the owner and recipient.
The co-founders of Octopus.sh, CEO Thomas Behe and CTO Neil Stansbury, are interested in entering the health care field, and one can see why the service could be valuable there. The architecture keeps patient data on a computer system under the control of the patient–a cell phone, a health bracelet, or an account in the cloud. Some five years ago, specialized services such as Google Health and Microsoft HealthVault tried to persuade individuals to store health data with them, but newer services such as Octopus.sh are likely to isolate data and keep it with the owner.
Digital signatures not only preserve security and privacy, but can be used for controls over data use. For instance, a pharmacy can automatically check that a doctor signed a prescription before filling it. Stansbury, inspired by his work in the airline industry and its “chain of custody” concept, suggests that signatures and data transfers in the Octopus.sh style be used to track controlled substances (as explained in a video).
Octopus.sh uses standard formats such as JSON for storage, and defines schemas based on the cooperative, community-maintained Schema.org ontologies. Thus, medical institutions can convert their multitudinous schemas and EHR formats into the Octopus.sh storage formats.
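As an added example, not code from Octopus.sh or from this article, here is a small Go model of the exchange described above: each party signs an ACT naming its counterpart, leaves it in the counterpart's dead drop location, and the counterpart accepts it on the strength of the embedded signature alone, with no hub consulted. The same signing routine then serves the prescription case mentioned above: a doctor signs a Schema.org-flavoured JSON record and a pharmacy checks that signature before filling it, rejecting an altered copy. The party names, the map-backed dead drop, the token fields, the choice of ed25519 and the @type value "Drug" are assumptions of this example; the payload here is signed but, unlike in the real service, not encrypted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Party is one participant; names, the map-backed dead drop and the JSON layout are assumptions of this example.
type Party struct {
	Name     string
	signKey  ed25519.PrivateKey           // identity key: signs ACTs and shared documents
	DeadDrop map[string][]byte            // dead drop location: items counterparts leave for this party
	peers    map[string]ed25519.PublicKey // signing keys taken from ACTs this party has accepted
}

func NewParty(name string) *Party {
	_, sk, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does; treated as unrecoverable here
	return &Party{name, sk, map[string][]byte{}, map[string]ed25519.PublicKey{}}
}

// Sign drops any old "sig", signs the canonical JSON of the rest (json.Marshal sorts map keys) and attaches the signature.
func (p *Party) Sign(doc map[string]any) []byte {
	delete(doc, "sig")
	body, _ := json.Marshal(doc)
	doc["sig"] = base64.StdEncoding.EncodeToString(ed25519.Sign(p.signKey, body))
	out, _ := json.Marshal(doc)
	return out
}

// Verify parses a signed document and checks "sig" against pub (must be PublicKeySize bytes); tampered or unsigned input fails.
func Verify(pub ed25519.PublicKey, raw []byte) (map[string]any, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	s, _ := doc["sig"].(string)
	sig, _ := base64.StdEncoding.DecodeString(s) // a missing or malformed sig simply fails verification below
	delete(doc, "sig")
	body, _ := json.Marshal(doc)
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not verify")
	}
	return doc, nil
}

// IssueACT signs a token naming the counterpart and leaves it in the counterpart's dead drop.
func (p *Party) IssueACT(to *Party) {
	to.DeadDrop["act:"+p.Name] = p.Sign(map[string]any{
		"issuer": p.Name, "audience": to.Name,
		"signPub": base64.StdEncoding.EncodeToString(p.signKey.Public().(ed25519.PublicKey)),
	})
}

// AcceptACT validates a token in our dead drop: the key it carries must verify it, and it must name the issuer and us.
func (p *Party) AcceptACT(issuer string) error {
	raw, ok := p.DeadDrop["act:"+issuer]
	if !ok {
		return errors.New("no ACT from " + issuer)
	}
	var t map[string]any
	json.Unmarshal(raw, &t) // on malformed JSON t stays nil and the key-length check below fails
	s, _ := t["signPub"].(string)
	pub, _ := base64.StdEncoding.DecodeString(s)
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad signing key in ACT")
	}
	doc, err := Verify(pub, raw)
	if err != nil {
		return err
	}
	if doc["issuer"] != issuer || doc["audience"] != p.Name {
		return errors.New("ACT not addressed to us")
	}
	p.peers[issuer] = pub // no third-party hub: the accepted token itself binds this name to this key
	return nil
}

// Demo: mutual ACTs between patient and doctor, a one-way ACT to the pharmacy, then a signed Schema.org-style record.
func Demo() (drug string, genuineOK, tamperedOK bool, err error) {
	patient, doctor, pharmacy := NewParty("patient"), NewParty("dr-smith"), NewParty("pharmacy")
	patient.IssueACT(doctor)
	doctor.IssueACT(patient)
	doctor.IssueACT(pharmacy)
	if err = errors.Join(patient.AcceptACT("dr-smith"), doctor.AcceptACT("patient"), pharmacy.AcceptACT("dr-smith")); err != nil {
		return
	}
	rx := doctor.Sign(map[string]any{"@context": "https://schema.org", "@type": "Drug", // @type is an illustrative choice
		"name": "amoxicillin", "patient": "patient", "prescribedBy": "dr-smith"})
	patient.DeadDrop["rx-0001"] = rx // the doctor leaves the signed record where the patient can take it
	// The pharmacy fills only what the key from the doctor's accepted ACT signed; an altered copy fails.
	got, e1 := Verify(pharmacy.peers["dr-smith"], rx)
	_, e2 := Verify(pharmacy.peers["dr-smith"], bytes.Replace(rx, []byte(`"amoxicillin"`), []byte(`"ibuprofen"`), 1))
	drug, _ = got["name"].(string)
	return drug, e1 == nil, e2 == nil, nil
}

func main() { fmt.Println(Demo()) }
```

Two points worth noticing in the model. The audience check is what stops a token issued for one recipient being copied into another party's dead drop and accepted there. And accepting an ACT binds a name to whichever key signed the token, a trust-on-first-use step: a token that is self-consistent proves possession of a key, not that the key belongs to the person it claims, so the out-of-band identity checks the article mentions (the universities' own onboarding, biometrics) are what must back the first acceptance.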
Thanks to metadata stored in the system, Octopus.sh can query across multiple vaults. This can be valuable for researchers: given permission by owners, they can run analytics across thousands of vaults.
Let’s see how the Octopus.sh designers intend to handle two common desired features of health care data:
- Data segmentation: This is the term commonly used when a patient withholds data–for instance, not telling the orthopedist who sets your broken arm that you have an alcohol problem. Octopus.sh makes this easy. You just choose which data to put in your dead drop location for the recipient to take.
Segmentation is complex and controversial. I go over the pros and cons in another article (half-way down). The skinny is that withholding data can be bad for your care, and may not work anyway. However, we have always withheld data from our providers intuitively. Let me ask: do you tell your doctor how much pot, alcohol, bacon, or candy you really consume? Data segmentation is a fact of life, and digital systems might as well facilitate it.
- Revocation and deletion: Octopus.sh provides a feature for you to ask the recipient to delete the information they have on you. They are not required to comply. In fact, all parties participating in a dead drop location must agree to deletion before the data is removed.
It might seem like stricter systems that keep all the data on the client side are superior to Octopus.sh: in theory, such systems let the owner just shut off access. But that’s not a good idea. First, once you give a recipient access, they can find a way to copy what they want, so shutting off access gives you a false sense of security. Second, the recipient must often keep hold of the data in case of a lawsuit or to prove compliance with regulations. So revocation should be a request, not a requirement.
Unlike many data sharing services–such as BurstIQ, which I recently covered on this site–Octopus.sh does not use blockchain. I expect that the combination of vault and dead drop location will scale better, because potentially thousands of users can add data simultaneously without having to line up to get access to the blockchain, and because each user holds only the data they are responsible for rather than the whole blockchain.
Octopus.sh also provides features commonly required in storage systems, such as audit trails and backup keys. Thus, it can be adapted for use in regulated environments, which health care is known for. There are also some intriguing biometrics available for verifying identity. I’d like to come back in six months and see how Octopus.sh is carrying out its promising technology.
This article is part of the #HealthIT100in100