Accelerating China's Digital Agenda Implementation in Health: Part3-B
Dimitrios Kalogeropoulos, PhD
CEO Global Health & Digital Innovation Foundation | UCL GBSH Health Exec in Residence | EU AI Office GPAI CoP | PhD AI in Medicine | IEEE Global Policy Caucus | Chair, IEEE GenAI Climate-Health Program | Speaker
Background
This is the continuation of part three of a policy summary on the Acceleration of China’s Digital Agenda Implementation in Health. The six parts together include (1) a detailed meta-policy framework for ecosystem trust (policy) design and implementation, (2) a number of case studies illustrating the approach, and (3) an agile governance framework for guidance in policy design and implementation and for establishing means and capacity for grassroots innovation and people-centred system change in health.
The motivation for this policy summary came along with China’s digital development and innovation agenda 2021 - 2025 (hereinafter PRC-DA), which was issued on the 28th of December 2021 by the Central Commission for Cybersecurity and Informatization under the 14th Five-Year Plan (1). In this domain-agnostic and complex agenda China embraces de-monopolisation and anti-trust policy, distributed identity management on blockchain, the development of an open ecosystem to foster connected and collaborative innovation through data sharing, a development strategy driven by innovation markets, and flexible governance to safeguard an ethical acceleration of digital development for common prosperity.
To this end China emphasises the crucial role of data as a new production factor together with the need to establish and perfect data factor resource systems with data resource exploitation and use, with sharing and recycling, the role of effective digital governance and the need to build up the country’s innovation support capabilities, specifically addressing in the agenda both market innovation and structural or sustaining innovation capacity building.
The acceleration of this PRC-DA thus sets a comprehensive and concise benchmark and paradigm against which to further elaborate on a meta-policy for directionality design and implementation, and on associated toolboxes, specifically addressing: (1) Catalyst-driven and focused digital acceleration, (2) Capitalisation on digital development markets through supporting innovation with an ethical and functioning data ecosystem, (3) Governance for connected innovation together with legislative, regulatory and infrastructural facilitation along identified critical challenge quadrants, and (4) expansion of the country’s digital economy share and influence, ultimately strengthening its digital and data diplomacy.
The second Part introduced key concepts and provided analysis of different policy layers indicating their use to guide PRC-DA implementation and directionality designs within each layer and across. This continued part three thus goes into further detail on the approach to maintaining directionality in this synthetic design space, weaving together different policy layers into the technology policy layer in order to set the context for the agile development framework approach which follows as Part four of the policy summary.
On this note, I hope those brave enough to engage shall enjoy reading this policy summary and very much look forward to your feedback and support to further develop, publish, disseminate and deploy this policy framework in the context of global challenges programmes, toward strengthening Universal Health Coverage (UHC) and promoting the 2018 World Health Assembly resolution on digital health, in the context of the health and health-related UN 2030 Agenda for Sustainable Development, and in the context of the application of a Human Rights Based Approach (HRBA) to the use of technology as the means for promoting equitable, affordable and universal access to health for all, focusing on gender equity and on persons and groups living in vulnerable and marginalized situations - particularly those groups that are vulnerable in the context of digital health and those accessing transitioning health systems under challenging geospatial conditions.
Part-3. Trust-by-design (Continued)
Data ethics
Assessing the ethical deployment of Digital Health Interventions (DHI) within medical decision pipelines concerns the AI, algorithmic, probabilistic or other inference capability and performance, the ethical use of data to train, test and evaluate the devices, the ethics that derive from the available data (2) and eventually the overall ability of devices to improve care and outcomes, achievements which are ultimately determined in clinical evaluations of efficacy and effectiveness (3, 4, 5).
Normative ethical frameworks extend this scope of traditional morality in the digitalisation of decisions, namely the protection of autonomy, justice, beneficence and non-maleficence, with detailed frameworks of issues which are common across domains or industries and are probably closer to the macro-ethics framework of the data ecosystem that surrounds all digital activity rather than just the safety and clinical effectiveness of medical devices. And yet, the importance of data ethics and trust in clinical data sharing, as a necessary precursor to trustworthy, trusted, reliable and meaningful secondary uses of data is hardly mentioned in such frameworks. And since no matter how well this decision support apparatus is chained together, the garbage-in-garbage-out rule applies, data ethics remains a key regulatory concern in delivering trust-by-design in DHIs.
Establishing trust-by-design in the deployment of DHI artefacts and the care models they target, be that new inference pipelines as in the case of AI or systems clinics and precision medicine, foremost requires establishing trust-by-design in the data sources and hence the data sharing ecosystems, in the regulation of health data and the performance of governance structures and models.
Ultimately ethical AI shall always depend on key principles for maintaining data interoperability within and across decision pipelines. Consider, for example, a pipeline which senses standardised, classified and coded pharmacovigilance data for cancer treatment with immune checkpoint inhibitors and immune-related adverse drug reactions. Multiple AI services can be plugged into this source of data for medical research and assisted prognosis and prevention, provided the source can inform multiple uses or pipelines in accordance with their underlying clinical contexts - in a similar manner to multiple clinical digital phenotypes, including the interpretation, as adverse reactions, of symptoms from gastrointestinal toxicity, cutaneous toxicity, and pulmonary disorders. This, however, is currently not possible. And in the process of curating data for different uses after the fact, we introduce, together with heuristics, bias and room for misrepresentation, misinterpretation and discrimination.
By refocusing the ethics discussion on AI instead of on decision support artefacts, we are essentially avoiding a vis-à-vis with the multitude of apparently insurmountable problems encountered down the decision pipeline; problems which are associated both with delivering to AI developers as well as to users organisationally and ‘biologically’ viable data in order to train algorithms, test them, remove biases, eliminate discrimination, increase transparency, provide for accountability, and infer information and knowledge from data, be that by applying heuristic rules, Bayesian classification networks or other inference methods and techniques.
Thus the first of the principles which must be introduced into an EGF and corresponding regulation for data would be to extend the useful life of data from in-vitro to in-vivo validity by enforcing the requirement for the use of formal and standardised models for clinical data, models which ensure clinical context is maintained throughout the useful life of any specific data or digital asset.
Until now, data privacy protection regulation has been the sole enabler of trust. Evidently this is not enough. In the context of the GDPR for example, this relates to the accuracy of data, which with current policy limitations (6) is not adequately served, particularly posterior to the anonymization process which leaves clinical data open to any misuse with regard to validity and clinical cohesiveness. As the amount, type, and use of data expand, data privacy and security regulations are also expanding. However, considerations for the ethical use of large patient datasets are much broader than privacy and security. In addition to strict policies and procedures on privacy and security, evolving broader data ethics frameworks is becoming equally important (7).
Such an extended framework is a proposed part of this policy note to include data technology policies, best practices and standards. Furthermore, agile governance is proposed as the approach for the delivery of trust in data within an efficient life-cycle and self-sovereign identities on blockchain as the means.
Identity
Identity is a very wide concept in trustworthy and trusted DHI as in addition to regulating access, privacy and security policy it also regulates the data capture process and hence affects the legitimacy, legality, quality and reliability and ultimately engagement and data inclusiveness. Furthermore, identity as an existence concept relates to a number of situations and properties associated with a given person and therefore poses significant data modelling challenges. The resulting complex space is best approached through the 10 Principles of the Self-Sovereign Identity (SSI) as listed below (8). These principles are delivered by means of an array of technological standards, including decentralised identifiers, verifiable credentials, decentralised key management systems, decentralised identifier authentication, knowledge graphs and blockchain. The core idea behind SSI is that there are no middlemen of trust.
Existence
Users must have an independent existence. This means a user must be able to exist in the digital world, without the need for a third party. Existence as a principle in SSI extends beyond the identification of the person and into the existence of an entire data space [*]. For instance, my identity includes my health matters and the habits defined by those, including new reality lifestyles (9). To reflect the entire existence domain some modelling approach is required such as for example graph-based identity fabrics which are used to instantiate identity in the context of personal and collective existences as data spaces (10). This concept corresponds to the mandates management layer which cuts across the entire ISO13940 data model so that specific data space instances are regulated on the basis of an identity fabric, which is the part of the data model connected to responsibility in care.
On the basis of the above, a self-sovereign identity aims to make public and accessible some limited aspects of existence with consent and respect for privacy and security.
---
[*] See for example graph-based identity fabrics used to instantiate identity in the context of personal and collective existences as data spaces (11). This concept is synonymous to the mandates management concept built into ISO13940 according to which specific data space instances are regulated on the basis of an identity fabric (part of the data model connected to responsibility in care (12)).
Control
Users must control their identities and the parts of their existence they share on the basis of a pursued goal. For instance, purchasing a new life policy requires sharing parts of the identity which relate to the particular insurance policy premium. Furthermore, sharing is permitted subject to well-understood and secure algorithms that ensure the continued validity of an identity and its claims, the user being the ultimate agent and authority on their identity. They should always be able to refer to it, update it, or even hide it. They must be able to choose celebrity or privacy as they prefer. This doesn’t mean that a user controls all of the claims on their identity: other users may make claims about a user, but they should not be central to the identity itself. Finally, albeit closely interrelated, identity data control and ownership are separate entities. For instance, a driving license is part of my identity but ownership is not. Data ownership is moreover somehow regulated by means of data sharing regulation such as the GDPR, the HIPAA and equivalent frameworks.
Access
Users must have direct access to their own data, meaning they must be able to access their data and any associated claims without the interference of gatekeepers or intermediaries. This does not necessarily mean that the user has the authority to change all aspects and claims associated with their identity; however, it does mean that a user should be able to access (and control) records that indicate any changes associated with their identity (see existence). In order to protect the sovereignty of other users, an individual should only be granted access to their own identity and under no circumstances to the identities of others. The control and protection of privacy are thus imperative for the SSI paradigm and its principles.
Transparency
Algorithms and infrastructures must be transparent. Together with the previous principle transparency ensures that users are able to monitor any potential mismanagement of claims, credentials or associations related to their identity. In the broader context of identity, transparency also integrates fairness and support for a balanced identity system, leading to more comprehensive protection for individuals. The systems used to administer and operate a network of identities must be open, both in how they function and in how they are managed and updated. The algorithms deployed for this purpose must be free, open-source, well-known, and as independent as possible of any particular architecture.
Persistence
Persistence is the single most important element of SSI and the core of the ability to reflect complex existence spaces within an able and effective control and protection environment. Persistence means identities and their semantics have a long life. In tandem with the other principles persistence means identities are long-lived at the direction and discretion of the user. This implies control over the validity and semantics and life of identities which have been shared with third parties in relation to anonymised data. Persistence also means that individuals can maintain their identities despite rotating multiple private keys (multiple wallets or identifiers within a blockchain) or changing data. Following the definition of identity in the context of existence, persistence is not exclusive to individuals but extends to the whole web of intricate relationships, and also to institutions, organisations and collective entities which are subject to having their identities at the discretion of other entities. The way in which identities are modelled together with their interrelationships and semantics in the context of the above shall have an impact on how long they last in terms of being accurate and valid and thus usable within synthetic identity spaces.
Finally, persistence should not contradict the “right to be forgotten” (13). Users should be able to dispose of an identity at will and claims should be modified or removed as appropriate over time. To enable this requires an explicit separation between an identity and its claims.
Portability
Transportable identities ensure that users remain in control of their identity under any circumstance and that furthermore they can improve an identity’s persistence over time. Portability may have complex implications with regard to current and future implementations of SSI as it extends as a principle across the spectrum of considerations, including technology and platforms, jurisdiction and intermediaries, semantics and persistence.
Interoperability
Interoperability means identities can be deployed for any use and to participate in any process across any boundary, institutional, jurisdictional, semantic or other, without necessitating any intervention. Interoperability is thus a primordial requirement driving persistence and portability. Interoperability essentially means that all existences can be made automatically portable across different identities. Although knowledge graphs can be deployed for this purpose and in order to deploy synthetic data modelling in the form of identity fabrics, due to the semantic complexity characterising the domain, standard terminologies are necessary to reflect the entire spectrum of existence with regard to interoperability.
Consent
The user must consent to the use of their identity, including the extent, purpose and duration of use. In decentralised self-sovereign identity systems consent must be inextricably interwoven with all entities and in all processes, and made persistent and portable. This explicitly implies consent is granular and concerns each and every part of the existence associated with the identity thus affecting the control the user exerts over their digital existence, including its privacy.
Minimisation
Minimisation means data sharing or disclosure must be limited to the scope directly relevant and necessary to accomplish a specific purpose. Minimisation is nonetheless a regulatory principle that must be adhered to when data are made available for secondary uses and once the owner has given consent for its capture for a specific primary use. Thus minimisation states that a minimal exposure to privacy protection risk should be permitted on the basis of specific policies governing use for various purposes including scientific research and use in the case of substantial public interest (14). Otherwise, the principle of the user’s explicit control over all uses applies (see also data governance below).
Protection
To be compliant with all the other principles listed above, SSI protection needs to be managed in a decentralised manner. In blockchain networks censorship-resistance, or immutability, is achieved by means of distributing completed transactions to all nodes within the network, making censorship or mutation extremely difficult, but not impossible. An algorithm is said to be censorship resistant if any node can send any operation to the network without being vetoed by another node. Censorship attacks can and have taken place, better known as 51% attacks exploiting vulnerabilities which are later addressed (15). In general a major deterrent is the cost of these intrusions, however if and when they do happen major disruptions can be caused to the network operation (16).
To ensure user protection censorship-resistant algorithms are developed to authenticate user identities, with the aim to also balance transparency, fairness and user support within the network. Picking a consensus algorithm and governance model for managing and implementing changes to a blockchain is therefore important for maintaining the integrity of the network while protecting the original aim to offer a fair, transparent and supportive system for decentralisation. In this context, lack of any censorship means malicious parties can and will inevitably spam a community with false, offensive, or harmful content, effectively robbing good-faith users of the use of the system and eroding trust for all (17).
Ecosystem ethics
Ultimately an innovation ecosystem built on the principle of trust-by-design shall support the data needs of any agent, human or artificial, and furthermore enable through a self-sovereign identity fabric, connectivity between these agents and toward a seamless care environment [*]. In this metaverse version, the digital health innovation ecosystem shall provide sustaining innovation and macro-ethics through the following mechanisms (18).
---
[*] CONTSYS definition - Seamless care builds on the previous two levels of longitudinal or integrated care (continuity-of-care and shared care) with the addition of a quality principle which focuses on the timely and appropriate transfer of activity and information, when responsibility for the delivery of health care services is wholly or partly transferred from a health care provider to another. With seamless care digital health systems enable the systematic transfer of responsibility for care, from one provider to another, based on specific objectives to achieve a healthcare goal or ultimate objective. Programmes of care and care plans, such as for example indicated by clinical guidelines, are an integral part of seamless care. Examples of seamless care are setting the goal as part of a care plan to increase the control of the systolic and diastolic pressure in a hypertension programme, or pursuing the ultimate objective of a programme of care to increase the survival of a patient with the breast cancer in a breast cancer screening programme. In addition to the automated referral (mandate propagation) mechanisms implemented as part of shared care, in this case scheduling and information sharing are automatically enacted by digital systems which follow the instructions of a care plan or programme stored in an EHR or other data record structure.
Persistence
The global health innovation ecosystem in its metaverse form never resets, pauses or ends, it just continues indefinitely to pursue new care models that integrate healthcare with public health, with translational research and toward continuous, real-time learning health systems (19, 20). The goal is to support various levels of real-time learning health system transformation, embracing old population-based evidence-based medicine practices and new patient-focused precision practices, systems medicine (21), precision medicine or personalised medicine based practices, to deliver tailored diagnoses and treatment, spanning an entire range of capabilities, including cohort identification, positive and negative deviance, predictive care risk and outcome model algorithms and so on, all the way to dynamic, highly patient-specific disease management decision processes which rely on high-throughput data that are capable of capturing dynamic aspects of the activity of samples from patients – such as DynOmics or epigenetic factors (22).
Synchronicity
The ecosystem is a living experience which unfolds on the basis of continuity-of-care, providing a clinically consistent value-based platform for any healthcare actor to synchronously and in real-time contribute to the patient journey and specific plans and outcomes, on the basis of a continually monitored state which includes public health, primary care and prevention.
Individual presence
Presence in the ecosystem is not associated with disease or a healthcare event. It provides each user with an individual and lifelong sense of presence where everyone can be a part of the ecosystem and participate in a specific event, place or activity together, at the same time and with individual agency, thus enabling collective agency and provenance, and ultimately trust in data.
Fully functioning economy
In the health innovation ecosystem both individuals and businesses are able to create, own, invest, sell, and be rewarded for an incredibly wide range of health and health-related services that produce value which can be monetised as part of a policy on engagement and inclusiveness, thereby further promoting trust and ecosystem health and functionality. Other than the standard token driven on-boarding and monetisation policies, the blockchain can be very effective at implementing policies for the inclusive participation of providers in under-served areas and populations, with concepts such as the digital autonomous physician guild (23) or with other ad hoc arrangements, as needed for instance to support the future of surgery in rural areas (24), including the implementation of novel contracting models that cater for the needs of ad hoc units using smart contracts on blockchain.
Hybrid intelligence
The health ecosystem shall offer an experience that spans both the digital and physical worlds, private and public networks and health systems, as well as open and closed platforms.
Interoperability
The ecosystem shall offer unprecedented interoperability of data as digital assets across each of the possible experiences. Interoperable identities means interoperable systems using these identities. For example, EMR systems can be made interoperable if these systems use a decentralised SSI space on a blockchain. It is important to note that the term SSI here is used to refer to an SSI fabric, weaving together the entire identity knowledge-graph and thus linking up the data space using on-chain and off-chain mechanisms to create the digital existence of all ecosystem participants (see above on Identity).
Care integration
The ecosystem is populated by content and experiences created and operated by an incredibly wide range of contributors, some of whom are independent individuals, while others might be ad hoc or informally organized groups or commercially-focused enterprises.
Chains of trust on healthcare blockchain
In health care a chain of trust is the process which unfolds on the basis of demand-for-care mandates. Such a mandate is the referral for hospitalisation where the referring physician demands that care is provided for their patient. With each mandate, responsibility is transferred from one healthcare provider to another, together with information that is ultimately used to justify the outcome of each action, be that clinical, consequent healthcare or economic (International Standard EN ISO 13940:2015 – System of concepts to support continuity of care was published December 16, 2015 (25)). With each mandate, a signature is thus provided by each party involved, on the basis of the legal architecture of the health system and in order to formalize a commitment to certain mutually agreed goals. The record which is maintained on the care mandates issued, their execution, and their outcomes, together with the information generated in the process, is the chain of custody of evidence used for clinical decision making in the process. Chain of custody is most evident in inpatient care and is executed by means of the patient chart. To trust this evidence means to trust the chain of custody. It is important to note that provider information systems invariably termed EMRs do not and cannot capture this mandate propagation process to the level of granularity necessary and hence the lack of trust in the accuracy and overall validity of data used in longitudinal studies, AI projects and the establishment of ground truths, or in big data pragmatic trials.
Two issues thus arise with this arrangement in the digitalisation of the health sector. One is that without this level of trust data flow is obstructed. The other is that without a proper chain of custody any secondary uses of data are either not enabled at all or at best unreliable. Furthermore, this process is extremely underdeveloped and inefficient outside inpatient care and across levels of care and for this reason health systems around the world fail to embrace improved performance and clinical-economic effectiveness models. This is essentially what the EHR attempted to overcome and failed, and exactly what the blockchain paradigm now offers with much better suited policies: that is, trust in the chain of custody. Which makes blockchain technology very suitable for application in healthcare and public health [*]. This is particularly true when care models necessitate crossing ownership, jurisdictional, institutional, organisational or national borders, as is the case in patient-centred and integrated care or global clinical research in the case of a pandemic.
Blockchain can be therefore defined as a term used in health care to refer to a linked, evolving list of care mandate transactions. Adopting this definition, the list contains data about an encounter or event and a hash pointer to the previous block in the blockchain, which is the previous mandate or mandate element. The hash pointer is a cryptographic hash and the blockchain’s security backbone, as it lets users verify that the previous block of data has not been tampered with, in order to verify, upload, and secure the next transaction on the network. For this mechanism to work to the benefit of healthcare collaboration and data sharing, mandates are fine grained (such as an appendectomy) and inherit the legal status of the more generic often implicit mandates, such as the demand for care (say an emergency hospitalisation). But this is actually the desired end point. In order to safeguard the trust in this chain of custody, the blockchain functions based on the verification of a hash and digital signatures for each and every linked healthcare act (26). This also means blocks are linked together using cryptography. Each cryptographic hash of the previous block is generated using some algorithm and defines the block together with a timestamp and the transaction data as above (transaction data organised in a data structure created using a Binary hash tree or Merkle tree). The timestamp proves that the transaction data existed when the block was published in order to get into its hash and continue building the chain. In other words the timestamp tells the network (and any observer) that transactions took place in a particular sequence.
---
[*] The exact same process is reflected in the clinical domain model terminology and ontology standardised by means of the ISO13940 model for the support of continuity of care, also known as the EHR. Nonetheless, for many reasons the EHR paradigm failed to deliver this.
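The hash-pointer mechanism described in this section, as an added example that is not part of the original article: each block carries a timestamp, a Merkle root over its mandate transactions and the hash of the previous block, and the verifier reports where an altered record breaks the chain. Field names, provider identifiers and timestamps are constructed assumptions; digital signatures and consensus are left out, with `trusted_head` standing in for a head hash agreed by the network.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first block (assumed convention)


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canon(obj) -> bytes:
    # Canonical JSON so the same record always hashes to the same value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(transactions) -> str:
    """Binary hash tree over the transactions of one mandate.

    Leaves and inner nodes use different prefixes (0x00 / 0x01) so a leaf can
    never be passed off as an inner node; an unpaired node is promoted as-is.
    """
    level = [_h(b"\x00" + _canon(tx)) for tx in transactions] or [_h(b"\x00")]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            pair = bytes.fromhex(level[i]) + bytes.fromhex(level[i + 1])
            nxt.append(_h(b"\x01" + pair))
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def seal(prev_hash, timestamp, transactions):
    """Build one block: header (hash pointer, timestamp, Merkle root) plus its hash."""
    header = {"prev_hash": prev_hash, "timestamp": timestamp,
              "merkle_root": merkle_root(transactions)}
    return {"header": header, "transactions": transactions, "hash": _h(_canon(header))}


def build_chain(mandates):
    chain, prev = [], GENESIS
    for timestamp, transactions in mandates:
        chain.append(seal(prev, timestamp, transactions))
        prev = chain[-1]["hash"]
    return chain


def verify_chain(chain, trusted_head=None):
    """Return None if the chain verifies, else a description of the first fault."""
    prev, prev_ts = GENESIS, None
    for i, block in enumerate(chain):
        hdr = block["header"]
        if hdr["prev_hash"] != prev:
            return f"block {i}: broken hash pointer"
        if hdr["merkle_root"] != merkle_root(block["transactions"]):
            return f"block {i}: transaction data altered"
        if _h(_canon(hdr)) != block["hash"]:
            return f"block {i}: header altered"
        if prev_ts is not None and hdr["timestamp"] < prev_ts:
            return f"block {i}: timestamp out of sequence"
        prev, prev_ts = block["hash"], hdr["timestamp"]
    # A fully re-hashed chain is internally consistent; only a head value
    # held elsewhere (consensus, signatures) exposes it.
    if trusted_head is not None and prev != trusted_head:
        return "head does not match trusted value"
    return None


def altered_copy(chain, index, field, value, reseal_until=None):
    """Test fixture: copy of `chain` with one transaction field changed.

    reseal_until=k recomputes blocks index..k-1, modelling a rewrite of
    history rather than an in-place edit of a stored record.
    """
    forged = copy.deepcopy(chain)
    forged[index]["transactions"][0][field] = value
    for k in range(index, reseal_until if reseal_until is not None else index):
        prev = forged[k - 1]["hash"] if k else GENESIS
        forged[k] = seal(prev, forged[k]["header"]["timestamp"], forged[k]["transactions"])
    return forged


# Constructed sample: one emergency admission as three linked mandates.
SAMPLE_MANDATES = [
    (1700000000, [{"mandate": "demand-for-care", "act": "emergency hospitalisation",
                   "from": "gp-001", "to": "hospital-A"}]),
    (1700003600, [{"mandate": "procedure", "act": "appendectomy",
                   "from": "hospital-A", "to": "surgery-A"},
                  {"mandate": "procedure", "act": "anaesthesia",
                   "from": "surgery-A", "to": "anaesthetics-A"}]),
    (1700090000, [{"mandate": "discharge", "act": "follow-up in primary care",
                   "from": "hospital-A", "to": "gp-001"}]),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_MANDATES)
    print("intact:", verify_chain(chain))
    print("edited in place:", verify_chain(altered_copy(chain, 1, "act", "other")))
    print("block resealed:", verify_chain(altered_copy(chain, 1, "act", "other", 2)))
    print("tail rewritten:", verify_chain(altered_copy(chain, 1, "act", "other", 3),
                                          trusted_head=chain[-1]["hash"]))
```

The last case is why the hash chain alone is not the trust anchor: a rewritten tail passes every internal check and is caught only against a head hash the other participants already hold.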
Performance
Blockchain technology is a particular combination of component technologies which are deployed together in different ways to create different end-results or applications. And since blockchain is also open code it can be infinitely customized. While the details of implementation will vary between blockchain protocols or customisations, the core of the technology remains the decentralized digital ledger of transactions, which are verified by some form of proof which involves a cryptographic or security model and process called a consensus mechanism. Each mechanism essentially gives the blockchain its own character and needs to be censorship-resistant to guarantee the immutability of the blockchain and thus trust in the blockchain. The consensus mechanism essentially concerns the use of the network of nodes to secure the blockchain and comes with voting power and awards for participants. As a consequence of this implementation variability, resource use also varies greatly between different protocols, adding speed and scalability - transactions per second, latency and finality parameters, to the list of features that make different trust guardian models desirable - which are protection, particularly for immutability and of provenance, transparency, user support. This also gives rise to one of the core concerns in the adoption of blockchain technology in health – which is the limitation of performance.
With regard to performance vis-à-vis protection etc., the pioneering Bitcoin blockchain adopts a Proof-of-Investment approach for consensus with a protocol named Proof-of-Work, resulting in a technology deployment design which is secure but also slow and resource intensive [1,2]. Bitcoin is very hard to hack as a result of its consensus protocol, as well as its business model, and has therefore never been compromised (27). This is not the case for all networks, with exploits developed both in the network fundamentals and censorship-resistance, as well as in the use of smart contracts (28). To overcome the performance limitations of the pioneering Bitcoin, fast performers such as the better known Avalanche and Solana blockchains have been evolving the technology with each iteration. For example, Avalanche implements the same proof of investment approach and an equally pioneering protocol named Proof-of-Stake, which is reported as the fastest smart contract in the market, with a throughput of 5,000+ transactions-per-second (TPS) and transaction time of 1 to 2 seconds. By contrast, Solana implements an evolved hybrid protocol with a Proof-of-History (29) consensus mechanism which is part of the same proof of investment approach but offers a throughput reported anywhere between 29,000 TPS and 65,000 TPS and a transaction time of around 2 and a half seconds. This particular mechanism solves the time challenge, and thus reduces the processing weight on the blockchain, making it lighter and faster. Solana combines this with a security protocol (Byzantine Fault Tolerance (Tower BFT)) which allows participants to stake tokens so they can vote on the validity of a proof-of-history hash, and with proof-of-stake to determine who can participate as a block validator.
Avalanche uses a proprietary implementation of the ‘ecological’ proof-of-stake system (ecological as in by contrast to the proof-of-work models) with the Ethereum blockchain being one of the pioneering implementations.
An emerging alternative to proof of investment is the Proof-of-Identity approach which has been proposed as the smart city proof system (30). The approach ensures the integrity and authenticity of created data by comparing the private key of a user with an authorized identity, or a piece of cryptographic evidence for a user’s private key that is also cryptographically attached to a specific transaction. Any identified user from a blockchain network can create a block of data that can be presented to anyone in the network. The aim of the proof-of-identity blockchain consensus mechanism is to verify the identity of citizens and to this end each uniquely identified individual receives one equal unit of voting power and associated rewards (minting token). This makes this approach fundamentally different to previous investment-based approaches and fit for purpose.
Healthcare applications of these protocols seek to improve both the speed and scalability of the network, the security to avoid hacking, and the privacy protection to avoid the chance of re-identification [3]. And with the permutations made possible combining network privacy (permissioned or permission-less) with various consensus protocols (31), smart contracts and other coding interventions, the possibilities for fine tuning applications in healthcare are numerous and currently under-developed.
---
[1] Distributes voting power and rewards to participants according to their investment in some activity or resource and thus introduces the opportunity to reform and redistribute income on the basis of the blockchain paradigm. For example by disrupting the supply chain in favour of small producers (see BanQu (32)) or incentivising recycling with crypto for trash (33).
[2] Bitcoin has more recently implemented a Lightning Network as a second layer on its blockchain that facilitates off-chain transactions with speed and thus scalability improvements, by allowing a channel to be established between two peers to defer final settlement until later (34).
[3] Carevo is using blockchain technology to optimize medical record retrieval in Indonesia (35).
Security
Blockchain networks are open to vulnerability exploits both with regard to their consensus mechanisms as well as the smart contract mechanism deployed with various network configurations, including permissioned and permissionless blockchains. For example, deploying a smart contract on a permissionless private network automatically creates a private side-chain associated with that contract (36). Combined with the network operations characteristics, smart contracts can lead to a range of technology policies for healthcare applications but also to a varied degree of performance capacities, scalability and security [1].
Security attacks associated with the network performance exploit the hashing and consensus mechanisms that make blockchains censorship-resistant. In what is better known as a 51% attack, malicious users can gain the ability to block new transactions from being confirmed as well as to change the ordering of new transactions.
In blockchain networks all transaction data are cryptographically hashed, meaning they are sealed in data blocks which are converted into hashes, or strings of symbols, which are almost impossible to reverse engineer back into the original data, thus making transactions immutable. Furthermore, each new transaction contains a timestamp of each data block in the history of the blockchain, which is required to verify the owner of the data asset or chain. New assets are transferred to the chain and distributed to the network by authenticating the transaction history leading up to the present ownership. Therefore, in order to change the transaction history held in a blockchain ledger a malicious user would have to reverse engineer the hash of a sealed block, which would lead to a different hash output once the block was resealed, making the new tampered hash ‘out of sync’ with the timestamps running through the rest of the chain, thus alerting the system to reject the resealed mutated block. Considering ledgers are decentralized, for the new chain to ‘take effect’ the malicious user would have to achieve consensus over at least 51% of the participating nodes, who would have to verify new blocks of data by verifying the rightful owner. Moreover, there is the overwhelming size of networks such as the Bitcoin blockchain. While it is not theoretically impossible to reverse engineer a hashed block, the number of permutations a processor would need to go through to do so is mind-boggling. This is even before taking into consideration that more than 51% of the nodes would also need to be hacked simultaneously and the new block inserted into each. And if it wasn’t the last block in the chain all those predating it would also have to be un-hashed and replaced to prevent the historical stamps being thrown out of sync.
As blockchains evolve, additional security features are built into their operations. For instance, with Bitcoin the sender must present a private key, signifying ownership, and a public key, which securely identifies the digital wallet the Bitcoin is held in by means of its ‘address’. On the other side, as exploits go, the more complex a blockchain system becomes the higher the likelihood that vulnerabilities will be accidentally baked into the system (37). Software clients will also inevitably contain vulnerabilities and risks increase when data tokens get monetised and exposed to double spending attacks (38).
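The tamper-evidence argument above can be reproduced with a few lines of hashing. The following Python sketch is an added example, not code from this policy summary or from any blockchain project: it links constructed record-access events with SHA-256, reports where verification fails after an edit, and uses a simplified strict-majority vote over replicas as a stand-in for consensus (all function names and the sample events are assumptions).

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # assumed previous-hash value for the first block

# Constructed sample events (timestamp, payload); not real records.
EVENTS = [
    ("2022-01-10T09:00:00Z", "patient-001: lab result added by clinic-A"),
    ("2022-01-10T09:05:00Z", "patient-001: record read by pharmacy-B"),
    ("2022-01-10T09:07:00Z", "patient-001: consent granted to study-C"),
    ("2022-01-10T09:30:00Z", "patient-001: record read by study-C"),
]


def seal(index, timestamp, payload, prev_hash):
    """Seal a block: hash its fields together with the previous block's hash."""
    body = {"index": index, "timestamp": timestamp,
            "payload": payload, "prev_hash": prev_hash}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}


def build_chain(events):
    """Build a ledger in which every block commits to its predecessor."""
    chain, prev = [], GENESIS
    for i, (ts, payload) in enumerate(events):
        chain.append(seal(i, ts, payload, prev))
        prev = chain[-1]["hash"]
    return chain


def first_broken_block(chain):
    """Return the index of the first block failing verification, else None."""
    prev = GENESIS
    for b in chain:
        expected = seal(b["index"], b["timestamp"], b["payload"], b["prev_hash"])
        if b["prev_hash"] != prev or b["hash"] != expected["hash"]:
            return b["index"]
        prev = b["hash"]
    return None


def edit_payload(chain, index, payload, reseal=False):
    """Copy the chain with one payload changed; optionally reseal that block only."""
    out = [dict(b) for b in chain]
    out[index]["payload"] = payload
    if reseal:
        b = out[index]
        out[index] = seal(b["index"], b["timestamp"], payload, b["prev_hash"])
    return out


def reseal_from(chain, start):
    """Recompute every hash from `start` to the head (a full rewrite)."""
    out = [dict(b) for b in chain[:start]]
    prev = out[-1]["hash"] if out else GENESIS
    for b in chain[start:]:
        out.append(seal(b["index"], b["timestamp"], b["payload"], prev))
        prev = out[-1]["hash"]
    return out


def majority_head(replicas):
    """Head hash held by a strict majority of replicas, or None if there is none."""
    head, votes = Counter(r[-1]["hash"] for r in replicas).most_common(1)[0]
    return head if votes * 2 > len(replicas) else None


if __name__ == "__main__":
    honest = build_chain(EVENTS)
    edited = edit_payload(honest, 1, "patient-001: record read by clinic-A")
    print(first_broken_block(honest), first_broken_block(edited),
          first_broken_block(reseal_from(edited, 1)))
```

A chain rewritten from the edited block to the head verifies on its own, so detecting it depends on comparing its head hash with the one held by the majority of replicas, which is why the text ties a successful rewrite to control of more than half the nodes.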
---
[1] Smart contracts comprise three types of objects: signatories who use digital signatures to approve the terms of the contract, the purpose of the contract and the specific terms.
Privacy
Protecting the privacy of blockchain enabled and implemented chains of trust concerns the problem of de-anonymization or re-identification in the process of data sharing for secondary uses of data. All other elements of this chain-of-trust-by-design problem space set aside, de-anonymization refers to the possibility to reassemble data sets in a manner which reconstructs the obscured or hidden identity of the person they describe. And since secondary uses of shared data are of paramount importance for public health protection (39, 40, 41), for clinical research and the development of novel precision treatments, and for social, health and economic innovation and development at large, blockchain implementations shall have to bear the burden of this risk together with any other technology policy available.
Fortunately there is already movement in this particular space, with simple de-identification on the basis of privacy-by-design policies and regulation such as minimisation and purpose limitation being phased out as a method of anonymizing data, giving its place to what is called privacy-enhancing technologies, such as homomorphic encryption and pseudonymization (42, 43, 44).
Chains of trust in EHRs
The first generation attempts at building chains of trust in healthcare and leveraging longitudinal data to enable provider collaboration and advanced clinical research took place with the EHR. The fundamental concept behind the EHR was longitudinal data or life-long records of health events that took place at different levels of care. For this to be delivered the technology would have to rely on a set of organisational, structural and data semantics standards that would ensure clinical context is maintained all along during the process of data capture at the point of care and in real-time. This essentially, together with the mandates propagation mechanism which would have been necessary to coordinate the events from a regulatory and clinical coherence perspective, would have been the first attempt at building chain-of-custody solutions in healthcare. It never took off and the reason for this failure is that the necessary de-centralisation with federated semantics (standards) was not embraced in care models and process reform in health systems. With institutional and jurisdictional borders maintained, siloed care left no room for cross-border data flows and with that new care and payment models such as value-based bundled care services and reimbursements never made it into widespread routine clinical practice. Time to change all that with blockchain technology policies and tools that place the patient at the epicentre of the trust ecosystem and data sharing process in order to also enable with that the multitude of clinical and care models that reform relies on. The sections which follow unlock the key concepts of blockchain in the context of the hitherto seemingly insurmountable challenges in the domain (45). Table-2 provides an outline of the key messages.
Interoperability and integrity
Data complexity is often cited as a major challenge in making shared healthcare data interoperable and clinically coherent. Data standards are means to make data interoperable since their adoption by all parties involved means mutually agreed semantics and hence the maintenance of clinical coherence in data between different users and uses. The WHO family of international classifications and terminologies developed or adopted by the World Health Organisation is such an effort which has been instrumental for the standardisation of data aggregation (46). With the advent of computers, additional standards emerged to digitalise the data capture process by mapping classifications, or leaves of a domain ontology, to raw clinical data terms (47), or to digitalise the data communication process by standardising data exchange messages between two healthcare agents (48). Despite the many efforts, the infamous silo effect remained a major obstacle in data-driven collaboration, policy and research. And since different healthcare agents by definition hold different parts of the health puzzle for each individual, the integrity of patient journeys or patient history is at stake, with the effects being most evident once this process is digitised (for instance in an effort to use ground truths to train AI on the basis of big data). To overcome the interoperability challenge one would have to standardise the care process itself, the terminology used together with the underlying concepts, in an effort to digitalise the process in addition to digitising the data and hence create a metaverse (see Section 3.6 on Ecosystem Ethics) that enables automation in the deployment of decision tools. Such a pre-standard was first released in 2001 and then in 2007 as a European standard by the EU’s Technical Committee 251 of the European Committee for Standardization (49, EN 13940-1:2007 Health informatics - System of concepts to support continuity of care - Part 1: Basic concepts. CEN 2007).
To date, the 2015 revision of the international EN ISO13940 standard (50) constitutes the only attempt to bridge the range of standardisation islands and solve the problem of interoperability and integrity. The standard is nonetheless not adopted in EHRs due to the care models and concepts it forces into existence [*]. The same models and concepts are forced into existence by self-sovereign identities in healthcare blockchains. And as the technology policy does not lend itself to complex clinical data modelling, ISO13940 can be deployed to map an additional enterprise off-chain data layer to the on-chain layer of the blockchain-driven logical architecture.
---
[*] The authors first introduced the standard for the development of EHRs in Serbia in 2003 (51, 52) and then subsequently in a number of countries including Kazakhstan (53) and Mongolia, the latter of which as a result prompted research on the adoption of the standard in Estonia (54).
Healthcare delivery
The ultimate goal of healthcare blockchain applications is to enable existing patient-centred integrated care models and to implement new cost-effectiveness arrangements by leveraging data sharing, chains-of-trust and chains-of-custody toward provider collaboration, the seamless integration of care and public health services on the basis of shared goals, protocols, diagnostic and care plans, and evidence-based policies. In addition to leveraging advanced data sharing mechanisms and chains-of-custody to enable integrated care, a blockchain ecosystem offers the means to implement financial incentives and models for the reform of health systems toward a sustainable and inclusive future; for instance:
Engagement and Scaling
Patient engagement describes a care situation where patients are empowered and actively involved in their care processes and decisions, in order to improve the access to and the quality of care and to achieve better outcomes at lower costs, both in the short term and in the longer term. The patient thus becomes an integral part of the care delivery system, also participating in the design and implementation of novel delivery channels and improved efficiencies. Virtual care, telehealth, telemedicine and their various deployment configurations are only a part of those channels (55).
Implicit in this definition is the use of digital health to empower the patient and enable their active engagement, as well as to enable and empower patient-centred care in order to make patient engagement meaningful and sustainable in the long term and in the context of the health system as a whole. Equally important is a functioning patient-centred innovation ecosystem which, by enabling the underpinning of virtual care processes with seamless exchanges of pertinent, context-sensitive data, transforms individual opportunities for digital patient empowerment and engagement into a long term relationship, with the patient engaged in a lifelong care collaboration where the above stated benefits are leveraged to deliver efficiencies and value-added services across levels of care and across the care continuum. Vice versa, with such an arrangement, the ecosystem is enriched by performance and outcome data which is necessary to measure efficiencies and reach set value-added goals.
From the perspective of blockchain supported telehealth and virtual medical services, to provide for and enable patient engagement is to empower the patient with patient-centred care information exchanges and sharing, and that requires interoperability between various data capture systems (mobile, provider EMR systems, telehealth devices and wearables), across the care continuum and within an integrated care environment, including those deployed for the purpose of patient engagement and virtual care. Empowering the patient with such means also means empowering the providers, the emphasis being on primary care, hence a patient-centred architecture.
To describe the above target capability for scalable telemedicine and virtual care, a Canadian Virtual Care Task Force (VCTF) recently observed that “in a virtual care ecosystem, the sum total of a person’s longitudinal health information should be available in a functionally single digital chart that is accessible to their entire circle of care on a need-to-know basis, irrespective of location.” In February 2020, this task force was established by the Canadian Medical Association together with the College of Family Physicians of Canada and the Royal College of Physicians and Surgeons of Canada, who published a report of the VCTF with recommendations for scaling up virtual medical services toward a national capacity and strategy (56). The report suggested actions necessary for building a sustainable nationwide virtual medical services delivery system that would include digital means for the remote engagement of patients in healthcare. The mandate was to develop strategies and recommendations for promoting the delivery of publicly insured medical services through virtual means, including telemedicine and telehealth. Four working groups were formed to identify challenges and outline principles and recommendations for a pan-Canadian framework:
According to the VCTF, the VMS framework would aim to establish "excellence in virtual care that upholds quality health service and supports continuity of care among care teams". Without such a framework, the VCTF noted there is a risk that a series of fragmented virtual care services will be established that detract from continuity and potentially lead to quality of care issues. One of the key conclusions was that while the majority of Canadian physicians now use some form of digital record keeping and a majority of households have internet access, there is a long way to go to reach the level of maturity that allows the use of digital technology to provide for publicly insured virtual care. Interestingly, the interoperability working group furthermore found that presently there are no comprehensive metrics on the state of interoperability in health care, but available evidence suggests there is a long way to go before it is achieved. In this direction, the VCTF noted that the exchange of health information is the foundational activity for all virtual care, describing data sharing across services, within “circles of care” and between patient and provider as a potentially complex process which is subject to legislative, policy, standard, workflow, technological and governance variation that potentially impairs the ability to deliver virtual care. More specifically, as a result of legislative and policy barriers, Canada, they said, lacks national standards to support patients having electronic access to their health information. The result is the deployment of multiple portals in many jurisdictions which has been promoting a lack of the necessary patient-centric information architecture for Canada.
The report furthermore documented a lack of alignment of policies across the board of issues that need to be tackled to deliver patient engagement and telehealth or virtual care, with patient-centricity not being adequately reflected in legislation, health care policy or health information architecture. Coupled with antiquated ownership and custodianship models for medical data, the systematic virtualization of care is impaired and instead fragmentation of care is further promoted, with the risk that this state of affairs may spill over to the new virtual care ecosystem, potentially also inhibiting the adoption of telehealth as a publicly insured service.
In this context and on the basis of this policy note, a blockchain-driven data sharing platform can leverage patient engagement as a policy component in universal continuity-of-care in order to reach the following endpoints:
Governance and policy
Current digital health governance and policy follows those of the health systems they are designed to serve. This means that the problem of a heavily siloed healthcare industry is exacerbated by siloed data and compounded by digital governance models. The blockchain ecosystem is based on principles of ethical digital technology deployments in health and embodies the concept of trust-by-design in its configurations, thus introducing new holistic governance approaches and models that address this problem by providing access for all involved parties to a shared blockchain, a shared chain-of-evidence and a shared chain-of-trust, a shared contracting platform, and the list goes on.
The blockchain ecosystem can effectively phase out the problematic simple de-identification of health data as a policy, in order to enable advanced and at the same time ethical and trustworthy secondary uses of data for public health purposes and for mounting effective responses to health emergencies. It does so by supporting and underwriting privacy protection policies with improved mechanisms to control minimisation and purpose limitation, to maintain clinical coherence in captured and shared data, and to protect the identity of those the data concerns.
Last but not least, a blockchain technology policy enables new procurement and contracting models and mechanisms by providing a platform for flexible, efficient, secure and non-excludable collaboration outside current jurisdictional and institutional boundaries, making it possible for healthcare professionals who are not associated with provider institutions, and small practices, to be included in a learning and constantly adapting health system, thus forcing prices down and reducing downstream overutilization. This also strengthens the capacity for value-based care, expands the basis for the generation of data for secondary uses by covering a larger population to include rural areas and mitigates the risk that fragmentation spills over to the deployment of virtual care services thus detracting from continuity and potentially leading to quality of care issues.
---------
Further to those presented in the previous Part 3-A, this part of the meta-policy defined and illustrated further normative and formative perspectives, policies and frameworks to be included in the directionality enabling meta-policy for digital development and innovation in health.
Part four presents the Agile Governance Framework in further detail and the use of the AGF to orchestrate the interaction of different policy components and normative design parameters at different levels in order to identify and design preferred development paths on the basis of policy formulated principles, and to govern and steer these paths into set outcomes on the basis of policy-enabled directionality.