Prototype implementation of a HIPAA audit log using ethereum blockchain
Concept
A HIPAA audit log keeps track of which users access which patients at what time.
Implementing this functionality using blockchain is interesting because:
- Blockchain is immutable - once an audit record is stored, it cannot be removed or changed.
- Blockchain is built on public key cryptography. Users and patients could have their own unique public keys on the blockchain that can be referenced by the audit log without revealing the actual users identity or any PHI.
- Blockchain is accessible - the audit records can be easily accessed by anonymous users without revealing any PHI
This prototype uses ethereum for the blockchain implementation and has a smart contract that contains an audit log entry (see contracts/Patient.sol).
-
Setup a private ethereum network from here: https://github.com/chafey/ethereum-private-network
-
Metamask with supported browser (Chrome is what I use)
-
Meteor
-
Make sure your ethereum private test network is running.
-
Make sure you have created an account with metamask and are connected it to the localhost 8545 network
Start the meteor application:
cd patientApp
meteor npm install
meteor Open your web browser to localhost:3000
You should see the page "Welcome to Nucleus.io" and "Welcome Ethereum Account ". If you don't see an ethereum account number, you need to create an account in metamask.
Click "Register", the registation page should appear.
Click "Submit", to connect your ethereum account to the "Alice Liddel" user.
Metamask should prompt you with a "CONFIRM TRANASCTION" dialog to sign message.
Click "Sign". You should now be logged into the application and see a nav bar with tabs for "Patients" and "Reports". You will also notice that the system shows your name as "Alice Liddel" in the upper right corner.
Click "Add Patient". This will present a screen to add a patient with a diagnostic report.
Click "Save". This will result in the system creating a new Patient document in mongodb with the PHI. It will also create a Patient smart contract in ethereum and save the address in the patient document. You should now see the patient John Doe in the worklist.
Click "John Doe". This will cause the view report screen to be displayed showing the PHI. The system will also log an audit even to the patient smart contract.
Click "Reports" in the navbar. You will see the report screen.
Click "Search". The report should show the audit event created when you clicked john doe. The audit events are discovered using an ethereum filter.
This demo supports the storage of Patient records according to the FHIR Patient 1.6.0 resource schema.
Because the FHIR standard also specifies the support of REST APIs, these Patients are available at the following endpoints.
GET /fhir-1.6.0/Patient/:id
GET /fhir-1.6.0/Patient/:id/_history
PUT /fhir-1.6.0/Patient/:id
GET /fhir-1.6.0/Patient
POST /fhir-1.6.0/Patient/:param
POST /fhir-1.6.0/Patient
DELETE /fhir-1.6.0/Patient/:id
However, because these endpoints are protected by OAuth, they won't be accessible without an OAuth signin infrastructure, or disabling OAuth. You can disable OAuth by using the NOAUTH environment variable. So, to access the Patient resource, you'll need to run the following:
# start the meteor application with OAuth disabled
NOAUTH=true meteor
# perform an open query of the Patients collection
curl http://localhost:3000/fhir-1.6.0/Patient
Please see the clinical:hl7-resource-patient package for more implementation details.
We recommend the following utitilies for inspecting the Mongo database, and querying the app via REST calls.
Robomongo - Mongo database management
Postman - REST utitlity for the Chrome browser