Reproductive Health Data: Open Standard Offers Access Control, Revocation, and Other Traits

A team of women coders caught attention at DEF CON on June 26 with a secure reproductive health tracking app (Figure 1) that lets a menstruating person exchange data securely with health staff. Their core technology was OpenTDF, a free software library that advances a crucial goal in health care: patient control over their own data, in tandem with the ability to share data with their doctors and other people through access policies and encryption.

Figure 1: The SecureCycle user interface lets you enter menstrual information by date along with symptoms, and share the information.

The need for patient control and privacy protection has become more timely than ever with the U.S. Supreme Court decision to reverse Roe v Wade. The public staggered under news that a prosecutor in Nebraska got access to private Facebook postings through a warrant in order to prosecute a teenager for abortion.

This article isn’t about the politics or morality around abortion; it’s about the current state of health care privacy and the right of the individual to control their data. The reproductive health app itself, SecureCycle, is not yet ready for use. It was created in a recent hackathon held by Virtru to promote OpenTDF, which they created and put under an open source BSD license.

Few healthcare apps truly protect privacy. The Mozilla Foundation, which has rigorously upheld online privacy for years, rates applications related to reproductive health for privacy, and its ratings reveal a wide divergence in privacy protection. A recent email from the Foundation said, “18 of the 20 reproductive health apps we reviewed earned our *Privacy Not Included warning label.” Risks can be subtle: for instance, although Apple Watch is fairly trustworthy on its own, exposure can occur whenever you transfer your data to another service.

In short, the shock of the Roe v Wade reversal highlights what privacy advocates and health IT activists have said for at least fifteen years: Patients need to control their own health data and protect it against unwanted releases.

This article is based on an interview with two managers at Virtru: Dana Morris, senior vice president of Product & Engineering, and Cassandra Bailey, senior technical product manager and leader of the team that developed SecureCycle.

What’s special about OpenTDF?

There are many standards for secure data exchange. Unsurprisingly, many popular ones—notably OpenID Connect (OIDC) authentication and Keycloak identity management—are embedded in OpenTDF. The specialty of OpenTDF is fine-grained control over who gets to see the data and when, a feature often known as role-based access control (RBAC) in the security field, and called policies in OpenTDF.

TDF stands for “trusted data format.” Morris says, “TDF enables policy to be cryptographically bound to the data so that the policy goes wherever the data goes. This in turn enables the owner to exert control over the data regardless of its location or physical possession.”

With OpenTDF, you can share your bank information with a mortgage firm just long enough for them to complete the mortgage transaction, then remove access. In health care, you could mark a certain type of data—assuming that you have a health record that segments data—to be available to a certain doctor, or to everyone in a certain hospital, for the duration of your treatment.

You can also delegate trust, for instance granting a doctor the right to show data to other people that the doctor believes need to see it. Finally, an audit trail tells you everyone who has looked at the data, and when. A doctor who uses the data you give them after you have revoked access would be identified in the audit trail, and subject to discipline.

In theory, clinicians could copy your data and continue to use it after you revoke access to your personal copy. But this would be a violation of the contract you form when granting access, and would also be flimsy if used for law enforcement and legal purposes because the clinician couldn’t prove it’s accurate.
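To make the binding concrete, here is an added illustrative model of a TDF-style envelope; it is not OpenTDF's actual format or API. The policy is bound to the data key by an HMAC, a hypothetical key access service (KAS) recomputes that binding and checks the dissemination list, expiry and revocation before releasing the key, and every request lands in an audit trail. The cipher is a SHA-256 counter-mode stand-in, and the record, clinician address and timestamps are constructed.

```python
import hashlib, hmac, json, secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a stand-in for a real AEAD such as AES-GCM, not for production use.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

class KAS:
    """Hypothetical Key Access Service: sole holder of data keys; checks policy and logs every request."""
    def __init__(self):
        self.deks, self.revoked, self.audit = {}, set(), []
    def revoke(self, env_id: str, requester: str) -> None:
        self.revoked.add((env_id, requester))  # the owner withdraws one party's access
    def rewrap(self, env: dict, requester: str, now: int):
        dek, policy_json = self.deks[env["id"]], env["policy"].encode()
        # Recompute the binding with the data key: a policy edited in transit no longer matches.
        expected = hmac.new(dek, policy_json, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["binding"]):
            decision = "deny:policy-tampered"
        else:
            policy = json.loads(policy_json)
            decision = ("deny:not-authorized" if requester not in policy["dissem"]
                        else "deny:expired" if now > policy["expires"]
                        else "deny:revoked" if (env["id"], requester) in self.revoked else "allow")
        self.audit.append((now, requester, env["id"], decision))  # the audit trail
        return dek if decision == "allow" else None

def encrypt_tdf(plaintext: bytes, policy: dict, kas: KAS) -> dict:
    dek, nonce, env_id = secrets.token_bytes(32), secrets.token_bytes(12), secrets.token_hex(8)
    policy_json = json.dumps(policy, sort_keys=True).encode()
    kas.deks[env_id] = dek  # the key stays at the KAS; the envelope carries only the binding
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(dek, nonce, len(plaintext))))
    return {"id": env_id, "policy": policy_json.decode(), "nonce": nonce.hex(), "payload": ct.hex(),
            "binding": hmac.new(dek, policy_json, hashlib.sha256).hexdigest()}

def decrypt_tdf(env: dict, kas: KAS, requester: str, now: int):
    dek = kas.rewrap(env, requester, now)  # the KAS decides; a denied holder never sees the key
    ct, nonce = bytes.fromhex(env["payload"]), bytes.fromhex(env["nonce"])
    return None if dek is None else bytes(a ^ b for a, b in zip(ct, keystream(dek, nonce, len(ct))))

def demo() -> list:
    # Constructed walk-through: a permitted read, a read after revocation, a read with an edited policy.
    kas, doc = KAS(), "dr.lee@clinic.example"
    env = encrypt_tdf(b"2022-08-01 cycle start; cramps", {"dissem": [doc], "expires": 1000}, kas)
    decrypt_tdf(env, kas, doc, now=500)
    kas.revoke(env["id"], doc)
    decrypt_tdf(env, kas, doc, now=600)
    forged = dict(env, policy=json.dumps({"dissem": ["other@example"], "expires": 9999}, sort_keys=True))
    decrypt_tdf(forged, kas, "other@example", now=700)
    return [d for *_, d in kas.audit]
```

The audit list returned by `demo()` shows why the copy-and-keep scenario above is the only way around the control: once access is revoked, the KAS simply stops releasing the key, and the attempt is recorded.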

An entertaining, in-depth article describes the origins of OpenTDF in a project at the National Security Agency (NSA).

Details about the SecureCycle reproductive health app

SecureCycle was completed in two or three days during a Virtru hackathon and won first prize there. Being a demo, the app is simple and modest in scope. The user logs in and enters the dates of her menstrual cycles along with symptoms she experiences. The app stores data in a relational database.

SecureCycle was developed with the React Native framework, creating apps that run on both iOS and Android. The source code for SecureCycle will be released under an open source license soon.

The app is not usable at this point because it stores data on a server, and no one has set up a server for the data yet. But anyone could do so and start offering the service.

Shannah Koss, a consultant and consumer health IT advocate, told me, going on the information I provided, that SecureCycle is going in the right direction. She says that many consumer apps are prioritizing features and revenue over helping individuals easily and securely aggregate, store, and control their health information. If the apps incorporate the work of SecureCycle, they could offer enhanced security and control. Koss also emphasized the importance of granular control over what’s shared from the user’s data.

Control and consent

Koss pointed me to a November 2021 survey called Modernizing Consent to Advance Health and Equity. The key issues it identified were “identity verification and management; privacy protection; and a progression from absolute ‘opt-in/opt-out’ choices toward more granularity in selecting what data can be shared, with whom and under what circumstances.” (Page 9 of the survey.)

Page 15 gives a tip of the hat to the importance of a patient owning their own data. Putting data under their control and providing enforceable policies for data sharing, as OpenTDF does, simplifies many of the concerns about consent. After all, the patient defines the rules for sharing and use from the get-go.

And yet all the issues mentioned in the survey are still relevant. For instance, data shouldn’t be shared until the sharer has verified the identity of the person asking for the data.

And questions will always arise concerning whether the patient understands what they’re consenting to, or whether data can be used for legitimate research purposes that weren’t anticipated when the data was collected. These questions were famously discussed in The Immortal Life of Henrietta Lacks by Rebecca Skloot.

Although no principle may seem more intuitive and just than the jurisdiction a person should have over their own personal data—particularly data as sensitive as the data concerning their body and health—powerful forces prevent the principle from coming into reality. The hospitals, clinics, payers, and health IT vendors all want to grasp and hold onto patient data for a variety of reasons. Technologies that help return control to the patient are important achievements.

About the author

Andy Oram

Andy is a writer and editor in the computer field. His editorial projects have ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. A correspondent for Healthcare IT Today, Andy also writes often on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM (Brussels), DebConf, and LibrePlanet. Andy participates in the Association for Computing Machinery's policy organization, named USTPC, and is on the editorial board of the Linux Professional Institute.
