Blockchain-Based Authentication in the Healthcare Industry Vishal Menon[40220758], Vighnesh Srinivas Gumma[40227580], Sivs Sushma Battineni[40235007] Abstract—Blockchain-based authentication has the potential to transform the healthcare industry by providing reliable, efficient and secure ways to store the healthcare records of the patients. This paper focuses on the benefits of blockchain technology when used in the Electronic Healthcare Records systems for authentication purposes. This is achieved by specifying the benefits and the attacks that the Healthcare systems can be prone to. The paper also discusses several systems that were implemented according to the papers that have been referred to. The highlight of this paper is explaining how the blockchain-based authentication can revolutionize the field of Healthcare by helping the patients have access to their medical records electronically without compromising on the security. Keywords— Electronic healthcare records, Blockchain, Authentication, Smart contracts, Healthcare industry I. INTRODUCTION Blockchain has transformed the tech industry in various domains. It has primarily focused on the financial sector namely cryptocurrencies, but the advancements and benefits associated with a blockchain are not limited to it. Blockchain has created a new medium to share data and information in a safe manner. Various fundamental sciences are used to achieve this common goal including cryptographic hash functions, distributed consensus techniques and digital signatures. Decentralized execution of all transactions eliminates the requirement for intermediaries to confirm and validate them, which was a necessary requirement in any environment until the world of blockchain was introduced. [23] In the domain of healthcare, along with the various advancements in the industry, EHR (Electronic Health Records) have also started to gain traction [3] as a significantly more effective alternative to traditional patient health records. [2] The research community has also been interested in the potential advantages of EHR systems, such as public healthcare administration, online patient access, and patient medical data sharing. A key example of the potential of EHR systems have been demonstrated during the pandemic caused by the novel coronavirus, also popularly recognized as COVID-19. EHR has helped contain the virus partially by enabling remote patient monitoring along with additional means to make healthcare more accessible with minimal contact. [3] However, EHR systems follow traditional authentication methods i.e., using a centralized system. Centralized server scenarios are publicly known to have security and privacy shortcomings due to their design. This may be an acceptable risk today but as the adoption of such technology gains traction, it could introduce larger issues as it primarily handles sensitive information associated to the identities of a vast number of individuals. [3] With the introduction of blockchain-based technologies, multiple studies have been conducted to achieve a common goal of tackling most of the problems associated to the traditional systems. [2] This is primarily possible due to the fact that blockchain based technology is decentralized as it uses a peer-to-peer network to enable transmission of data unlike the centralized server models. [1] It is far from perfection as these blockchain based technologies will have to implement comprehensive safety and privacy features in terms of interoperability, authentication and the exchange of information within the environments it gets implemented on to satisfy the strict legal requirements contained within the 1996 Health Insurance Portability and Accountability Act. Nevertheless, this technology has gained a lot of attention and also achieved success in a number of countries. It has been able to solve the problem associated to single point of failures.[2] However, along with the advantages of blockchain based technology, there also exists multiple concerns mainly concerns that are related to financial costs as most organizations are categorized into small and medium sizes and affording such a technology and its implementation is not a small problem. [23] In this report we will go through the different ways blockchain-based technology has been implemented for authentication purposes within healthcare. II. RELATED WORK In this section, we analyze multiple studies that have been performed in the past associated to the main aspects of our research after which we will analyze these areas in detail to understand its structure and design. A. Blockchain-based implementations on EHR One of the main topics that revolve around healthcare today is the use of EHR systems which is meant to simply digitalize the process of data sharing and storage as compared to traditional systems that would generally be done on paper. There have been multiple studies that have focused on integrating blockchain into the EHR. One such study [5] talks about how multilevel authentication can be used to secure electronic health records. According to this study, the proposed model splits the modules into two categories, the user management layer and the EHR generation and view layer. Under the user management layer, the flow goes through three main processes namely registration, validation and a QR image generator. The user, i.e., the patient, would provide their details to be recorded onto the system after which the validation system checks the validity of the information provided. Additionally, neither the patient nor the medical professional would be able to access the records until it is deemed to be valid after which a QR code will be generated. Once the process moves forward into the next module, the blockchain implementation is put into effect. The first step involves the login function where the patient accesses their respective account using a userid and a password and an additional MFA scheme. When a consultation is completed with the medical professional, the EHR record is created within the system and a the patient is notified of the generation. This is where the patient must approve the generation of their record which avoids the possibility of double spending attacks. [5] A double spending attack is essentially a situation where an attacker tries to create a fork by generating a new group of blocks. It is also necessary that the group has a longer chain. If these conditions are met, a successful double spending attack has been initiated. [25] Once the patient approves the generation of the details, a new block is created for the EHR. The key generator module is responsible for generating a key which will then be used to generate a hash for the respective block. [5] Another such study [26] demonstrates a simpler scenario as to how the EHR records will be generated using blockchain based technology. In this model, a role-based hierarchy is implemented. Fig 1: Blockchain-based EHR implementation using rolebased restrictions. [26] In the above figure, the flow of the record creation and access management is demonstrated. Similar to the previously mentioned study, the patient provides the details which ultimately leads to the creation of records along with the medical personnel’s inputs. Additionally, there exists an administrator that is responsible for managing the blockchainbased implementation. The admin will be responsible to handle all the functions from the deployment of the network until the storage of data. Once the records have been created and registered, the access is granted to specific personnel only. The medical personnel can only access the information of a patient directly associated to them. [26] B. Smart Contracts Smart contracts are essentially lines of code that are executed when any transaction is made on the blockchain. This study [1] describes smart contracts as an implementation that brings about logic into the blockchain. In this model, the smart contract will be used as a means to control and handle access management to the patient’s medical records. It will be deployed as a ledger feature that exists within the blockchain network. [1] In the below Fig 2, the flow of information is shown as to how records are accessed. When the patient performs a successful login attempt, the private key is fetched from the Ethereum wallet. The Ethereum wallet is described to be a cold storage wallet which means that the data is stored offline which ultimately leads to a more secure model as this reduces the risk of attacks and data leakage. The wallet can also be further used to provide signatures on any document in a similar manner. [1] Fig 2: Flowchart showcasing the access management process of records. C. Authentication using tokens Another interesting means to authenticate is by using specially generated tokens. Medicalchain is platform that uses the decentralized model of blockchain to share medical data in a secure manner by making use of tokens known as MedTokens. Medicalchain enables access to patients by generating a smart contract. At its core, the means to pay if done by using the MedTokens which can be either earned or spent by the patient. The patient pays using the tokens when a service is used or accessed within the system. When a patient grants access to a third party, tokens are earned as a reward. The Medicalchain system is already known to be implemented in parts of the United Kingdom. This allows patients to achieve any medical need remotely at their disposal and convenience. [10] III. ANALYSIS OF MODELS TO MANAGE EHR In this section of the study, we analyze the different models that could be implemented to manage the electronic health records. A. Using DIDs to authenticate in EHR systems DID is one such method that can be used to perform authentication functions within electronic health record systems. DIDs are known as decentralized identifiers. They are used to represent the identity of any entity whether an individual, organization etc., in a decentralized system. DIDs also allow complete control over their information to the owner of the respective data. This allows the owner to perform transactions in a simple manner without much concern associated to privacy. DID-based authentication works on the principle of the cryptographic challenge and response mechanism. A challenge response mechanism is a scenario where a verifier sends a challenge to the prover and expects a response to that challenge that is usually generated by an algorithm that both parties need to be aware of as per their agreement. [12] However, another study [27] mentions that the level of security and privacy that could be achieved using DIDs can only be derived after performing a comprehensive threat analysis. According to this study [12], the most important part of this model is the storage and usage of DIDs and keys. This model uses DKMS wallets to store all the data including DIDs. During the initial stages of account creation, the identity and data associated to the patient is verified using DIDs and Verifiable Credentials (VC). The VC is then distributed amongst the required parties such as the medical professionals. This helps create a more privacy oriented system due to the absence of a centralized system managing all the records. The transaction control is performed by making use of the distributed ledger in the blockchain network. These transactions will hold all the data such as DIDs credentials etc. [12] It is also known that attacks can be performed on blockchain based systems where the adversary could access data by performing attacks such as replay attacks. An example mentioned in another study shows that the attacks need not be malicious but used to gain financial advantage. A pharmacist could try to gain access to information associated to prescription patterns in order to gain a financial advantage by tailoring their marketing strategies based on the newly learnt information. However, this study also proposes a similar DID based system and deems it to be secure based on the design to authenticate using a challenge response mechanism. It also additionally adds an extra security layer by introducing access control lists and policies into the network. [27] present proof of identity in response to the healthcare provider after which the patient fetches the respective credential which is stored in the ledger. The patient will then generate a request using a secret and send it to the healthcare provider. The patient will then fetch the verifiable credentials from the wallet and further provide proof to the healthcare provider. Finally, the healthcare provider will be able to verify the received proof by performing a comparison with the public key of the issuer from the blockchain network. [12] An extra layer of security measure can also be implemented on top of the discussed model. Another study [28] mentions the presentation of only a part of the credential. Essentially, a presentation of the credential is provided by using a VCs that are to be generated by the respective authority that is assumed to be trustworthy by the verifiers involved. However, this information that is used in the presentation does not initiate from the authority but the parties involved such as the owner, researcher and the cryptographic content in order to provide a means to ensure that the data originates from a distributed ledger. [11] According to this research and proposed framework, the DID uses Hyperledger Indy blockchain which is built around the DIDs. The Hyperledger Indy blockchain is built around DIDs and is used for credentials setup and generating the DIDs. There are two types of DIDs used namely; Verinym and Pseudonym. Pseudonym, otherwise also known a pairwise-unique DID or peer-DID, is generated uniquely for each digital connection and is used in the context of that particular connection. This DID is private. The Verinym DID is public and visible to everyone. It is supposed to determine owner’s legal identity. The peer DID generation includes a verifying key, a signing key, and a DID. The signing key is kept private and is stored in the user’s wallet, whereas the verifying key and the DID are made public. B. Security Analysis of Decentralized Identifiers [11] Discusses some of the security implications of DIDs. The paper mentions that the probability of a sybil attack or Identity theft is minimum, as the users are responsible for their identity. They decide whom to disclose their identity. The peer-DID which ensures that the identity is only valid for the ongoing digital connections, and the selective disclosure of identity ensures that these kinds of attacks are not possible. The paper does not use smart contracts in their implementation and hence does not produce any kind of code level vulnerabilities. Fig 3: Access Control Consent Management for EHR access [12] The above figure 3 shows the flow of information involved in managing consent associated to EHR record access. The healthcare provider will first provide a credential based on the identity to the patient. The patient will then be obliged to C. Other Mechanisms [6] A different paper suggests a decentralized framework to maintain, manage and transfer healthcare records. The framework relies on using Proof of Stake(PoS) instead of the traditional Proof of Word(PoW). The authors inclined towards using blockchain to manage healthcare records was mostly due to the immutability nature of blockchain and smart contracts deployed on blockchain. The paper mentions the use of smart contracts in the framework to exchange the health records between various healthcare providers purely due to the privacy provided by blockchain. Although, the paper at no point gives technical details about the kind of smart contracts used, the algorithm used, or any other specifics about the framework. It does mention that the framework relies on usual cryptographic primitives used in blockchain such as ECDSA for signature, hashchain for immutability, SHA256 for hashing the values and such. There are five active roles in the framework, each of which perform various functions. Visitors nodes will request services relating to the healthcare data which is carried out by Agent nodes. Coordinator nodes approve these requests, and the Administrator nodes performs the requested operation on the data. The contributor nodes circulate the data in the network. According to this framework, the block size is limited 30kb and 15 transactions per block. Each block is created after 6 minutes, regardless of the number of transactions in the block. D. Medical Security System using Distributed Ledger Blockchain and Distributed technology in systems designed for Electronic Health Records has the potential to revolutionize the security and the privacy to greater lengths. The main of the system is to maximize the sharing rate of these electronic records alongside very less impact caused by the adversaries. When a medical system that maintains health records electronically uses Bitcoin Technology, consist of a medical server that protects the shared data like shown in the picture below. On a general note, users might find it less secure, when they know that their health records are on a shared server however, the medical server is supposed to serve the purpose of securing the shared patient information. There will be authentication techniques that will be used in order to maintain high level of security. [12] cannot be modified or deleted without consensus from all parties involved. This system uses an end-user application where the patients/users can access the files that they have the access to. They provide communication to the system through conventional communication standards. The initial authorization for the end-user is provided using login ID/name and password information, which is validated by the medical server to ensure the reputation of the user. It is designed to also fight against attacks like man-in-the middle and data tampering. In general, the man-in-the-middle attack is an attack where the adversary overlaps the user’s access to the healthcare records. This will allow the adversary to access the health records of any patient that is available on the medical server. By doing this, the adversary is degrading the security of the EHR system [12]. In the case of Data tampering, the adversary will be able to breach the health care records from the node that is communicating in the network of the system. In data tampering, the data is either modified or listened to. Either way, the security of the EHR is compromised. The authentication mechanism used in this system is the above-mentioned linear decision making and concentric authentication. Concentric authentication is a mechanism that uses multiple levels of security to secure the system. The use of concentric authentication allows several additional layers of security than the existing one by requiring multiple levels of authentication before granting access to healthcare electronic records to the requested user. This will ensure that the system prevents unauthorized access and only authorized users have access to their records. In a nutshell, the use of concentric authentication in conjunction with other security measures such as blockchain technology and linear decision making provides a highly secure way for patients to request and access their records while maintaining privacy and data security. IV. FUTURE WORK The trust model that is used in the medical server is based on linear decision making. Apart from using bitcoin technology, this model/system used different technologies like Authentication, Classified-based learning and lineardecision making. This model involves linear decision making which in turn involves assigning different set of weights based on different options provided and provide a decision based on the score obtained. This approach is applied to the electronic healthcare records as the records of several patients are recorded and to maintain successful access. When the linear decision-making model assigns weights and gives a score, it is indeed granting the access to the person that obtained the right score to access their file. This is an authentication technique and heavily relies on providing more efficiency. This system uses a blockchain-based distributed ledger to store and manage healthcare electronic records. The distributed ledger is resistant to tampering, which means that once data is added to the blockchain, it The future work in the application of blockchain-based authentication in healthcare from an authentication perspective can focus on enhancing security, providing greater user control, improving key management and enabling decentralized identity management. A. Standardized Protocols Since the blockchain application in healthcare sector is still in the beginning phase, standard protocols to follow will rule out a lot of hassle for the upcoming systems that need universal application. B. Multi-factor Authentication A lot of patient’s data is stored in the servers of these systems and if necessary, authentication isn’t performed, there is a high chance that the system can be prone to several attacks that could steal and modify the data. To avoid this from happening, the future work should focus on implementing various authentication mechanisms. C. Key Management The secure management of keys is a necessity in systems that are based on blockchain authentication. Future work can focus on developing more secure and user-friendly key management solutions. D. Organizational Adoption Although, the proposed system is still emerging, it is important to expand the application to all the healthcare organizations. This is because the security mechanisms and the authentication mechanism can be better tested when there is wider usage of the related systems. V. CONCULSION With the wide usage of blockchain technology in the healthcare industry for better management of healthcare records of patients, there are also challenges that the systems are posed to. Despite being prone to security attacks and several challenges, several successful implementations of blockchain-based authentication in healthcare have demonstrated that the application of blockchain technology has enough potential to improve patient medical records and reduce costs while maintaining patient privacy and security. Therefore, healthcare organizations should carefully consider the benefits and challenges of blockchain-based authentication and carefully consider its potential for their specific needs before implementing this technology. With careful application, blockchain-based authentication can transform the healthcare industry and provide significant benefits to patients, healthcare providers, and other stakeholders that deal with the medical records on a general basis. REFERENCES [1] [2] [3] [4] [5] https://www.hindawi.com/journals/js/2022/7299185/ https://www.mdpi.com/2673-8732/2/2/16 https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7362828/ https://onlinelibrary.wiley.com/doi/10.1002/spy2.231?af=R https://www.researchgate.net/publication/342639757_Securing_Block chain_based_Electronic_Health_Record_using_Multilevel [6] https://www.frontiersin.org/articles/10.3389/fpubh.2022.938707/full [7] https://www.sciencedirect.com/science/article/pii/S131915782100105 1 [8] https://manipal.pure.elsevier.com/en/publications/a-blockchain-baseddecentralized-identifiers-for-entity-authentic [9] https://stlpartners.com/articles/digital-health/5-blockchain-healthcareuse-cases/ [10] https://www.mdpi.com/2071-1050/12/22/9693 [11] http://www.truevaluemetrics.org/DBpdfs/Technology/Blockchain/5onc_blockchainchallenge_mitwhitepaper_copyrightupdate [12] d.pdfhttps://iom3.tandfonline.com/doi/pdf/10.1080/23311916.2022.2 035134?needAccess=true&role=button [13] https://www.mdpi.com/2227-9032/8/3/243 [14] https://www.hindawi.com/journals/js/2022/7299185/ [15] https://www.sciencedirect.com/science/article/abs/pii/S138912862100 4382 [16] http://www.truevaluemetrics.org/DBpdfs/Technology/Blockchain/5onc_blockchainchallenge_mitwhitepaper_copyrightupdated.pdf [17] https://iom3.tandfonline.com/doi/pdf/10.1080/23311916.2022.203513 4?needAccess=true&role=button [18] https://www.mdpi.com/2227-9032/8/3/243 [19] https://www.irjmets.com/uploadedfiles/paper/issue_6_june_2022/261 57/final/fin_irjmets1655372310.pdf [20] https://www.emerald.com/insight/content/doi/10.1108/EL-05-20220104/full/html [21] https://journals.plos.org/plosone/article?id=10.1371/journal.pone.024 3043 [22] http://mail.webology.org/datacms/articles/20211102103453amWEB18248.pdf [23] https://www.mdpi.com/1424-8220/22/14/5274 [24] https://www.researchgate.net/publication/336393649_Using_Blockch ain_for_Electronic_Health_Records [25] https://www.researchgate.net/publication/351136583_Revisiting_Dou ble-Spending_Attacks_on_the_Bitcoin_Blockchain_New_Findings [26] https://arxiv.org/ftp/arxiv/papers/2203/2203.12837.pdf [27] https://ieeexplore.ieee.org/abstract/document/9895264 [28] https://www.mdpi.com/2076-3417/11/19/8984