Restoring trust in the age of digital transformation

Sensitive data is a prime target for cybercriminals. Getting hold of your personal information can lead to identity theft and fraudulent use of credit cards, for example. This is why cybercriminals target the healthcare sector in particular. Hospitals are involved in around a third of all personal data leaks. These facilities hold large quantities of sensitive data that cybercriminals can sell for a high price.

Medical data is vulnerable, and not just to cyberattacks. In Quebec, one public figure’s medical file was accessed more than ten times in the last three years, even though she hadn’t set foot in the health facility for more than a decade. Unfortunately, this is not an isolated case. The mother of a teenager who took his own life in November 2020 was horrified to discover that 11 people had accessed her son’s medical file in the three years since his death.

In France, nine out of ten doctors say they use digital technology to share medical information with patients or colleagues. The shift to digital technology, accelerated by the Covid-19 pandemic, poses a number of challenges for personal data protection.

The incidents mentioned above highlight the main issues surrounding access to your data, personal data security and trust in the digital age. Although protecting this data is regulated by the GDPR in Europe and Bill 25 in Quebec, the architecture that is inherent to the digital world means that we lose control over most of our sensitive data. And with loss of control comes loss of trust.

This shortcoming is in part down to the lack of a true digital identity, as highlighted in a recent white paper on digital identity published by the Digital Identity Lab of Canada.

The triangle of trust

Discretion and confidentiality are the hallmarks of a face-to-face consultation with your doctor. There is no intermediary between patient and healthcare professional. Trust is established by identifying the patient on arrival. The patient produces a form of physical ID, which is validated at source to confirm its authenticity and verify that it has been issued to the right individual.

This “triangle of trust” is essential to ensure reliable interaction. Let’s take the example of creating a medical record for a new patient to illustrate the three essential roles in establishing this bond of trust. The triangle includes:

1. A trusted identity issuer (such as Assurance Maladie in France or Régie de l’Assurance Maladie in Quebec), which creates and issues health insurance cards, such as the Carte Vitale.
2. The holder (the individual), who holds this ID card and keeps it in their digital wallet.
3. A verifier (the hospital), which requests proof of identity when the patient arrives for treatment, and verifies the validity of this proof with the issuer.

After successful verification, the patient can be treated. This interaction is then recorded in the patient’s digital file. From this point onwards, the patient loses full control of their medical file and sensitive data. No notification is sent if the file is accessed without the patient’s authorization or explicit consent to any updates made. What’s more, the information is stored on centralized servers that are vulnerable to hacking.

Regaining data sovereignty through digital identity

The fundamental principle of digital identity is that users own their sensitive data (known as verifiable data) and only share it with specific organizations when necessary. Users access a mobile application – their “citizen’s digital wallet” – to carry out this transaction.

This digital wallet, much like its physical counterpart, contains data in the form of verifiable credentials, which may include digital versions of your driver’s license, diplomas or medical records. The advantage of digital identity lies in the tamper-proof verification process triggered when an organization requests access to the data contained in the digital wallet.

Let’s take the example of accessing a medical file. Digital identity technologies would provide a way of requesting a digital health insurance card from the issuer (from Assurance Maladie in France, for example). The card would then be encrypted and stored in the holder’s digital wallet.

To access this medical file, a doctor must first verify the authenticity of the digital identity via a decentralized verifiable data registry (a blockchain). This registry ensures that a credential (health insurance card) has been issued to the patient by a trusted issuer and that the issuer has not revoked this credential. It is only after this validation, and with the patient’s consent, that the doctor can access the medical file. The decentralized registry means that the verifier no longer needs to be in contact or “connected” with the issuer to validate the authenticity of the credential presented to them.

Trust architecture

How is a digital wallet different from Google Wallet or Apple Pay? The latter store sensitive data on a cloud-based infrastructure managed respectively by Google and Apple. These organizations have access to everything their users are doing at all times.

By contrast, the citizen’s digital wallet is located on the individual’s mobile device. This means that only that individual has access to their activity history and the data stored in the software, unless they consent to it being shared. Digital wallets are built using open standards and protocols and can therefore achieve a high degree of interoperability. This allows users to manage and share their identity flexibly and securely across a diverse ecosystem, regardless of the technology providers use.

Back to the future

This decentralized model lets users move confidently through the digital world, sharing their personal data selectively, securely, and confidentially. Although this technology is already available, adopting it is crucial to revolutionizing the way we manage and share information in the digital age. It transcends technology itself, addressing issues of privacy, security, transparency, and access to information.

Canada is keeping a close eye on European initiatives concerning digital identity standards and projects. At the provincial level, British Columbia has successfully implemented a digital identity program for its residents. Other provinces, including Ontario, Nova Scotia and Alberta, are following suit. Quebec has begun its digital transformation, as seen with its ClicSéqur and Clic Santé initiatives, designed to optimize digital public services for Quebecers.