Page 225 - Big Data Analytics for Intelligent Healthcare Management
218 CHAPTER 8 BLOCKCHAIN IN HEALTHCARE: CHALLENGES AND SOLUTIONS
electricity consumption by network equipment [75]. The scalability problem for healthcare big data must
be addressed seriously before blockchain can see wide adoption in this domain.
Privacy and regulations: Blockchain offers strong protection for the integrity of its content. Its cryptographic,
decentralized, independent, and immutable architecture ensures a very high level of security for the data it
holds. Healthcare big data, however, consists of sensitive information of the patient, by the patient, and for the
patient, so keeping a copy of that data in every node can itself be a risk. The most critical issue with
blockchain technology as currently practiced is that PII and EHRs are stored forever. Several countries and
standards organizations do not permit this practice. We discuss the General Data Protection Regulation (GDPR)
and its relationship to blockchain as an example.
8.5.1 GDPR VERSUS BLOCKCHAIN
8.5.1.1 Problem statement and key factors of GDPR
The focus of the recently enacted GDPR is to protect an individual's information, so organizations must
pay particular attention both to the individual's consent and to data sharing. Consent must be obtained
before any private data is processed, and the organization is also accountable for ensuring that this data
can be withdrawn or deleted (i.e., "the right to be forgotten"). Blockchain is built on the "immutability"
of its data; GDPR, on the contrary, demands that all personal data or PII be mutable or erasable by the
organization according to the user's wishes. GDPR states (Article 17, Section 2 of GDPR) "the obligation
to erase personal data without undue delay," and it likewise establishes "the right to be forgotten." At
present, blockchain data storage follows the CRAB principle (Create, Retrieve, Append, Burn). The
interesting part is the last step, burn, which means throwing away the encryption key needed to access the
data held on the blockchain. GDPR, however, does not accept this as "erasure of data."
Key GDPR changes are:
• Territorial scope of personal data. Every kind of personal data should be gathered, stored, and
processed within the territorial boundary of the European Union.
• Fines under GDPR can reach 4% of the company profit or 20 million Euro.
• Consent must be taken from the user for any kind of personal data collection. Consent should be
understandable and simple.
• Three rights are ensured: right to access, right to be forgotten, right to breach notification.
Possible solutions: We list a few possible solutions below:
1. Do not store personal information on the blockchain.
2. Record personal information pseudo-anonymously.
3. Store information in the referenced local encrypted database.
8.5.1.2 Solutions
Above all, the blockchain must comply with GDPR in order to work in the EU and with EU citizens.
Several studies are proposing a modified blockchain architecture in order to satisfy GDPR.
Humbeeck [76] proposed an off-chain blockchain architecture that complies with GDPR. That study
proposes a two-layer data storage mechanism. In the local database, database 1 and database 2
(Fig. 8.16) store every kind of GDPR-sensitive data off-chain. With the help of an associated
application, the system stores only the link to the data and a hash of the data on the blockchain
(on-chain). Data can be deleted from the local database at any time; once it is gone, the hash that
remains on-chain is of no use on its own.
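The following is an added example, not code from the chapter or from Humbeeck's study, showing the two-layer pattern described above together with the "burn" step of the CRAB principle from Section 8.5.1.1: the patient record lives only in an off-chain store, the chain holds just a record reference and a commitment to the data, and erasure removes the off-chain record and its key. One design choice is an assumption of this example rather than something the chapter specifies: the on-chain value is a keyed hash (HMAC) rather than a plain hash, because a plain hash of a small, structured patient record can be matched by guessing candidate records, whereas without the (burned) key the HMAC cannot. All class and function names and the in-memory chain are constructed for illustration.

```python
"""Two-layer (off-chain / on-chain) storage with GDPR-style erasure.

Added example: names, the in-memory chain and the sample record are
constructed for illustration and are not from the chapter.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # holds only non-personal data: record_id + commitment
    hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps(
            {"index": self.index, "prev": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(body).hexdigest()


class Chain:
    """Append-only ledger: there is deliberately no delete operation."""

    def __init__(self):
        genesis = Block(0, "0" * 64, {"note": "genesis"})
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1]
        blk = Block(len(self.blocks), prev.hash, payload)
        blk.hash = blk.compute_hash()
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        """Check every block's hash and its link to the previous block."""
        for i in range(1, len(self.blocks)):
            b = self.blocks[i]
            if b.hash != b.compute_hash() or b.prev_hash != self.blocks[i - 1].hash:
                return False
        return True


class OffChainStore:
    """Local (off-chain) database holding the actual PII/EHR content and a
    per-record secret key used for the on-chain commitment (assumed design)."""

    def __init__(self):
        self.records = {}  # record_id -> serialized record bytes
        self.keys = {}     # record_id -> HMAC key

    def put(self, record: dict):
        record_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        data = json.dumps(record, sort_keys=True).encode()
        self.records[record_id] = data
        self.keys[record_id] = key
        commitment = hmac.new(key, data, hashlib.sha256).hexdigest()
        return record_id, commitment

    def get(self, record_id):
        data = self.records.get(record_id)
        return json.loads(data) if data is not None else None

    def erase(self, record_id):
        """Right to be forgotten: drop the record and burn its key."""
        self.records.pop(record_id, None)
        self.keys.pop(record_id, None)


def store_patient_record(chain: Chain, store: OffChainStore, record: dict) -> str:
    """Write the record off-chain; put only its id and commitment on-chain."""
    record_id, commitment = store.put(record)
    chain.append({"record_id": record_id, "commitment": commitment})
    return record_id


def verify_record(chain: Chain, store: OffChainStore, record_id: str) -> bool:
    """Recompute the keyed hash of the off-chain record and compare it with the
    on-chain commitment. Fails (returns False) once the record has been erased."""
    data = store.records.get(record_id)
    key = store.keys.get(record_id)
    if data is None or key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    for blk in chain.blocks[1:]:
        if blk.payload.get("record_id") == record_id:
            return hmac.compare_digest(blk.payload["commitment"], expected)
    return False


def on_chain_mentions(chain: Chain, needle: str) -> bool:
    """True if any on-chain payload contains the given plaintext string."""
    return any(needle in json.dumps(b.payload) for b in chain.blocks)


if __name__ == "__main__":
    chain, store = Chain(), OffChainStore()
    rid = store_patient_record(chain, store, {"name": "Constructed Patient", "diagnosis": "sample"})
    print("verified before erasure:", verify_record(chain, store, rid))
    store.erase(rid)
    print("verified after erasure:", verify_record(chain, store, rid))
    print("chain still consistent:", chain.verify(), "blocks:", len(chain.blocks))
```

After `erase`, the chain is unchanged and still verifies, which is the point of the design: the immutable layer never held the personal data, so nothing on it needs to be rewritten to honour an erasure request, and the stranded commitment cannot be checked against any candidate record because its key no longer exists.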