Reproductive Health Data: Open Standard Offers Access Control, Revocation, and Other Features


A team of female coders caught the eye at DEF CON on June 26 with a secure reproductive health tracking app (Figure 1) that allows a menstruating person to securely exchange data with healthcare staff. Their core technology was OpenTDF, a free software library that advances a crucial goal in healthcare: patient control over their own data, in tandem with the ability to share data with their doctors and others. through access policies and encryption.

Figure 1: The SecureCycle user interface.

The need for patient control and privacy has become more relevant than ever with the United States Supreme Court’s decision to overturn Roe v Wade. The public was stunned to learn that a Nebraska prosecutor had gained access to private Facebook posts through a warrant to prosecute a teenage girl for abortion.

This article is not about the politics or morality around abortion; it is about the current state of healthcare privacy and the individual’s right to control their data. The reproductive health app itself, SecureCycle, is not yet ready to use. It was created during a recent hackathon organized by Virtru to promote OpenTDF, which they created and released under an open source BSD license.

Few healthcare apps really protect privacy. The Mozilla Foundation, which has rigorously upheld online privacy for years, rates apps related to reproductive health for privacy. They reveal a great divergence in the protection of privacy. A recent email from the Foundation stated, “18 of 20 reproductive health apps we reviewed got our *Privacy Not Include warning label.” The risks can be subtle: for example, although Apple Watch is quite reliable on its own, loopholes can open every time you try to transfer your data to another service.

In short, the clash of the Roe v Wade reversal highlights what privacy advocates and health informatics activists have been saying for at least fifteen years: patients must control their own health data and protect them against unwanted broadcasts.

This article is based on an interview with two Virtru executives: Dana Morris, senior vice president of Product & Engineering, and Cassandra Bailey, senior technical product manager and leader of the team that developed SecureCycle.

What is special about OpenTDF?

There are many standards for the secure exchange of data. Unsurprisingly, many popular systems, including OpenID Connect (OIDC) authentication and Keycloak identity management, are integrated with OpenTDF. OpenTDF’s specialty is granular control over who can see data and when, a feature often known as role-based access control (RBAC) in the field of security, and called Strategies in OpenTDF.

TDF stands for “trusted data format”. Morris says, “TDF allows policy to be cryptographically tied to data so that policy goes wherever the data goes. This in turn allows the owner to exercise control over the data regardless of its location or physical possession.

With OpenTDF, you can share your banking information with a mortgage company just long enough for them to complete the mortgage transaction and then remove access. In healthcare, you can mark a certain type of data – assuming you have a health record that segments the data – to be available to a certain doctor, or to everyone in a certain hospital, for the duration of your treatment.

You can also delegate trust, such as granting a doctor the right to show data to other people the doctor thinks they need to see. Finally, an audit trail tells you who viewed the data, and when. A physician who uses the data you provide after you revoke access would be identified in the audit trail and subject to disciplinary action.

In theory, clinicians could copy your data and continue to use it after you revoke access to your personal copy. But that would be a breach of the contract you form when granting access, and would also be fragile if used for law enforcement and legal purposes, as the clinician could not prove that it is correct.

An entertaining and in-depth article describes the origins of OpenTDF in a National Security Agency (NSQ) project.

SecureCycle Reproductive Health App Details

SecureCycle was completed in two or three days at a Virtru hackathon and won first prize there. As a demo, the app is simple and modest in scope. The user logs in and enters the dates of her menstrual cycles as well as the symptoms she is experiencing. The application stores data in a relational database.

SecureCycle was developed with the React Native framework, creating apps that work on both iOS and Android. The SecureCycle source code will soon be released under an open source license.

The app is inconvenient at this point because it stores the data on a server, but no one has configured a server for the data yet. But anyone could do it and start offering the service.

Shannah Koss, consumer health information technology consultant and advocate, told me, based on my information, that SecureCycle was headed in the right direction. She says many consumer apps prioritize functionality and revenue over helping individuals easily and securely aggregate, store and control their health information. If apps incorporate the work of SecureCycle, they could offer improved security and control. Koss also stressed the importance of granular control over what is shared from user data.

Control and Consent

Koss pointed me to a November 2021 survey titled Modernizing Consent to Advance Health and Equity. The main issues identified were “identity verification and management; privacy protection; and a progression from absolute opt-in/opt-out choices to greater granularity in selecting what data can be shared, with whom, and under what circumstances. (Page 9 of the survey.)

Page 15 gives a thumbs up to the importance of a patient owning their own data. Putting data under their control and providing enforceable policies for data sharing, as OpenTDF does, simplifies many of the concerns about consent. After all, the patient sets the rules for sharing and use from the start.

And yet, all the questions raised in the survey are still topical. For example, data should not be shared until the sharer has verified the identity of the person requesting the data.

And questions will always arise about whether the patient understands what they are consenting to or whether the data can be used for legitimate research purposes that were not intended when the data was collected. These questions were discussed in The Immortal Life of Henrietta Lacks by Rebecca Skloot.

While no principle may seem more intuitive and fair than the jurisdiction a person should have over their own personal data – especially data as sensitive as data about their body and health – powerful forces prevent the principle from become reality. Hospitals, clinics, payers and health informatics providers all want to capture and store patient data for a variety of reasons. Technologies that help return control to the patient are significant achievements.


Comments are closed.