Decentralizing Medical Data with Nostr and FHIR: A developer’s deep dive

Data has become a critical component of modern healthcare. The availability of patient data is crucial to providing quality care, managing patient privacy and safety, and promoting patient engagement. Yet, the accessibility of medical data across the healthcare system is hampered by data silos, ownership, and lack of interoperability between healthcare systems.

Patient-centric healthcare also means revolutionizing how patient data is collected, stored and shared. A promising solution that PathCheck Foundation is exploring is Nosh: Nostr for Health. Using Nostr’s open protocol for social networking and messaging through the use of relays, Nosh is aimed at decentralizing medical data to empower individuals with ownership and control over their health records. This blog post will explore how Nosh can leverage Fast Healthcare Interoperability Resources (FHIR) and advanced encryption techniques to revolutionize how medical data is stored, shared, and accessed.

FHIR and Medical Information:

FHIR provides a standardized framework for exchanging medical information and has quickly become one of the most popular protocols for joining disparate systems to enhance interoperability and health information exchange. FHIR represents various categories of health information as resources, such as patient records, medications, and insurance claims. FHIR takes each category and creates a special "package" for them called a FHIR Resource. These resources contain all the important details and relationships within each category of information, making it easier for different systems to understand and share data accurately.

For example, a patient's FHIR record is a JSON-based resource containing essential details like the patient's name, active status, and other relevant information. Similarly, immunization records are also represented as FHIR Resources, including information such as vaccination codes, dates, and providers.

Decentralizing Medical Data with Nosh through Nostr:

Nostr takes the concept of decentralized social networks and data storage to the realm of healthcare. It introduces a novel approach to encrypting and sharing medical information securely while giving patients and authorized users control over their data. Using Nostr, Nosh achieves this through the use of parameterized replaceable events defined by NIP-33.

In Nostr, messages are encrypted and stored within object types called events. Each event object has a kind, which denotes what type of event it is and what actions might be available to an application. Nosh can use the encryption process for events to ensure that medical data is encrypted and stored securely. PathCheck/Nosh has proposed the use of kind:32225 to carry encrypted medical information and kind:32226 to allow users to declare consent to access those resources. Each kind:32225 event represents an individual FHIR Resource, where the encrypted content is placed in the .content field. This content is a base64-encoded, AES-256-CBC encrypted JSON serialization of the FHIR Resource using a unique 64-byte secret.

The .content field of the event ensures that only authorized individuals with access to the secret can decrypt and view the medical information. The event also contains tags that specify the resource ID, author, subject (patient), and other relevant parties. Secrets are encrypted using the public keys of the authorized entities involved in the sharing process.

Nosh introduces another event kind, kind:32226, called Secret-Sharing events, which enables authorized users to share their encrypted medical information with others. These events contain the secret that was used to encrypt the medical information, encrypted using each receiver's public key, allowing them to decrypt the associated health information. Tags within the event specify the resource and the receiver's information. Each resource can be encrypted with a different secret, allowing full granularity when sharing information with others.

By leveraging these secure sharing events, individuals can selectively provide access to their medical records to healthcare providers, family members, or other authorized parties. The decentralized nature of Nostr empowers Nosh to ensure that individuals maintain control over their data while allowing seamless and secure information sharing.

Nosh places utmost importance on the security and privacy of medical data. Relays, the intermediaries responsible for transmitting events in Nostr, cannot access private keys and cannot view the content of encrypted events. Client applications are designed to prevent users from accessing or copying secrets, ensuring that sensitive information remains protected.

Editability and Secrets Management:

With Nosh, the author of a kind:32225 event can modify both the resource content and the secret used for encryption. This provides flexibility in managing medical data while maintaining control over access. In case of a compromised secret, the data owner can individually reset access, ensuring the security of their information. Compliance with jurisdictional regulations, including periodic secret rotation, can be facilitated using Nostr's architecture.

Nostr's innovative approach to a decentralized social network holds tremendous potential for revolutionizing the healthcare industry. By leveraging FHIR Resources, advanced encryption techniques, and secure sharing events, Nosh can equip individuals with ownership and control over their health records and the ability to share encrypted information selectively. With Nosh, the future of healthcare data management looks promising, putting patients at the forefront of their own health journey.