States across the US are grappling right now with how to securely implement new cannabis patient registries amidst increasing data breaches and patient privacy concerns. Addressing those privacy concerns and HIPAA compliance is only the beginning.
The task of preserving privacy for any records platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in some forgotten codebase. This past year taught us many lessons, especially related to the trauma unleashed by vulnerabilities in government domains. We learned time and again that a registrant’s privacy must be the first order of business for the architects of registries.
But the first order of business isn’t the last order of business. That intention and effort to secure privacy must then be communicated and reinforced through real-world reality checks.
Lapses in data security and rising distrust for government institutions block the efficacy of well-intentioned and vital registries. Those states launching new registries in 2021 are at a precarious crossroads as public trust erodes.
As I write this, we’ve just learned illicit operators hacked a third-party service provider for the Washington State Auditor’s office. The attack compromised the personal data of 1.4 million users seeking unemployment benefits. Security hacks are a cautionary tale, whose impact is felt too often.
But many in the government sector are staring at a once-in-a-generation challenge to launch new registries – those related to cannabis – with privacy top-of-mind from the initial Request For Bid.
“The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done.”
Table Stakes for New Cannabis Registries
These suggestions are just the beginning, and I see them as the minimum buy-in to begin the architecture of a new cannabis registry. They include:
- End-to-end data encryption, both while the data is in transit and while it is at rest within the system.
- A cloud-native web application, managed as a service, for maximum uptime and a strong security posture.
- Registries should also leverage algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is saved within the system.
The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect Personal Health Information (PHI). Debate exists on whether compliance is a requirement for all entities transacting in the medicinal cannabis space. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for the optics, but for the known benefit to users’ privacy and confidence. New cannabis registries should commit to HIPAA compliance to set a trusted new privacy standard for medical patient credentials and legal authorization for the use of cannabis for medical purposes.
Published: March 10, 2021
Founder & Interim Editor of L.A. Cannabis News