The task of preserving privacy for any records platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in some forgotten codebase. This past year taught us many lessons, especially related to the trauma unleashed by vulnerabilities in government domains. We learned time and again that a registrant’s privacy must be the first order of business for the architects of registries.
But the first order of business isn’t the last order of business. That intention and effort to secure privacy must then be communicated and reinforced through real-world reality checks.
Lapses in data security and rising distrust for government institutions block the efficacy of well-intentioned and vital registries. Those states launching new registries in 2021 are at a precarious crossroads as public trust erodes.
As I write this, we’ve just learned illicit operators hacked a third-party service provider for the Washington State Auditor’s office. The attack compromised the personal data of 1.4 million users seeking unemployment benefits. Security hacks are a cautionary tale, whose impact is felt too often.
But many in the government sector are staring at a once-in-a-generation challenge to launch new registries – those related to cannabis – with privacy top-of-mind from the initial Request For Bid.“The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done.”
Here’s how:
Table Stakes for New Cannabis Registries
These suggestions are just the beginning, and I see them as the minimum buy-in to begin the architecture of a new cannabis registry. They include:
- End-to-end data encryption while in transit and within the system while the data is at rest.
- A solution that is a cloud-native web application which is managed as a service for maximum uptime and strong security posture.
- Registries should also leverage algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is saved within the system.
Beyond HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect Personal Health Information (PHI). Debate exists on whether compliance is a requirement for all entities transacting in the medicinal cannabis space. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for the optics, but the known benefit to users’ privacy and confidence. New cannabis registries should commit to HIPAA-compliance to set a trusted new privacy standard for medical patient credentials and legal authorization for the use of cannabis for medical purposes.
That’s just the start. Registries should also ensure SOC2 Type II certification, which safeguards security, site availability, confidentiality and privacy through independent third-party auditors.
Connect with Confidence
Registries function as a hub of information in an often-confusing cannabis space. The California Bureau of Cannabis Control displays more than 25 links wired into its top navigation bar alone. Each link sends the curious to new resources. Registries must establish themselves as credible resources, especially when directing users to third-party sites.
One example is for cannabis registries to provide secure access to healthcare professionals who are verified by the Drug Enforcement Agency (DEA). These healthcare professionals are licensed to distribute controlled substances including cannabis. Each third-party link should offer the same high-level of scrutiny to enshrine confidence and credibility in the registry.
Next-Generation ID Cards
A cannabis registry card should not just be a document, but a toolset that attests to the identity and the authority of the carrier represented. An illicit counterfeiting market seeks to exploit registry card vulnerabilities. Next generation ID cards present the best defense against counterfeiting and illegal use with robust security measures. That starts with assuring that any credential is mobile ID compatible with iOS Wallet and GooglePay for mobile identification.
ID cards should also include:
The automated modification of the document bearer’s photograph to ICAO (International Civil Aviation Organization) standards. This critical modification makes the photograph easier to use for ID verification; it also facilitates the detection of photograph substitution.
A two-dimensional barcode compiles information contained in a one-dimensional barcode. It also delivers confirmation of other data shown on the card or in the system such as license authorization and limitations. Adding additional material to the physical document such as holograms, UV image, micro-printing or laser perforations offers another level of protection against illicit use or counterfeiting.
While cannabis registries are the beginning, they’re not the end. Driving efficacy for government registries needed for COVID19 track-and-tracing, cannabis plant track-and-tracing and vaccine distribution require the same attention to privacy, security and ultimate useability. A sea change is required – not just for the sake of those who use the registries but also for those who must implement, deploy and maintain those registries. The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done. I believe the government sector leaders exploring new cannabis registries offer the wisdom and foresight to choose the proactive approach.