Maintaining the privacy of a billing platform, particularly the cannabis registry, cannot simply be left to hidden ones and zeros in a forgotten codebase. The past year has taught us much, including the trauma caused by vulnerabilities in government circles. We have learned time and again that registrant privacy should be the first concern of registry architects.
But the first order is not the last. This intention and concern for privacy must then be communicated and supported by a reality check.
Gaps in data security and a growing distrust of public authorities hamper the effectiveness of important and well-intentioned registries. States that implemented new registries in 2021 are at a dangerous crossroads as public confidence crumbles.
As I write this, we have just learned that illegal operators have broken into a third-party vendor in the Washington State Comptroller’s office. In the attack, the personal data of 1.4 million users who applied for unemployment benefits was compromised. Security breaches are a warning that is felt all too often.
But many in the public sector saw the unique challenge of launching new registries – related to cannabis – with privacy at the forefront of initial bids. The question is not when these first privacy registries will be introduced, but whether they will be introduced before a data breach or after the damage has already been done.
Fee system for new cannabis registries
These proposals are only a start, and I see them as the minimum needed to begin the process of setting up a new cannabis registry. They include:
Full encryption of data in transit and within the system when the data is at rest.
A solution that is a cloud-based web application managed as a service to ensure maximum uptime and high security.
Registrars should also use algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is stored in the system.
The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect personal health information (PHI). Whether compliance with this requirement should be mandatory for all companies working with medicinal cannabis is a matter of debate. Some government registries are exempt from HIPAA, but others choose to comply, not only for the sake of appearances, but also because of the well-known privacy and security benefits it provides to users. New cannabis registries must commit to complying with HIPAA to create a new trust standard for the privacy of patient medical records and legal consent for the use of medical cannabis.
This is just the beginning. Registrars must also have a SOC 2 Type II certification, in which independent auditors verify the security, accessibility, privacy and confidentiality of the website.
Connection to the Trust
Registries act as information hubs in the often confusing world of cannabis. The California Cannabis Control Bureau displays more than 25 links in its top navigation bar alone. Each link sends the curious to new sources. Registries should present themselves as reliable sources, especially if they redirect users to third-party sites.
One example is cannabis registries, which provide secure access to healthcare providers and are overseen by the Drug Enforcement Administration (DEA). These health professionals are authorized to dispense controlled substances, including cannabis. Any third-party linkage should provide the same high level of control to enhance trust and credibility in the registry.
New generation of ID cards
The cannabis registration card should not be a mere document, but an instrument that confirms the identity and authority of its holder. The illegal counterfeit market tries to exploit loopholes in registration cards. New generation ID cards offer the best protection against counterfeiting and illegal use thanks to robust security measures. This starts with making sure each ID is a mobile ID compatible with iOS Wallet and Google Pay for mobile identity.
ID cards should also include:
Automatic adjustment of the holder's photograph in accordance with the standards of the ICAO (International Civil Aviation Organization). This essential change makes it easier to use a photograph to verify identity; it also makes it easier to detect photo manipulation.
A two-dimensional bar code that carries the information contained in the one-dimensional bar code. It can also be used to confirm other data displayed on the card or in the system, such as permit and license restrictions.
Additional materials on the physical document, such as holograms, UV images, microprinting or laser perforations, which provide an additional layer of protection against unauthorized use or counterfeiting.
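The bar code cross-check described above can be sketched as follows. This is an added example, not code from any registry or vendor; the `KEY=value|KEY=value` payload layout, the field names and the sample IDs are all constructed assumptions, since the article does not specify a card format.

```python
def parse_2d_payload(payload):
    """Parse the assumed 'KEY=value|KEY=value' 2D bar code payload."""
    fields = {}
    for part in payload.split("|"):
        key, sep, value = part.partition("=")
        key = key.strip().upper()
        if not sep or not key or key in fields:
            raise ValueError(f"malformed or repeated field: {part!r}")
        fields[key] = value.strip()
    return fields

def _norm(value):
    # Compare case- and whitespace-insensitively so print layout does not matter.
    return " ".join(str(value).split()).casefold()

def cross_check(barcode_1d, payload_2d, printed, registry):
    """Return a list of discrepancies; an empty list means the card is consistent."""
    try:
        coded = parse_2d_payload(payload_2d)
    except ValueError as exc:
        return [f"2D barcode unreadable: {exc}"]
    problems = []
    # The 2D code must carry the same identifier as the 1D code.
    if _norm(coded.get("ID", "")) != _norm(barcode_1d):
        problems.append("1D barcode differs from 2D barcode ID")
    # Fields printed on the card face must agree with the 2D code.
    for key, shown in printed.items():
        if _norm(coded.get(key, "")) != _norm(shown):
            problems.append(f"printed {key} differs from 2D barcode")
    # The registry record is authoritative for every field it stores.
    record = registry.get(coded.get("ID", ""))
    if record is None:
        return problems + ["ID not found in registry"]
    for key, stored in record.items():
        if _norm(coded.get(key, "")) != _norm(stored):
            problems.append(f"{key} differs from registry record")
    return problems

# Constructed sample data (hypothetical IDs, names and field layout).
REGISTRY = {"CR-000123": {"NAME": "Jane Q Sample", "EXPIRES": "2026-03-31",
                          "RESTRICT": "NO-CULTIVATION"}}
GENUINE = "ID=CR-000123|NAME=Jane Q Sample|EXPIRES=2026-03-31|RESTRICT=NO-CULTIVATION"
ALTERED = "ID=CR-000123|NAME=Jane Q Sample|EXPIRES=2029-03-31|RESTRICT=NONE"
PRINTED = {"NAME": "JANE Q  SAMPLE", "EXPIRES": "2026-03-31"}

if __name__ == "__main__":
    print(cross_check("CR-000123", GENUINE, PRINTED, REGISTRY))
    print(cross_check("CR-000123", ALTERED, PRINTED, REGISTRY))
```

A card whose 2D code has been altered fails on both the printed-field comparison and the registry comparison, so a change to only one of the three sources is still detected.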
While cannabis registries are a start, they are not an end in themselves. In order to ensure the effectiveness of the governmental registries needed for COVID-19 surveillance, cannabis plant tracing and vaccine distribution, equal attention must be paid to issues of confidentiality, security and fitness for use. This is a game changer – not only for those who use these registries, but also for those who must implement, deploy and maintain them. The question is not when these first privacy registries will be implemented, but whether they will be implemented proactively, before the breach occurs or after the damage has already been done. I think government officials investigating new cannabis registries have the wisdom and foresight to take a proactive approach.