The task of maintaining privacy for any registry platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in a forgotten code base. The past year has taught us many lessons, particularly regarding the harm caused by weaknesses in government systems. We have learned time and again that registrant privacy must be the first task for registry architects.
But the first rules of procedure are not the last. That privacy intent and effort must then be communicated and reinforced through real-world checks.
Gaps in data security and increasing distrust of government institutions undermine the effectiveness of well-intentioned and important registries. The states opening new registries in 2021 are at a precarious crossroads as public confidence deteriorates.
As I write this, we have just learned that illegal operators hacked a third-party vendor for the Washington State Auditor’s office. The attack compromised the personal information of 1.4 million users who applied for unemployment benefits. Security hacks are a cautionary tale whose effects are felt all too often.
However, many government officials are faced with the unique challenge of opening new registries – those related to cannabis – with privacy being paramount from the first request for quotation.
Table stakes for new cannabis registries
These suggestions are just the beginning, and I see them as the minimum buy-in for architecting a new cannabis registry. They include:
- End-to-end data encryption in transit and within the system while the data is at rest.
- A solution that is a cloud-native web application managed as a service for maximum availability and a strong security posture.
- Algorithms and machine learning that ensure accurate data entry by analyzing data for incorrect or duplicate entries before it is stored in the system.
The Health Insurance Portability and Accountability Act (HIPAA) mandates privacy and security measures to protect Personal Health Information (PHI). There is a debate about whether regulatory compliance is required for all companies operating in the medical cannabis field. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for looks, but also for the well-known benefit for user privacy and trust. New cannabis registries should commit to HIPAA compliance to establish a trusted new data protection standard for medical patient identification cards and legal approval for the use of cannabis for medical purposes.
That’s just the beginning. Registries should also obtain SOC 2 Type II certification, in which independent external auditors verify security, website availability, confidentiality and data protection.
Connect with confidence
Registries act as an information hub in an often confusing cannabis space. The California Bureau of Cannabis Control shows more than 25 links in its top navigation bar alone. Each link sends the curious to new resources. Registries need to establish themselves as credible resources, especially when directing users to third-party websites.
One example is cannabis registries providing safe access for health professionals who have been reviewed by the Drug Enforcement Agency (DEA). These health professionals are authorized to distribute controlled substances including cannabis. Any third-party link should provide the same level of control to instill trust and credibility in the registry.
Next generation ID cards
A cannabis registration card should not be just a document, but a toolset that confirms the identity and authority of the bearer it represents. An illegal counterfeit market seeks to exploit vulnerabilities in registration cards. Next-generation ID cards with robust security measures offer the best defense against counterfeiting and illegal use. This starts with making sure that all mobile identification credentials are compatible with iOS Wallet and Google Pay.
ID cards should also contain:
- Automated adjustment of the cardholder's photo to the standards of the ICAO (International Civil Aviation Organization). This critical change makes it easier to use the photo for ID verification. It also makes it easier to detect photo substitutions.
- A two-dimensional barcode that captures the information contained in a one-dimensional barcode. It also provides confirmation of other data displayed on the card or in the system, such as license authorization and restrictions.
- Additional material on the physical document, such as holograms, UV images, micro-printing or laser perforations, which offers further protection against illegal use or forgery.
While cannabis registries are the beginning, they’re not the end. To increase the effectiveness of the government registries required for tracking COVID-19, tracking cannabis plants and distributing vaccines, privacy, safety and ultimate usability need to be considered equally. A fundamental change is needed – not only for those who use the registries, but also for those who implement, deploy, and maintain them. The question is not when these privacy registers will be implemented, but whether they will be implemented proactively before hacks or after the damage. I believe that the leaders investigating new cannabis registries have the wisdom and foresight to take the proactive approach.