**5. Limitations and alternatives**

There are a few limitations of the BET-LPHR design. Some are inherited from EHR and PHR; others come from blockchain technology itself.

### **5.1 When the BET-LPHR owner loses the secret private key**

From authentication to authorization, the owner's secret private key is essential: it acts as a passport that unlocks the patient's BET-LPHR and allows it to be administered securely. Losing the secret private key therefore presents a barrier, a problem inherited from blockchain technology itself.

We propose a separate blockchain-enabled SecureKey recovery process with a secure login portal using the "BeNGAC and RBAC Separation of Duty (SoD) capability" [3]. Access to this portal requires strong multi-factor authentication (MFA) with Fast Identity Online (FIDO) 2.0 biometrics [28]. The patient secret key pair is generated by the key administrator and delivered to the owner in a secure manner. At the same time, a recovery key pair is also generated and sent to the owner. The key administrator and the owner possess the recovery public key, but only the owner has the BET-LPHR patient secret key pair and recovery private key. The key roles and permissions are described in **Table 3**.

At the BET-LPHR patient key pair generation time, a copy of the secret private key (*SecPrivKey*) is encrypted with the recovery public key (*RecPubKey*). The encrypted secure private key (*SecPrivKey*⨀*RecPubKey*) and recovery private key (*RecPrivKey*) are stored in a *Blockchain-Enabled SecureKey* database with read-only permission.
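
The wrap-and-recover step described above, as an added example in Go that is not part of the paper or of any BET-LPHR implementation: a copy of the patient private key is encrypted to the recovery public key, then restored with the recovery private key. The function names, Ed25519 for the patient key and RSA-2048 with OAEP for the recovery key are assumptions, since the paper names no algorithms. Direct OAEP only fits small keys, so larger key material would need a hybrid envelope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// GenerateKeys plays the key administrator (Ed25519 and RSA-2048 are assumptions).
func GenerateKeys() (ed25519.PrivateKey, *rsa.PrivateKey, error) {
	_, sec, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rec, err := rsa.GenerateKey(rand.Reader, 2048)
	return sec, rec, err
}

// Wrap builds SecPrivKey⨀RecPubKey with RSA-OAEP; input too large for the modulus is an error.
func Wrap(sec ed25519.PrivateKey, recPub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(sec)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recPub, der, nil)
}

// Recover needs RecPrivKey; a wrong key or a modified blob fails OAEP decoding with an error.
func Recover(blob []byte, recPriv *rsa.PrivateKey) (ed25519.PrivateKey, error) {
	der, err := rsa.DecryptOAEP(sha256.New(), nil, recPriv, blob, nil)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if sec, ok := key.(ed25519.PrivateKey); ok {
		return sec, nil
	}
	return nil, fmt.Errorf("escrow: blob is not an Ed25519 PKCS#8 key (parse error: %v)", err)
}

func main() {
	if sec, rec, err := GenerateKeys(); err == nil {
		blob, _ := Wrap(sec, &rec.PublicKey)
		got, err := Recover(blob, rec)
		fmt.Println(len(blob), err, got.Equal(sec))
	}
}
```

The stored blob is useless without *RecPrivKey*, so the protection of the recovery private key decides whether recovery is safe.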


**Table 3.**

*Roles of key administrator and BET-LPHR patient/owner.*
