Digital health data is changing the health, medical and financial industries. Digital health is one of the most important and hottest topics in healthcare. And yet, it’s not a new theme: Richard Feynman wrote his paper on it in 1960, with the introduction to his book, “What Do You Care What Other People Think?”. In the early ’90s, the term was much more commonly associated with cell phones than today. I remember thinking that digital health raised a lot of questions and challenges we didn’t have to confront back then.
We all know that technology is good at solving problems, but there are many challenges when you look at how technology can be used. For example:
- Making sure your alarm system works correctly
- Integrating multiple technologies into your business
- Enforcing compliance with regulations
- Ensuring data security
We also know that technology can help society by enabling more things like:
- Cultivating innovation in medicine
- Improving agriculture and food production
- Improving air quality through sensors and pollution tracking systems (which can be used by local governments)
So while it’s great to have better tools (like self-driving cars), this isn’t a threat or an inevitable development: it’s something you need to plan for because it will be there even when you don’t have them (or because you do but not well enough). And now that we’re starting to see some signs of progress around digital health, I think this is an important time for us to start thinking about how we can help make digital health work as well as possible for everyone involved. As always in healthcare, nobody wins if everyone loses: risk mitigation is crucial if you want improvements from technology (for your patients) without compromising privacy or security (for citizens), so along with transparency measures, decisions around data policy will affect everyone who uses these technologies.
The Problem Digital Health Creates in Regulatory Regimes
The pandemic is a reminder that digital health data are in most cases not safe to share. Electronic health records (EHRs) contain personal information about patients, and even where the EHR is kept in an encrypted format, it can still be easily compromised. One of the problems with EHRs is that patient consent and privacy are often not well-defined, making it difficult for providers to adequately protect patients’ information.
The problem has been exacerbated by the regulatory framework itself, which continues to evolve and change. The U.S. Safe Harbor framework was intended to protect U.S.-based companies from litigation by providing a way for them to retain customer privacy and security while complying with the obligations imposed by European regulators. In practice this meant that many U.K.-based companies were able to sell their services across Europe without having to provide adequate data protection or data security safeguards, but this was not sustainable going forward as European regulators demanded more stringent compliance measures in exchange for continued access to the European market (especially given the changing nature of business regulations).
This is an important story because it tells us something about how regulators work and how different regulatory regimes work together. The EU Court of Justice has ruled that if you want access to the single market you have to conform with the standards set by your own country’s legislature; and if you want access from other countries you have to follow those standards there too; so you need both external legal requirements on data protection and internal regulatory requirements on data security (and several other factors).
It is also worth noting that there are several different ways each individual regulator could interpret these rules: one might only enforce external legal requirements; another might only enforce internal regulatory requirements; or they might try both at once, depending on what they feel will get them the most return on their investment in regulation enforcement relative to other things they do (such as enforcing company culture).
This makes it incredibly hard for smaller companies trying to do business across borders, especially if they don’t have a deep understanding of what an “adequate level” of security or privacy protection means, because they can be fined when one regulator doesn’t believe their system is good enough while another thinks it is too good, which means they can never be sure which standard applies where or which regulations apply where when they’re trying a new service or product (and this situation will likely get worse as our current “lawful intercept” regimes begin transitioning out of service).
The Development of Innovative Solutions to Digital Health Governance Challenges
Google’s announcement that they are partnering with the World Health Organization (WHO) to “pilot” a digital health data collection system to improve patient care is an exciting development.
The partnership builds upon Google’s commitment to the ‘cloud as a platform’ by offering the data management and analysis systems that are needed for developing an effective and responsive digital health ecosystem.
The WHO has recently published ‘A Blueprint for Data Protection in Health Care,’ which focuses on improving access to data while protecting individuals’ privacy rights. While this is welcome news, it is also important to remember that there are many other challenges facing digital health governance, including:
- Human error: following people into the hospital can lead to a high-profile case of errors, but where can you catch errors before they occur? Are there areas where your doctors and nurses must be trained not to do things that could result in patient harm?
- Data ownership: who should have access to your personal information? Where will you store your data? Who will create it?
- Data mapping: how will you transfer information between different platforms, such as between hospitals and insurance companies? How will you ensure interoperability across devices or platforms?
- Data breaches: how can you protect personal information using unique identifiers, such as Social Security numbers or driver’s license numbers? How can you limit the risk of sensitive information being stolen and ultimately lost or accessed without authorization?
There is certainly scope for innovation in digital health technology. However, there are concerns about privacy and security of personal medical information. Consider these questions when considering all aspects of creating an innovative solution:
- Who owns the relevant data: WHO/UNICEF; healthcare providers/employers/insurance companies; patients; consumers; etc.? What rights do they have over their own personal data if it is used for research purposes (as opposed to commercial purposes)?
- What types of privacy protections would be appropriate for each type of owner? What level of protection from unauthorized use would be appropriate for those responsible for collecting, storing and transmitting personal data (e.g., insurance companies)? What type(s) of liability protection would be appropriate for those who authorized their use by others (e.g., employers)?
- How will your solution reconcile all these issues together so it effectively addresses all stakeholders’ needs? Do you need different rules across different sectors that conflict with one another (e.g., hospitals vs insurers vs consumers vs employers)?
Digital health data challenges and opportunities
Digital health is a rapidly growing industry, with a volume of data about individuals and health that is expected to double in the next few years. The potential for abuse and misuse of this data has been raised as a concern, but also an opportunity, with the potential to positively transform our public health infrastructure.
The most recent wave of cyber-attacks on companies and individuals using personal information was not only a disruption to communications: it was also an attack on our collective trust in the digital world. Governments have taken steps to protect their citizens from such threats (for instance, by requiring companies to encrypt sensitive data), but we need to do more.
So what can we do with digital health data security?
- We need good guidance for doctors and other health care providers when deciding whether or not to use technology for virtually anything, including diagnosis and treatment.
- We need better guidance for government agencies when deciding how privacy rights apply in digital environments, which equates to both an examination of their own operations against these principles, and an examination of how they might apply them in other contexts.
- We need better guidance for manufacturers when deciding how much control they really have over their end users’ devices, which includes having real-time visibility into everything that happens on them, then having the legal authority to take action if it becomes necessary (or just notifying users if it doesn’t).
- We need better guidance for consumers when choosing between various forms of digital insurance, technological and otherwise. And finally, we should look seriously at the implications of birth control technologies (such as IUDs) for sexual behavior – because where there is less choice it creates less privacy protection, especially if you are paying a premium price for it!