True, there are some rather frightening bits. Like the fines for data breaches, which can be up to e20M or 4% of annual global turnover. Levels which one commentator has already called “existentially threatening” to some firms. Then there’s the cost in money and time of becoming compliant, with organisations being forced to streamline their personal data – knowing where every piece is, what it’s being used for and why, and deleting any that is no longer relevant.
The question of whether patients should have to give “explicit consent” for their healthcare data to be used for research purposes provoked fierce debate during negotiations for the EU General Data Protection regulation (GDPR). Cancer research groups lobbied that in the era of Big Data restricting access to billions of terabytes of data would hold back research. But they lost the argument to advocates of greater privacy. When GDPR comes into effect on May 25, explicit consent will be required for “data concerning health,” “genetic data” and “biometric data”.
The decision delighted some people and infuriated others. A prominent supporter was Valentina Bottarelli, the public affairs director at Eurordis, which represents patients suffering from rare diseases. Her view was that: “Patients are the owners of the data and they should be informed and asked for consent.” But there were high-profile opponents, such as Vytenis Andriukaitis, EU commissioner for health and food safety. In one emotional outburst Andriukaitis said: “Do you think someone whose child is dying from cancer cares about data privacy? Of course it’s important. But people use it as an excuse a lot when they don’t want to do something”
Professor Subhajit Basu, from Leeds University, studied the issues in depth for a book about privacy and healthcare data. Although he has a lot of sympathy for Bottarelli’s point of principle, he sides with Andriukaitis. Having studied EU healthcare systems, especially in the UK, Professor Basu concluded that the only way to resolve the funding crisis was through technological advance, which requires access to patient data.
“Treatment has to become more focused on individual needs and the analysis of Big Data allows machine learning, or AI, to help us develop more personalised medicines. GDPR will make healthcare innovation more laborious in Europe as lots of people won’t give their consent. It will also add another layer of staff to take consent, making it more expensive. We already have stricter data protection laws than the US and China, who are moving ahead in producing innovative healthcare technology. EU law is paternalistic and prescriptive and even more so after GDPR,” he said.
National health services in Europe face unprecedented financial pressures from the growing burden of chronic diseases as populations age. Professor Basu says Big Data analysis not only helps with researching treatments, but also improves operational logistics. “We cannot afford to build huge hospitals and add more and more beds. But we can use innovative AI technology to manage patients efficiently within the hospital. You can send people home quicker if you’re monitoring closely what’s going on with their particular health problem. Using Smartphone apps, doctors could become multi-taskers. They could be anywhere in the hospital but aware of what’s going on. In the future, we can imagine doctors and nurses sitting in a room with multiple screens and monitoring several patients.”
To the disappointment of Professor Basu, however, GDPR tightened controls. A UK Government white paper explained that “an active process will have to be put in place, which could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement, or conduct which clearly indicates…. the data subject’s acceptance of the proposed processing of his or her personal data”. The regulations also require companies to conduct a Privacy Impact Assessment (PIA) prior to processing the data.
A further consequence of the legislation is that healthcare research organisations will have to be more precise in knowing where data is stored, how it is being processed and whether consent has been given. Professor Basu says this could lead to a reluctance to take risks. The threat of maximum fines of €20 million, or 4% of global annual turnover of a business – whichever is greater – will necessitate a risk-free approach.
The dangers of over-zealous control of data were already evident, he argues, in the case of the London Royal Free hospital, which failed to comply with the UK’s Data Protection Act when it handed over the personal data of 1.6 million patients to DeepMind, a London-based Google subsidiary. The data transfer was being used to create the healthcare app Streams, an alert, diagnosis and detection system for acute kidney injury. The Information Commissioner’s Office ruled in July last year that patients were not adequately informed that their data would be used as part of the test.
Professor Basu says GDPR rules make it even harder for companies like DeepMind to collect this data. He would prefer to see explicit consent replaced with “implied consent”. Patients would still be informed that they can opt out. Although privacy campaigners would protest, he believes it could be done safely. “We need a system based on complete transparency. The doctor or nurse can say ‘we will be collecting this data for this particular medical research, but I assure you we will never share it with an insurance company, or a car manufacturer and it will never be used for direct marketing. You can come back to me at any time and opt out of the process’,” he said.
In Europe, the advantages of exploiting Big Data in healthcare could be significant because of the sheer quantity of data available, which exceeds the amount in the US, Professor Basu says. However, it’s not straightforward to access it because it’s scattered in different healthcare systems, most of which are shackled by privacy concerns and technological backwardness. Recognising the problem, an EU 2011 directive committed the bloc to cooperating on e-health. The Commission and 16 EU countries will introduce an eHealth Digital Service Infrastructure this year, which will allow the exchange of e-prescriptions and patient data summaries across borders.
Experts say sharing the data will help to overcome rare and stubborn diseases. However, GDPR’s stricter rules will limit the amount of data that can be made available for cross-border trade-offs.
Much of the healthcare data in the future will be collected from Internet of Thing devices. These present special dangers because corporate cyber-attacks are becoming more sophisticated and data leaks from companies like Yahoo have a direct impact on customers. There are, however, different types of devices. The most serious hack would involve a connected device with a direct impact on an individual’s medical care, according to Pål Kastnes, a technical manager with Nordic Semiconductor, which provides the Bluetooth technology for half the world’s connected devices. “An insecure blood glucose monitor could hand over control of a person’s medical condition. In the worst case scenario, poor security of a medical device could be life-threatening,” he said.
For critically important healthcare devices the best strategy is to decide on the level of security at the start, then design the product features. Designing features first can make it hard to retrofit devices. “Being too eager to create cool features can lead you to increase the risk of leaving vulnerabilities in your product,” he said.
Nordic Semiconductor takes a lot of responsibility for making devices safe. Pål Kastnes says the company provides the software for encryption, including some Out-Of-Band (OOB) communication to protect against ‘Man In The Middle’ hijacks. The two main factors, he says, are protecting data from outside influences and ensuring it’s only seen by medical professionals.
A new source of data has emerged in recent years with millions of people now wearing fitness monitoring devices, such as Fitbits, the Apple Watch and the Garmin fitness bands. Kastnes says these fitness devices have become increasingly sophisticated and now collect relevant healthcare data. The British law firm, Osborne Clarke, says this data could prove valuable for researchers and GDPR will make access to it much more difficult.
The law firm conducted research showing that 55% out of 4,000 people would happily permit their data, including heart rate, sleeping patterns and exercise regimes, to be used to recommend medication.
The concept of data-based healthcare was particularly attractive to the 18-24 year-old age category, 68% of whom said they would like to be alerted to any potential health issues, while 62% were also happy to be recommended medication from their wearable device, or health app. “Smart use of health data is way more than just mapping heart rates and running distances, it can save lives if allowed to be used correctly. Unfortunately, the forthcoming legislation has the potential to nullify the potential of such technology by being overly restrictive,” said Jon Fell, a partner at Osborne Clarke.