Big Tech’s turn to health: Balancing trust, privacy, and innovation

A new frontier for Big Tech

In a world where information is shared more freely than ever, our health records might have been seen as the last bastion of data that stays truly personal. However, there are signs this might be changing.

In the last year, tech giants like Amazon, Google, and IBM have taken significant steps forward in their efforts to apply the power of their technologies to healthcare and, in the process, they have gained access to millions of medical records. Unsurprisingly, this has prompted widespread concern about how such sensitive information will be used.

The furore began when Google was found to have had access to millions of patient records through a partnership with Ascension, a large US medical provider, and sought access to millions more by offering steep discounts on its cloud services to health data companies like Cerner, which hosts over 250 million records.

The NHS: A ‘gold-mine’ of medical data

While the UK hasn’t seen the same scale of projects as those described above, there are signs that the NHS might be moving in a similar direction.

Last November, it was revealed that big tech executives met NHS senior managers to discuss the creation and commercialisation of a single database of 65 million patient records, days after Amazon struck a deal with the NHS that opens up access to its medical data (albeit not personal information).

Even further back in 2017, the Royal Free Hospital was found in breach of data protection laws by the UK’s Information Commissioner’s Office (ICO) after handing over 1.6 million patient records to Google-owned AI company DeepMind.

It’s not hard to see why the tech giants are actively seeking to gain access to NHS data: comprising 55 million high-quality primary care and 23 million specialist care records, it is estimated by Ernst & Young to be worth £9.6bn annually.

A balancing act

This trend leaves medical providers, doctors, patients, and regulators facing a patient care conundrum.

Of course, medical data is among the most sensitive information that is gathered about us. But emerging technologies – such as Deep Learning – could yield incredible benefits for all of humanity if they can be effectively applied to the biggest problems in healthcare. And these technologies rely on data – and lots of it – hence the sheer scale of these projects.

In theory, each of us stands to benefit if better processes are put in place to facilitate data sharing in the right contexts. Both the UK and US examples cited above were aimed at solving the ‘holy grail’ of healthcare digital transformation – a one-stop shop for electronic medical records which is standardised and searchable.

The value of such a system is undeniable: quicker access to vital records, greater efficiencies that would free up doctors’ time and lead to improved and faster diagnoses, not to mention millions saved in reduced costs.

Some doctors, including Dr David Feinberg, the head of Google Health, would argue that they have a moral obligation to pursue such research. To do otherwise, he says, would be akin to knowingly offering substandard patient care.

And yet, as individuals, we should not have to forfeit our right to privacy. The question is therefore: how can we effectively strike a balance that empowers patients and enables innovation without foregoing entirely valid privacy and data protection concerns?

Not so HIPAA-go-lucky

In the US, the Health Insurance Portability and Accountability Act (HIPAA) is often thought of as a patient privacy law – but this actually isn’t the case.

The intention of HIPAA when it was enacted in 1996 was actually to accelerate the move to electronic record-keeping, not to manage data protection and privacy for health providers.

Currently, HIPAA’s terms are so broad that medical providers can share the most sensitive forms of patient data with third parties even for purposes not directly associated with patient care, under ‘business associate agreements’. This is the form of deal that Google struck with Ascension.

HIPAA does not require patients to be informed of who these third parties are, for what purposes their data is being used, or even the existence of specific agreements. At the moment, HIPAA only requires medical providers to make it known that such agreements generally exist.

Does this make companies that violate patient privacy HIPAAcrits? Not really. It’s not surprising that HIPAA has failed to stand the test of time and deal with the issues outlined above. After all, in 1996 Google hadn’t even been founded and Amazon was barely two years old.

The ageing of laws that impinge on health data simply drives home the need for modern privacy legislation. The California Consumer Privacy Act, which came into force this year, is a welcome development insofar as it is moving the conversation ever closer to a U.S. federal privacy law – now a question of when, not if.

In Europe, GDPR governs all sectors including healthcare and, in theory at least, puts in strong protections for individuals when it comes to data sharing and consent. However, there is a growing need to address the specific considerations governing health data and medical records, given the profound digital transformation taking place in the sector. In the UK, this need will only become more acute post-Brexit when the flow of data across borders will become one of many topics for negotiation with potential trading partners.

Moving consent online

When we look for positive examples to follow, the original purpose of HIPAA – the standardisation and digitisation of medical records – is only now just starting to become a reality, with the help of the FHIR (Fast Healthcare Interoperability Resources) API. A key part of this transformation must be moving consent online and across what used to be isolated silos of the healthcare ecosystem.

The more these narrow ecosystems are connected with each other, the easier it will be for patients to electronically manage authorizations across a healthcare system with a single consent directive.

US government programmes like ‘Consent to Share’ and working groups like HEART (Health Relationship Trust) at the OpenID Foundation have been working towards achieving this – portable patient-directed health data sharing.

No innovation without trust

People aren’t averse to innovation, but they become understandably concerned when they feel it is being done ‘to them’ rather than ‘for them’. They want to be informed about what companies are doing and why, and they want to be asked for consent for data usage rather than forgiveness for data mistakes.

The debate of recent months isn’t about the ends tech companies are pursuing but the means. If huge data-heavy research projects are only known about once they are already underway (or complete), tech companies will only erode trust and goodwill among patients and clinicians.

Without prior notice, the average consumer will naturally leap to the worst-case scenario and decide that the primary beneficiary of these projects is likely to be the business itself, rather than the subjects whose data has been used.

As so often with Big Tech, the damage done has likely resulted from naivety and a lack of care rather than malicious intent. However, this is no excuse. Google, IBM and Amazon must learn their lessons fast. If they truly want to fulfil their ambitions in healthcare, these giants will – like so many in medicine before them – have to learn about the importance of a good bedside manner.

By Eve Maler, Interim CTO, ForgeRock 

About

Eve Maler (@xmlgrrl) is ForgeRock’s Interim CTO. She is a globally recognized strategist, innovator, and communicator on digital identity, security, privacy, and consent, with a focus on fostering successful ecosystems and individual empowerment. She founded and leads the User-Managed Access (UMA) standards effort and provides expert advice to forums such as Open Banking. Previously Eve co-invented the SAML and XML standards. Eve contributes to the rock ‘n’ roll outfit ZZ Auth and the Love Tokens.

About ForgeRock

ForgeRock®, the leader in digital identity, delivers modern and comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world. Using ForgeRock, more than a thousand global customer organizations orchestrate, manage, and secure the complete lifecycle of identities from dynamic access controls, governance, APIs, and storing authoritative data – consumable in any cloud or hybrid environment. The company is privately held, and headquartered in San Francisco, California, with offices around the world.