Marzio Ghezzi of digital health technology specialist Mia-Care gives his insights into the issue of patient data privacy.
Pressures on the health service, from an ageing population to the COVID backlog, new treatments and staff shortages, mean that innovation and digital transformation have a major role to play.
The use of AI in speeding up the work of radiologists in reading MRI scans is a prime example.
Digitalisation is also a vital part of the clinical trials process for new drugs and medical devices.
However, innovation is not without its risks. One of the major challenges facing healthcare organisations embarking on digital transformation is the risk that patient data will be compromised, leaked or stolen.
Attack surface
So why has the risk to patient data security risen up the agenda over recent years?
First, the implementation of technology has created a broader attack surface for malicious actors. GP practices are connected to the NHS, pharmacies and hospitals.
The increased use of apps in delivering personalised healthcare and telehealth means that we are reliant on a whole army of developers to make sure these apps are secure, as well as delivering health outcomes.
Big data is increasingly being used in the field of public health to track health conditions like Type 2 diabetes, which is invaluable in driving improvements in therapies and disease prevention.
In the case of the COVID pandemic, big data played an essential role in tracking the disease, as well as in clinical trials of the vaccines.
But the area of big data poses some major questions for the use of patient data, as illustrated by the class action against Google subsidiary DeepMind for the alleged misuse of the confidential records of 1.6 million UK patients.
National treasure
Although the NHS is a national treasure with free treatment at the point of use, it is made possible by a combination of state-owned and private sector organisations.
This covers everything from NHS Trusts, GP practices and pharmacies to medical device and pharmaceutical companies, not to mention a raft of private sector IT providers.
With so many organisations involved, the security risk rises exponentially, regardless of whether they are public or private sector.
Online pharmacies have been caught selling private patient data illegally.
Hospitals have fallen victim to ransomware attacks. As recently as August last year, an attack on a third-party NHS software provider led to clinicians losing access to patient records and having to make decisions without access to vital patient data.
So, what is the potential impact of poor patient data security? As we have seen, clinicians not having access to patient records means that there is a potential risk of doctors and nurses working ‘blind.’
That could mean patients being given the wrong treatment and no account being taken of vital information like allergies or underlying health conditions. This in turn could have a financial impact on the health provider in terms of malpractice suits and compensation for medical negligence.
Financial impacts
Other financial impacts could come in the shape of fines from the regulators for poor management of personal health data. In the case of Dedalus Biologie in France, regulators imposed a fine of €1.5 million for failure to comply with patient data security obligations, in a case where the leaked information included social security numbers and recent medical diagnoses like HIV.
This brings us to the topic of ransomware, where hackers can cost health providers millions in the cost of remediation, irrespective of any ransom payments made to cyber criminals or the reputational damage done to the healthcare provider.
In the specific case of clinical trials for new therapies or devices, the loss or compromise of patient data could render the trials invalid while at the same time running the risk of loss of intellectual property.
When you consider that the cost of a typical pharmaceutical trial is in the region of $50-$100m, this is a serious risk, quite apart from the fact that any tampering with data from clinical trials could result in IoT-connected devices administering the incorrect dosage to a patient.
Safeguards
So, what steps should we be taking to minimise the risk of a breach of patient data security? There are a number of “safeguards” required to protect against unauthorised access to personal health data.
Priority number one is end-to-end encryption of data. Encryption is the ultimate fail-safe measure so that if the worst happens, unauthorised persons will not be able to make sense of the information they have access to.
With increased IoT adoption, this is becoming more of a concern for healthcare providers. Data should be encrypted at rest (in all places, including network and cloud back-up) and in transit, with decryption tools stored on a device or at a separate location.