Digital Healthcare: overcoming privacy and security challenges in a post-pandemic era
From mobile health (mhealth), telehealth, telemedicine and wearable recording devices, to wider integration of artificial intelligence, CROs (clinical/observational trial anonymisation services) and moves to standardise medical record keeping (Electronic Patient Records, EPRs), digital health tools are working to compensate for a lack of physical interaction, to support accurate diagnoses and treatment of many conditions, and to augment the overall delivery of care to remote patients.
With physical visits to hospitals and clinics not accessible to most people throughout the pandemic, many illnesses have gone undiagnosed or untreated for some time.
By May 2020, a study in northern Italy showed a 58% increase in out-of-hospital cardiac arrests that occurred at the same time as the worst of the COVID-19 outbreaks (1).
In June, Cancer Research UK highlighted that, after almost 2.5 million people had missed tests, treatment and screening, an estimated 24,000 cancer cases had gone undiagnosed (2).
Many have not dared to enter hospitals or GP practices out of fear of catching COVID-19, and many vulnerable patients who have been shielding have suffered delays in their care, operations and appointments.
Telehealth and decentralised, video-based observational trials provide a clear and simple alternative to visiting your doctor in person, and a way of advancing healthcare.
Almost 10% of outpatient appointments were recorded as telemedicine in the UK in March 2020 - a significant jump from the 3.5% recorded the previous year (3).
Before the pandemic, almost 80% of GP appointments were in person, but as of June 2020, this had fallen to just under half in the UK - a time when the pandemic was not even at its worst (4). Moreover, remote trials have also gained popularity - thanks to artificial intelligence, cloud computing and video communication services - so much so that 76% of researchers are now running decentralised trials due to COVID-19 (5).
As a result of our ever-increasing digital surroundings, and the magnitude of COVID-19, telehealth has made huge strides in allowing the health sector to adjust to the need for remote provision of consultation and care. From a patient perspective, it is a powerful and convenient alternative that offers a quick and easily accessible way to speak to clinicians and manage care.
Even though there have been significant delays in ongoing trials due to the pandemic, telemedicine and video are making decentralised and observational trials increasingly possible.
However, as businesses and clinicians that control large volumes of personal and sensitive data, digital healthcare service providers are having to play catch-up to ensure that their systems are up to date with GDPR, HIPAA and other data regulations, alongside ensuring that the data they process is as secure as possible.
Medical data is perhaps the most sensitive, identifiable information stored digitally, so its proper care, distribution and storage is essential.
For all healthcare organisations, there are two perspectives that need to be balanced. On the one hand, there is the back-end organisation and its systems: standardised computing platforms that need to be made accessible to all health trusts and apps, such as software that links the ordering of blood tests, diagnostic imaging, and the digital management of EPRs for appropriate distribution to doctors and patients. On the other hand, there is the patient-to-doctor experience and the systems that need managing: video consultations, body-worn cameras, CCTV monitoring of beds and observational trials.
These two perspectives pose a range of privacy and security concerns that must be addressed in tandem; all of which point to a need for a proper security infrastructure to protect from cyber security risks, and automatic and consistent protection of the privacy of sensitive medical data.
Digital Healthcare’s Infrastructure
On Friday 12th May 2017, the NHS suffered one of the biggest cybersecurity breaches ever recorded. The WannaCry cyber attack popularised ransomware across the globe, infiltrating over 200,000 computers in over 150 countries, and costing the UK £92 million.
The NHS was brought to a halt as hospitals and GP surgeries were locked out of their systems, thousands of appointments and operations were cancelled, and emergency patients had to be frantically relocated from afflicted emergency centres.
Staff even had to return to pen and paper methods and use their own phones for documentation and contacting patients.
NHS England reported that 80 out of the 236 trusts were compromised, in addition to 595 GP practices and 603 other NHS organisations offering primary care. (6)
Ransomware remains the most common cyber extortion method in the UK, according to the National Crime Agency (NCA) (7), and experts highlight that health records remain particularly lucrative as they can be worth up to ten times more than other data (such as banking information) (8).
Although the NHS was not specifically targeted, the attack highlighted key security vulnerabilities that could not be ignored, in particular a weakness relating to legacy software (Microsoft Windows 7) (9). The operating system was found to be in use on most NHS devices (including computers, phones and even medical machines), supported but unpatched.
Since then, the NHS digital infrastructure has received a significant amount of funding to ensure better security, which led to a wholesale upgrade of software across all affiliated trusts to move all internal systems to Office 365 and Windows 10 (10). This meant a move from on-premises systems to the more secure and backed-up cloud infrastructure.
These upgrades that came off the back of WannaCry also extended to a deal with external health organisations, meaning that all networks had to be linked to NHS Digital, giving the NHS an opportunity to monitor any breaches and to access patient information.
Despite a more secure foundation for the NHS, the pandemic has brought new and unprecedented challenges.
Telehealth’s expansion was fuelled by an increase in remote patients who were seeing less availability for traditional care via the NHS directly, which has resulted in the creation and storage of vast amounts of new digital health data. Telehealth apps have been popping up frequently, all in a bid to answer the surge of remote care requirements spreading across the globe.
As a result, not only was there a rapid escalation in cyber breaches as more health data became available, but compliance with HIPAA and GDPR had to take a back seat in order to keep up with demand (the US has paused elements of the HIPAA regulation for telehealth providers to support their rollout and usage through the pandemic) (11).
So much so that in February 2021, it was reported that as much as 80% of live healthcare apps that apply to work with NHS trusts failed to meet adequate security and compliance standards (12).
Furthermore, significant cyber breaches affected many telehealth companies such as Babylon Health (whose patients could briefly access other patients’ video consultations), and Verkada (whose hospital surveillance cameras, which were linked to doctors’ phones, were hacked) (13) (14).
Staff snooping on records is a further risk. It spans from someone quickly checking a family member's or friend's record, or printing personal information, to inadvertently viewing the patient logs of other units.
With reams of personal and sensitive information at healthcare professionals’ fingertips, it is up to organisations to train employees and provide the right technical control and policies to help mitigate the risk of snooping.
Furthermore, the transition to Windows 10 is still underway for some NHS organisations, due to the sheer volume of content and the complexity of linking machines and EPRs to the right systems; it can take years to update versions, particularly when the right technical ability is unavailable (16).
The transition to a more secure infrastructure is definitely a priority for the NHS, especially after WannaCry, but the pandemic's immediate demand to provide unencumbered remote care has caused unavoidable delays.
The COVID-19 vaccine rollout has alleviated some of the pressure on physical healthcare services, and many trusts are turning their attention back to the implementation of mature digital infrastructure with appropriate levels of data security and privacy built in.
Telehealth and CRO clinical trials are a perfect fit for this, though proof of security measures and an update of compliance policies to specify the handling of medical data may be in order, so that more healthcare apps can work with the NHS safely.
It is clear that digital care is not just an aid for the pandemic, but is here to stay.
After an increase in cyber threats across all sectors, a secure digital infrastructure for healthcare that can protect against an attack is both a necessity and an active work in progress.
Accelerated usage of video for consultations, observational trials, and hospital monitoring
Across digital healthcare, video has become a critical tool to conduct doctor-patient consultations, carry out clinical studies that cannot be completed in person due to COVID-19, and maintain hospital surveillance and NHS staff safety.
In terms of video-based clinical trials and CROs, telemedicine grants greater access to research and reduced attrition - allowing trials to overcome one of the largest barriers for enrolment: a patient’s geographical location and/or socioeconomic status.
They also increase the probability of better patient diversity, allowing for more accurate results and representation of a disease or drug within that particular population. With the push for video-based everything - not just consultations, but everyday forms of communication - the rise in video observational studies has meant that communication with patients is better and more direct, as they can communicate with physicians and investigators more efficiently throughout the entire treatment process, instead of waiting for its conclusion (17).
CCTV streams in hospitals and NHS staff surveillance are also an important area of healthcare video to consider.
This includes captured footage of ambulances and their licence plates, body-worn paramedic cameras, monitoring people density in wards (particularly now, as a result of COVID and social distancing), monitoring whether people are wearing masks and washing their hands frequently, monitoring staff access to medications and patient records, and maintaining overall surveillance for staff, patient and visitor safety.
Even before the COVID-19 pandemic, telemedicine consultations were on the rise with many healthcare providers.
They were the perfect way to reduce patient flow through hospitals and GP practices, and limit exposure to infection.
They are surprisingly versatile too: they have been deployed to help trial remote treatment and care for a wide variety of conditions, from the management of diabetes, hypertension and strokes to more acute illnesses such as emergency eye care and certain skin conditions (18).
In March 2020, registrations to the NHS app increased by 111%.
As a result, ‘Attend Anywhere’ was rolled out nationally under licence for 12 months. It is a platform that supports video consultations in outpatient settings and is the only one centrally procured by NHSX (the joint unit of NHS England and Department of Health and Social Care) (19).
Many studies report that the use of video consultations between clinicians and patients led to a high satisfaction rate among patients, and, according to Christopher Sharp, the Chief Medical Information Officer at Stanford Health Care (Palo Alto, California), 75% of patients who completed a video visit report that they are very likely or extremely likely to choose a video consultation over an in-person one in future (20).
With this step into a more digital and video-led way of providing healthcare, there are certain practicalities that must be considered for both GDPR and other data privacy compliance, along with data security.
The amount of health-related video now being captured is considerable, and it needs to be anonymised in order to protect personal and sensitive data when it’s accessed, shared or used for collaboration.
With organisations and each country’s data protection and telehealth regulations rapidly evolving, all digital communications with patients and clinicians need constant attention.
Compliance and protection of sensitive medical data
The recovery approach to COVID-19 is moving forward with help from the vaccine rollout, meaning patient data compliance for healthcare is moving rapidly back up the agenda.
In terms of video doctor-patient consultations and CRO clinical trials, compliance in the UK needs to be met under the UK GDPR and the Data Protection Act (DPA, 1998), with the Information Commissioner's Office (ICO) and the Care Quality Commission (CQC) as regulators.
There are many overlapping compliance requirements between the United States’ Health Insurance Portability and Accountability Act (HIPAA) and the UK’s DPA too, which may not necessarily concern certain organisations, but if healthcare providers also operate in the US, they will need to comply with both.
There are also certain policies provided by the NHS with regards to safeguarding patient data, that are not necessarily law, but are widely recognised by the ICO and NHS foundation trusts as being necessary in order to both protect patient information, and to work with the NHS as an official body. (22)
Data compliance within healthcare, especially in order to work with the NHS and the US health sector, is not a one-time fix; it demands an active demonstration of ongoing activity above the base level to ensure the security of patient and staff medical data.
As the DPA can be open to interpretation (it covers many industries rather than being healthcare specific), there is a strong assumption that healthcare providers will not only comply with the baseline of regulation, but go to all possible lengths to protect customer medical data.
Key data areas to cover include the degree of access, maintenance of key security procedures, employee security training and many data security measures to reduce the risks of a breach.
NHS TOOL KIT:
https://www.dsptoolkit.nhs.uk/
According to the ic2Design Install Project’s paper on CCTV compliance in NHS trusts, one of the biggest challenges facing the NHS is the continual hardening of the regulatory framework for ensuring high standards of care.
The UK government’s data watchdog for healthcare is the CQC - however, they do not govern CCTV video surveillance in hospitals - this instead falls under the jurisdiction of the ICO, the DPA, and Surveillance Camera Code of Practice (Home Office, 2013).
To accommodate the sensitivity of healthcare environments, the Freedom of Information Act (FOI, 2000), the Human Rights Act (HRA, 1998), and the Protection of Freedoms Act 2012 (POFA) all add to the complex framework that must be complied with. (23)
A key approach to ensuring complete security is by compartmentalising geographical areas within a hospital into public (e.g. entrances and exits), communal (e.g. wards) and private (e.g. consulting rooms).
Naturally, CCTV surveillance in private areas is of the highest sensitivity, and further considerations apply, including the risk of inappropriate image or video capture; clinicians must also be consulted about the CCTV and how its footage is used after recording.
In any case, all types of video footage must be handled in a way that prioritises confidentiality.
In other words, you must view all footage captured in a secure area with restricted access, and you must seek consent to disclose or use any information about anyone captured. Consent is considered extremely important; the only exceptions are where disclosure can be justified as being in the public interest, or where seeking consent would undermine the purpose of the disclosure.
The best way to protect someone’s personal information is to remove any identifiable information and take any and all steps to minimise what is stored - this way, access is restricted, video data is further protected (on top of all other security measures) if there is a breach, and patient confidentiality is kept secure.
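As an added illustration of that last point (example code, not from the original article and not Secure Redact's or Pimloc's own code), the following Python collapses detector-supplied regions of a video frame to flat tiles so the original pixels are discarded rather than merely obscured, then verifies the result. It assumes an upstream detector has already produced (x, y, width, height) boxes for faces or licence plates, and that a frame is a list of rows of 8-bit grayscale pixels.

```python
# Irreversible redaction of detected regions in a video frame.
# Constructed example, not Secure Redact's code. Assumes an upstream detector
# has already produced (x, y, width, height) boxes for faces or licence
# plates; a frame is a list of rows of 8-bit grayscale pixels.
from typing import Iterator, List, Tuple

Frame = List[List[int]]
Box = Tuple[int, int, int, int]  # (x, y, width, height) in pixels
Tile = List[Tuple[int, int]]     # (row, col) pairs making up one block


def _tiles(frame: Frame, box: Box, block: int) -> Iterator[Tile]:
    """Yield block x block tiles covering `box`, clipped to the frame and
    anchored at the box origin so redaction and verification agree."""
    height = len(frame)
    width = len(frame[0]) if height else 0
    x, y, w, h = box
    x0, y0, x1, y1 = max(x, 0), max(y, 0), min(x + w, width), min(y + h, height)
    for by in range(y0, y1, block):            # empty if the clipped box is empty
        for bx in range(x0, x1, block):
            yield [(r, c) for r in range(by, min(by + block, y1))
                          for c in range(bx, min(bx + block, x1))]


def redact_frame(frame: Frame, boxes: List[Box], block: int = 8) -> Frame:
    """Return a copy of `frame` with every box collapsed to flat tile averages.

    Each tile becomes one value, so the original pixels are discarded rather
    than merely obscured (a light blur, by contrast, can be partly reversed).
    Off-frame or zero-area boxes yield no tiles and are silently skipped.
    """
    out = [row[:] for row in frame]            # never modify the source frame
    for box in boxes:
        for tile in _tiles(frame, box, block):
            mean = sum(frame[r][c] for r, c in tile) // len(tile)
            for r, c in tile:
                out[r][c] = mean
    return out


def region_is_redacted(frame: Frame, box: Box, block: int = 8) -> bool:
    """True if every tile inside `box` is flat, i.e. carries no residual detail."""
    return all(len({frame[r][c] for r, c in tile}) <= 1
               for tile in _tiles(frame, box, block))


def sample_frame(size: int = 16) -> Frame:
    """Constructed gradient frame standing in for a decoded video frame."""
    return [[(r * size + c) % 256 for c in range(size)] for r in range(size)]


if __name__ == "__main__":
    frame = sample_frame()
    face = (4, 4, 8, 8)                        # constructed detector output
    redacted = redact_frame(frame, [face], block=4)
    print("region redacted:", region_is_redacted(redacted, face, block=4))
```

Choose `block` large relative to the box (a face spanning only a handful of tiles), since fine pixelation can retain enough structure to be matched against reference images; store only the redacted frame, not the source or the detection boxes, to keep the stored data minimal.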
How can artificial intelligence help?
From detecting cancerous cells invisible to the human eye, to robotic surgery and 3D image analysis, artificial intelligence has permeated healthcare and proven a useful tool.
AI within the global healthcare market is predicted to reach $35,892.2 million by 2030, and the pandemic has catalysed funding, with almost $1 billion invested in AI-focused healthcare start-ups in the first quarter of 2020 (24) (25).
It is clearly changing the landscape with which many healthcare companies are providing care, but how can it help to protect patient data and provide security?
In order to stay compliant and allow wider use of and collaboration on data, healthcare providers need to prioritise data privacy and security within their systems, operations and cultures.
Automated video anonymisation through Secure Redact means that you can comply with data privacy legislation - regardless of whether it is video consultations, clinical trials, or CCTV.
Powered by Pimloc’s world-leading machine learning platform, it can decrease unnecessary manual labour for your teams, allow you to share video without the need for consent (as personal data is already anonymised), and ensure that your customers, patients, and staff are well cared for - like every other aspect of healthcare that you provide.
Find out more NOW! Contact: info@secureredact.co.uk
Definitions:
Mhealth = Mobile health - public health and medicine supported by mobile services (26).
Telehealth = The use of telecommunications and online services to support and give remote clinical health care, patient/professional health education or administration and public health (27).
Telemedicine = The provision of remote clinical services (28).
Observational study = where investigators assess health outcomes of participant(s) according to a research plan and/or a protocol by observing only (there is no intervention or interference) (29).
CRO = Contract or Clinical Research Organisation. They provide support and help to pharmaceutical and biotech companies via outsourced research trials (30).
Sources:
https://www.wired.co.uk/article/roche-digital-healthcare
https://www.wired.co.uk/article/roche-digital-healthcare
https://www.enterprisetimes.co.uk/2021/02/15/hipaa-and-2021-healthcare-data-security-trends/
https://www.securityinfowatch.com/healthcare/article/21210284/catch-and-prevent-healthcare-snooping
https://www.reutersevents.com/pharma/clinical/telemedicine-future-clinical-trials
https://www.wsj.com/articles/what-covid-19-taught-us-about-telemedicine-11616932803
https://www.isdecisions.com/healthcare/data-access-necessity.htm
http://www.ic2cctv.com/wp-content/uploads/2016/06/iC2_CCTV_Compliance_NHS.pdf
https://uk.finance.yahoo.com/news/global-ai-healthcare-market-analysis-093900857.html
https://www.healtheuropa.eu/the-rise-artificial-intelligence-in-the-healthcare-sector/105870/
https://www.healthit.gov/faq/what-telehealth-how-telehealth-different-telemedicine
https://www.aafp.org/news/media-center/kits/telemedicine-and-telehealth.html
https://www.pharma-iq.com/glossary/contract-research-organisation-cro
References:
https://www.ifsecglobal.com/video-surveillance/rise-of-body-worn-cameras-security-retail-healthcare/
https://digitalguardian.com/blog/healthcare-cybersecurity-tips-securing-private-health-data
https://healthinformatics.uic.edu/blog/3-ways-him-professionals-protect-patient-data/
https://www.cbinsights.com/research/report/healthcare-trends-q4-2020/
https://healthmanagement.org/c/cardio/news/the-impact-of-digital-technology-on-healthcare
https://hbr.org/2020/12/what-the-pandemic-means-for-health-cares-digital-transformation
https://www.themdu.com/guidance-and-advice/guides/cctv-in-healthcare
https://internationalsecurityjournal.com/healthcare-smart-cameras/