Comment: Safe from Harm – New routes to secure healthcare data

Stephen Stanton-Downes of Mvine discusses data implications in the healthcare sector and looks at how this could be resolved with secure use of the cloud

Stephen Stanton-Downes

In this article, Stephen Stanton-Downes, chief operating officer at Mvine, discusses data implications in today’s healthcare sector and looks at how this could be resolved with secure use of the cloud

Technology is revolutionising the healthcare landscape. One of the areas of most-significant change is in the ongoing process of convergence between the devices and apps used by doctors and other medical staff and those used by their patients. There are two main trends.

Firstly, clinicians are increasingly looking at using consumer-based devices, particularly tablets and mobiles, as part of care management plans. Whereas in the past, patients would typically leave the doctor’s surgery with a prescription for a drug, in the future that prescription may also include an app. Hospital patients will be discharged with apps on tablets or smartphones to enable them to monitor their progress on an ongoing basis.

Such an approach provides benefits for doctors and patients. For patients, these apps can be invaluable in helping manage their condition, enabling them to record symptoms while recommending strategies for pain control, appropriate medication or rest and recuperation.

From the clinicians’ point of view, in addition to the immediate healthcare benefits, there is huge potential in the ability of these apps to gather significant volumes of data from a source, to which they have never before had access. After all, this kind of care management would previously have been handled in the hospital or doctor’s surgery. Extending the plan into the patient’s own personal life will provide clinicians with a rich store of new data to mine for additional insight.

In a sense, we are seeing the worlds of the formal medical profession and of consumer health and fitness colliding

There are significant potential benefits here, but this also raises serious data privacy concerns. Who owns the data recorded by the patient on the tablet? Does the patient have any say over what happens to that data? Can the clinicians sell it onto pharmaceutical companies who might want to mine it, albeit in an anonymised form, for product development and research purposes?

There are also related security issues to consider. If the patient is using a tablet to record personal and highly-confidential healthcare information, is the data encrypted? Is it travelling over the home user’s wi-fi and then over a public broadband network? Most important – is it secure in transit?

Wearable devices

This is not a phenomenon solely driven by the medical profession, though. It is being driven by consumers also. More and more people are buying wearable devices which are becoming increasingly medical or pseudo-medical in nature, everything from Fitbit through to apps that take blood pressure and wearable gadgets that monitor heart rate.

People are buying these for their own personal benefit. But, when they are used over time, they will typically be generating large quantities of data, all potentially valuable to doctors.

When you bring a new device online, it will need to join a security domain in order to participate in the exchange of data within that office. And, when it joins, a number of policies will need to be applied to it and a number of key questions answered

Imagine the scenario. The patient turns up at the surgery with a racing pulse and high temperature. He is diagnosed with a heart condition, but turns to the doctor and says, ‘I’ve got a Fitbit, which I’ve been using for four years and I’ve gathered lots of data about my heart rate, would that be of use to you in treating the condition/1

The answer is clearly ‘yes’, but that’s when questions start again. How is this going to happen? Is the patient going to extract the data and provide it to the GP? And now they’ve handed it over, do they still own it? Perhaps, even more concerning, what happens if they use the data to make decisions and that data was incomplete. Or if the Fitbit wasn’t working properly and the data recorded was inaccurate? It’s a complex dilemma and becomes even more so if a device is sold on to a third party.

In a sense, we are seeing the worlds of the formal medical profession and of consumer health and fitness colliding. This coming together is presenting great opportunities through the emergence of the latest digital and mobile technology apps and the data that these innovative new devices can generate. But it presents challenges too in terms of the privacy and security of this data. The key question is how can these challenges best be addressed?

Building an ecosystem

In truth, there are currently no real solutions. The pieces of the puzzle are still coming together, but the direction of travel is clear

One way may be through the development of a safe and secure collaborative cloud ecosystem approach which can potentially address the data privacy and the security issues that are key to this new healthcare scenario. One of the benefits of an ecosystem approach is that it enables organisations or groups to establish a security context around a set of devices, people, systems and data as one collective entity.

That, in turn, allows organisations to put in place a set of series and policies and guidelines and business rules with respect to the systems and data and people that reside inside that secure context that apply to all of the above. It allows them to start setting either weak or strong policies depending on the nature and the sensitivity of the security context in which they are dealing.

It’s a little like bringing a new PC onto an office network. After all, when you bring a new device online, it will need to join a security domain in order to participate in the exchange of data within that office. And, when it joins, a number of policies will need to be applied to it and a number of key questions answered.

Can one user or multiple users log into it? Is it restricted to an individual user, or can a range of different users log in? Does it only operate at certain times of day? Can it only communicate with certain other machines? The level of lockdown will vary depending on the deemed secure nature of the data, people and systems in a given domain.

It’s analogous to the situation within an ecosystem where people, devices and systems will effectively need to be vetted before they can be brought into a secure portal environment. And the benefit of what we might call an ecosystem security check effectively remains the same as we move beyond the boundaries of the firewall into the cloud and from there start to explore concepts like the Internet of Things.

Organisations will need to establish ecosystems of people, data, systems and things. They will then need to decide whether each of those entities are participants in that ecosystem or not and apply the appropriate level of rigour in terms of access and control in order to effect the policies which they have deemed appropriate.

The route ahead

Moving forward, questions will inevitably remain as to the right levels of policy for particular ecosystems, such as the ones we have described. It’s currently an open debate. What is clear is that all of the participating entities within these ecosystems have the capacity to be managed within this domain. Once again, this raises security issues. How can we ensure, for example, that medical devices produced by the manufacturers have the software on them that will allow them to participate in secure ecosystems and have their privacy settings and controls managed remotely?

The use of mobile devices and digital apps in healthcare is becoming ever-more pervasive and we are seeing a blurring of the lines between their usage by clinicians and the patients they are treating

In truth, there are currently no real solutions. The pieces of the puzzle are still coming together, but the direction of travel is clear.

The use of mobile devices and digital apps in healthcare is becoming ever-more pervasive and we are seeing a blurring of the lines between their usage by clinicians and the patients they are treating. These trends are creating data that is potentially of great value in treating diseases and managing long-term conditions.

This value will, however, only be realised when an approach is implemented that addresses the key challenges in terms of privacy and security challenges we identified earlier. But, if the right industry policies and standards are put in place, if the device manufacturers get the right messages about device settings - and we are confident this will happen over time – then a secure ecosystem approach will surely have a key role to play in turning this vision into reality.

Companies