Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
MedicalandPharmaceuticalSectors I ElectronicMedical Data–Powerful NewCommunication ToolsCreatePrivacy Challenges By Carol A. Umhoefer and Winston J. Maxwell Telecom companies use the slogan “anytime, anywhere” to describe ubiquitous access to entertainment, e-mail accounts and corporate networks using broadband connections. 26 CommerceinFranceN°73–Autumn2009 n the field of healthcare, “anytime,anywhere”takesonanew meaning, allowing doctors and other healthcare professionals to consult images of a patient who might be located thousands of miles away; to consult, with a simple mouse click, a patient’s comprehensive health records,includingtestsresultsandimages collected in several hospitals locatedindifferentcitiesatdifferenttimes; to monitor, in real time, patients’ vital signs,whetherthepatientisatwork,at home,orintransit. Anenlighteningcasestudy Nonetheless, new technologies associatedwitheHealthapplicationswillraise new privacy challenges for both U.S. andFrenchauthorities.Thesechallenges were highlighted in a recent report bytheEuropeanNetworkandInformation Security Agency (ENISA), which focusedonacasestudycalled“Being diabetic in 2011.” The case involves ahypotheticalpatientcalledRalphwho wearsbiosensorsthattransmitinformationonhisglucoselevel,heartrateand blood pressure to his watch, which in TheadvantagesofeHealthapplications turntransmitstheinformationtoacenaretwo-fold:theysavemoneyforthena- tralized care center. Ralph receives tionalhealthsystem,andtheysavelives. a daily message on his mobile phone The cost savings come from the ability reminding him to take his medicine, to avoid unnecessary and and must respond to the duplicative tests, and to message—otherwise he Many eHealth permit more health maniscalledbysomeonefrom initiatives raise agement at home instead the care center. If Ralph privacy concerns ofincostlyhospitalrooms. needs help, the sensors that are serious— The life-saving aspects inwilltriggeranalarmand but so are the cludeavoidingmedicalergeolocalization will perlife-saving benefits rors, improving preventive mitemergencyservicesto associated with medicine,andgettinghelp reachhimquickly.Every eHealth." topatientsquickly. evening,Ralphmakesentriesintohisonlinehealth France and the U.S. are investing journalregardinghisdietandexercise heavily in new eHealth initiatives as that day, as part of a global diseasepart of economic-recovery programs. management program prescribed by ManyeHealthinitiativesraiseprivacy his doctor. After validation by a docconcerns that are serious—but so are tor, parts of Ralph’s health journal are thelife-savingbenefitsassociatedwith includedinRalph’selectronichealthreeHealth. As usual, a careful balance cords,whichcontainallofRalph’stest hastobestruckbetweenprivacyand results and physician notes. Those reother important social values before cordsarecentralizedinasecuredatasuch initiatives can be deployed on base.Ralphhasaccesstocertainparts a broad scale. Policymakers on both of his electronic health records and to sides of the Atlantic are advancing the various consents that he has given withcaution,knowingthattheprivacy inconnectionwithusingthoserecords. andsecurityriskswillhavetobemanaged so that these new applications ENISAusedthiscasestudytohighlight canbedeployedquickly. the enormous benefits associated with Ralph’s program, but also the risks of TheU.S.isperceivedashavingweak deployingsuchaprogramonabroad privacy protection compared to Eu- scale. rope.Thisisnottrueforhealthdata. The U.S. has had health-specific privacyrulesinplaceforoveradecade, Howtodealwithinformed andthoseruleswererecentlystrength- consent? ened by the American Recovery and Reinvestment Act (ARRA) of 2009. Most eHealth applications require the France’s law on privacy contains spe- informed consent of the patient. Incial provisions on health data, which formed consent sounds easy, but it is areconsidered“sensitive”andrequire one of the most thorny issues in data specialprotections. protection.Inthehypothetical,Ralphis MedicalandPharmaceuticalSectors abletounderstandtheconsequencesof hischoices,andissufficientlycomputer literatetoaccesshisonlinerecordsand review his consent parameters from timetotimetomakesuretheyarestill valid. New Web 2.0 tools make it easier to put the user in control of his orherprivacyprofiles,andtomanage thoseprofilesovertime.ButineHealth, thiskindofuser-centricapproachhasits limitsbecausemanypatientsarenotin apositiontomakedecisions,letalone access parameters online. Existing practices and regulations in the health field with respect to informed consent may be too elaborate to enable widespreaduptakeofeHealthapplications. UnauthorizedaccesstoRalph’s data? Electronic health records will contain sensitive information on Ralph, and potentially millions of others. The information will be centralized and accessible to healthcare professionals andnationalhealth-insuranceschemes forpurposesofadministeringtreatment and reimbursing costs. Systems will be designed1 to mitigate risks of unauthorized access, including identitymanagement systems that will authenticateindividualsandtailortheamount ofdatathatcanbeviewedbyagiven professionaltoonlytheminimumnecessaryforthatperson’sfunction.Nevertheless,aspointedoutbyENISA,the dataareallinoneplace,andnosystem is completely fool-proof. Consequently,therearerisksassociatedwith malicious hackers, or even insiders seeking medical information about a famouspoliticianorsportsfigure.User authentication will be key, but again, thisiseasiersaidthandone.Sophisticated identity-management systems areemergingtodealwiththisrisk,but thefamousNewYorkercartoonstating that “On the Internet nobody knows you’readog”stillraisestrickysecurity problems for network professionals. And beyond electronic-security issues, thereissimplehumanerror—assome of Europe’s more notorious examples of data loss indicate, massive loss of data may result from nothing more thananotebookcomputer’sbeingleft onacarseat. Unauthorizeduseofdata? backbone, the call center’s patient-management system, the central electronic ENISAalsounderlinestheriskof“mis- health-records database itself. Doing sion creep,” i.e., that government bu- awaywithpaperrecordscarriesbenefits reaucrats would find new uses for the butrenderseveryonemorevulnerableto data, which may be laudable (in the technical failure, which may be caused caseofmedicalresearch)butneverthe- by congestion, natural disaster, saboless exceed the scope of the original tage,ortheproverbial“grainofsand.” patient consent. ENISA also points to law-enforcement access to medical After telling the horror story of everydata. In Sweden, police obtained ac- thingthatcouldgowrong,ENISAlists cess to electronic medical records to the benefits of Ralph’s eHealth prohelp locate a murderer, even though gram, which involve rights and intersuch access was not originally part of ests that are every bit as important as the patient's consent. Finally, ENISA privacy, including better protection of mentionstheriskthatmedicaldatawill Ralph’s life, more efficient use of taxbeusedforotherkindsofsurveillance payereuros,andtheabilityofRalphto and profiling, including by insurance leadarelativelynormallifeinspiteof hisdisease. companies. What’s“anonymousdata”? Havingaccesstomassivepatientdata can help medical research. One ECfunded project is called @neurIST—IntegratedBiomedicalInformaticsforthe Management of Cerebral Aneurysms. This project is based on analyzing large quantities of scanner images of individualshavingsufferedanaccident, and using those data to better predict when an aneurysm presents a health risk requiring intervention: “By uniting currently fragmented clinical data and integratingconceptsoftheVirtualPhysiological Human, @neurIST will have a major impact on the management of cerebral aneurysms.” Yet this project faces significant privacy challenges, becauseitinvolvesthesharingofelectronic health records across European countries.Oneofthekeyissuesforthis project and others is what it means to “de-identify” data. Even this relatively simple question has no clear answer. Whatisanonymousdatainonecontext maybepersonaldatainanother,ifitis possible to connect data from diverse sourcestoidentifyanindividual. The path forward will involve IT and telecomcompanies’implementingsecurity features early in the design stage, at deeper and deeper levels in the network; systematic training of public and private actors, and greater public awarenessofprivacyrightsandobligations.Onlybyapproachingprivacyas a continuum involving all actors in the chain(suchaswiththemulti-stakeholder approachintheDMP(DossierMédical Personnel) project recently relaunched by French Health Minister Roselyne Bachelot)willthebalancebetweenprivacyandeHealthbefound. Carol A. Umhoefer, a Partner at DLA Piper, is Chair of AmCham’s Legal Affairs Task Force. ( France Member since 1961) www.dlapiper.com Winston J. Maxwell, a Partner at Hogan & Hartson, is Co-Chair of AmCham’s New Media & IT Task Force. ( France Member since 2004) www.hhlaw.com Systemcrash InthecasestudyinvolvingpatientRalph, ENISA points to any number of links in the chain that could fail, in spite of redundancy:thesensorsonRalph’sbody, thewireless-accessnetwork,thetelecoms 1. Using an approach called “privacy by design” CommerceinFranceN°73–Autumn2009 27