Digital health data
There has always been a duty to protect health data. With growing digitalisation, this topic is receiving even more attention. Service providers and providers of IT systems both have work to do.
Text: Roger Welti, Images: ©iStock, ©Alamy, ©Keystone, 14 December 2017
The electronic patient record (EPR) is providing the impetus for discussions about data protection and data security in the health care sector – among friends and among the experts. According to the Swiss eHealth Barometer 2017, fully 65 percent of the population trust the agencies working with the EPR to protect patient data – not a bad figure. However, the health care professionals are more sceptical. 35 percent of doctors and 42 percent of pharmacists wouldn’t offer their patients an EPR for reasons of data security. What are the challenges involved in protecting electronic patient data? We asked around – by consulting the Federal Office of Public Health (FOPH), asking service providers and looking at sites run by providers of IT systems.
The digitalisation of the health care sector, and the EPR in particular, are permanently changing the power relationships in the handling of medical data. For the first time, the patient is permitted to view his or her data, and can also control the access to this data. The days when an unspecified group of people had access to a patient’s health data – without his or her knowledge – are over. “We are experiencing a paradigm shift,” agrees Salome von Greyerz, the head of the Health Strategies department at FOPH. “This is forcing the service providers to develop a greater awareness of the topic of data protection.”
However, awareness is only part of the process. Technical solutions that fulfil the new requirements are also needed. “The requirements for authentication will only increase at hospitals and other service providers,” von Greyerz points out. The new login processes need to be compatible with the treatment procedures to ensure that efficiency and quality standards are maintained. “There are very successful examples of service providers and experienced technology partners finding good solutions for this through intensive, constructive collaborations,” says von Greyerz.
These solutions do come at a price, as the FOPH also knows. When it comes to the costs involved, however, Salome von Greyerz is adamant: “Data protection must not be a matter of price.” When the legally required minimum standard for data protection starts causing additional costs, the service providers will need to address this when negotiating the scheduled payments.
The FOPH has found the awareness and know-how relating to data protection and data security among providers of IT systems to be remarkably high. The ransomware “WannaCry” and other incidents have, however, shown that there are still a number of vulnerabilities in the primary systems in smaller hospitals in particular, as well as in homes and doctors’ clinics. “Shifting data storage from local systems to the cloud may be an effective remedy for this,” says von Greyerz. The pending updates to the federal government’s eHealth strategy will also involve the formulation of recommendations and accompanying measures to support service providers on the topic of data security.
Yvonne Gilli from FMH also considers the build-up of knowledge to be a central objective. Digitalisation is bringing new challenges in relation to data storage, administration and data exchange for practising physicians. “In terms of medical IT technology, Switzerland lacks a lot of the know-how. This urgently needs to be developed – and at university level,” says Gilli.
However, as Gilli points out, know-how alone won’t suffice. Practising physicians need to be remunerated for the IT services they provide – as well as for their expenses for protecting electronic patient data. “These are not, however, represented in the existing remuneration system,” Gilli explains. There isn’t a country in the world in which sustainably promoting the digitalisation of activities in outpatient clinics functions without co-financing from the public purse. As Gilli says: “This will also be true for Switzerland, even though there is a lack of political commitment to this at present.”
While service providers already have a number of challenges to overcome when it comes to data protection and data security, the patients are obviously not particularly interested in the topic, says Yvonne Gilli from FMH. “Your average Swiss citizen is primarily interested in having their data available electronically. At the moment, they are asking very few questions about data protection and data security.”
In the inpatient sector, it is impossible to make a generalised statement about the patients’ interest in the topic of data protection. “Within the scope of the Swiss cancer strategy, for example, a much higher awareness can be identified among patients in oncology,” says Caroline Piana, head of the Tariffs, eHealth division at the hospital association H+.
Hospitals are facing a particularly big challenge in relation to patient data. This data is processed in all sorts of different IT systems. And these systems are often not interconnected, which can be an advantage in the event of attacks from outside. “One disadvantage, however, is that it is much more difficult for the hospitals to get an overview of all patient data records and incorporate them into the EPR,” as Piana explains. Hospital management needs to define the organisational, technical and process-oriented workflows necessary before any collaboration on an EPR platform becomes possible. “The interface to access an EPR platform is therefore not just a project involving IT technology, but affects all aspects of the hospital as a company, including the organisation and processes,” Piana emphasises.
What about the know-how required for the topic of data protection in Swiss hospitals? The H+ association emphasises the fact that the security of patient data hasn’t only become a priority due to digitalisation. Piana: “The hospitals have their own personnel responsible for data protection, or they are looking to involve recognised experts.” One challenge within the context of the EPR is having sufficient hospital personnel with the necessary expertise. H+ will be offering the corresponding training courses in this area.
At each hospital, management must decide for itself whether to make the knowledge of the topic of data protection available internally, or join forces with other hospitals, or get support from external experts. “Within the framework of risk analysis, the hospitals need to consistently examine whether data security and availability could be efficiently guaranteed by means of internal or external resources, or a combination of both,” says Piana.
The complexity of the legal and technical questions relating to data protection means that Swiss service providers will also need to rely on the support of experienced partners. This may be a reason why the planned ICT expenses of hospitals and homes will be relocated from internal operations to external services in the next few years, as a recently published study has shown.
Providers of IT systems are offering stakeholders in the Swiss health care sector the know-how and technical solutions that the stakeholders themselves are unable, or unwilling, to provide. Swisscom, for example, can draw on years of experience in dealing with data security. Among other resources, the Group has more than 100 security experts at its disposal. How important the provider of IT systems considers the security of patient data to be is also demonstrated by the fact that Swisscom employs its own data protection officer for the health sector. Martin Smock monitors the compliance with all laws and regulations. He is regularly in contact with the FOPH, and is the contact person for the Federal Data Protection and Information Commissioner.
“The protection of data and the personal privacy of customers and patients has utmost priority for us,” Smock emphasises. As a provider of IT systems, we are clearly committed to ensuring that health data is given special protection, and is not evaluated by Swisscom. The sovereignty and rights relating to data always remain with the patient. Smock: “Our technology allows us to contribute to ensuring that patients can actually enforce their rights.”