How to successfully ensure data privacy and security to transform healthcare?

Bryn Roberts, PhD

Global Head of Data Services at Roche Diagnostics

8 September 2021 | 10 min

Quick Takes

  • As technology advances and the potential of data to transform healthcare flourishes, so does the importance of data privacy and security

  • Patient trust and transparency are critical to the successful application of data to improve healthcare

  • Fostering a strong data privacy and security culture and clarifying accountability are key steps to ensure the safe storage and usage of data

As technology advances and the potential of data to transform healthcare flourishes, so does the importance of data privacy and security.   

We sat down with the Global Head of Data Services at Roche Diagnostics, Bryn Roberts, to get his view on why organizations need to put patient data privacy and security first and what actionable steps can help to ensure them.

Data privacy and security – a brief overview

HT: As Head of Data Services, could you give us a brief overview of what data privacy and security are and how you ensure them?

Bryn Roberts: To understand how data privacy is ensured, we must first understand the different types of data that are collected and how they are used. Within Roche Information Solutions, we have two main customer areas: Lab Insights and Provider Insights. Provider Insights typically serves healthcare professionals and providers, or patients directly, while Lab Insights serves the operations and management of medical and diagnostic laboratories.

On the lab side, Roche is often not dealing with identifiable patient data, meaning that we look at aggregated data or data without any form of patient information. These data are still highly valuable for supporting lab efficiency, for example by monitoring the performance of assays and instruments. In these cases, data privacy from a personal perspective is not such a concern. However, there remain important considerations and contractual obligations determining how we need to protect the data and what we may (or may not) do with the data.

On the provider side, we are more likely to be processing data with the potential for patient identification, where privacy is paramount.  The most robust approach to ensure privacy is anonymization or pseudonymization, based on the intended use.  Having this performed by the provider, or a third party, before receipt is optimal.  Otherwise, anonymization as close to data ingestion as the intended use allows is preferable.  In addition, details of informed consent need to be appropriately managed and applied, as do any additional regulatory and contractual requirements.
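To make this concrete, here is a minimal sketch of anonymization applied close to ingestion, assuming records arrive as simple key-value structures. The field names and generalization rules are illustrative assumptions, not an actual Roche schema: direct identifiers are dropped, and quasi-identifiers are generalized so individuals are harder to single out.

```python
from datetime import date

# Illustrative direct identifiers to remove outright.
DIRECT_IDENTIFIERS = {"patient_id", "name", "address"}

def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Generalize date of birth to a 10-year age band.
    dob = out.pop("date_of_birth", None)
    if dob is not None:
        age = (date.today() - dob).days // 365
        out["age_band"] = f"{(age // 10) * 10}-{(age // 10) * 10 + 9}"
    # Truncate the postcode to a coarse region.
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "***"
    return out

record = {
    "patient_id": "MRN-000123", "name": "A. Sample", "address": "1 Main St",
    "date_of_birth": date(1960, 5, 17), "postcode": "4051",
    "assay": "HbA1c", "value": 6.1,
}
print(anonymize(record))
```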

Like anonymization, data encryption is another foundational tool in data security and privacy. Encryption of data in transmission is commonplace, but that protection may be extended to the storage and analysis of data. There are methods of encryption, so-called homomorphic encryption, that allow computation to be performed on data while they remain encrypted. Performing analyses over homomorphically encrypted data reduces the risk of exposing sensitive data through repeated cycles of decryption and encryption.
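For intuition, here is a toy illustration of the additive homomorphic property using the Paillier scheme with deliberately tiny, insecure parameters. Production systems would use a vetted library and large keys; this sketch is not a description of any specific Roche implementation.

```python
from math import gcd
import random

# Toy Paillier setup with demo primes (far too small for real use).
p, q = 293, 433
n, n2 = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
mu = pow(lam, -1, n)                           # valid because g = n + 1

def encrypt(m: int) -> int:
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(c: int) -> int:
    # L(x) = (x - 1) // n, then multiply by mu modulo n.
    return ((pow(c, lam, n2) - 1) // n * mu) % n

# Homomorphic property: multiplying ciphertexts adds the plaintexts,
# so the sum is computed without ever decrypting the inputs.
c1, c2 = encrypt(41), encrypt(17)
assert decrypt((c1 * c2) % n2) == 41 + 17
print("sum recovered from encrypted values:", decrypt((c1 * c2) % n2))
```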

Complexities arise when dealing with data that have had the obvious patient identifiers removed or replaced (e.g. names and addresses) but still contain identifiable information: clinical images that include faces or other unique features, such as tattoos or scars, for example. Genetic information is another data type with the potential to connect to an individual. The privacy risks depend on the context and the intended uses of the data, and mitigation requires a robust risk-based assessment process.

Unique security and privacy measures for unique cases

HT: With the more complex, novel cases, how do you determine the appropriate privacy and security measures to put in place? 

Bryn Roberts: There are a variety of guidelines to consider, for example, those that form part of regulatory frameworks such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), where there are clear requirements to protect data.

In some cases, ethics committees may be asked to consider specific studies or data sets and provide advice on distinct risks or special mitigation plans.  In other cases, there may be existing requirements placed on the healthcare system or provider that we inherit as their solution provider. 

There are a variety of different sources that we need to understand, and those guidelines and regulations are constantly being updated as new risks come to light. As we go further into the field of data analytics, we start to see other requirements come into play: not necessarily to do with privacy, but questions of ethics, for example considering bias, fairness and explainability when using machine learning models.

Beyond regulations and ethics, it is also critical to monitor the wider threat environment to ensure that security measures are commensurate with the cyber risk landscape.

Best practice for data security across national borders

HT: As we talk about the use of data, how do global organizations cope with the differing security and data privacy requirements when trying to share and make use of the data?

Bryn Roberts: That is a great challenge and modern regulations do take account of globalization.  For example, as just mentioned, the GDPR of the European Union (EU) has territorial scope covering both companies (and other entities) established in the EU and personal data relating to subjects in the EU, regardless of where the data processing takes place.  A company with high integrity, like Roche, would typically apply the highest standard globally anyway.  In addition to maintaining high integrity, this practice also translates to certain business efficiencies and minimizes risks of non-compliance across complex global data ecosystems.  So maybe the answer is actually very simple – use the highest standards globally and maintain a well-informed view of the global threat landscape. 

The top security and privacy challenges facing healthcare organizations today

HT: What do you see as the biggest data security and privacy challenges facing healthcare organizations today?

Bryn Roberts: One of the big issues, as we move into using Cloud-based platforms, is the requirement to protect our solutions and data within third-party Cloud environments. This is extremely important and a major concern, especially considering ongoing threats such as hacking. We rely on Cloud providers to implement state-of-the-art cyber security measures to protect the platform from intrusion and for early detection of breaches. In addition to that layer, we are accountable for ensuring our solutions and datasets are robustly protected.

Another challenge comes with data integration. As data become richer and the understanding of their potential value grows, there is more and more interest in integrating datasets to provide enhanced healthcare insights. For example, bringing together data from multiple tests requires a patient identifier to establish that these data belong to the same individual. If we want to track a patient longitudinally along their patient journey and provide insights to support clinical decision making with integrated data, we are also handling an identifier. Pseudonymization is one method used to obfuscate such an identifier and protect the privacy of individuals. However, it can be complex to perform across multiple independent data sources.
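As a sketch of how such linkage can work, assuming both sources share a secret key and a common identifier (both illustrative assumptions, not a description of Roche's pipeline), keyed hashing yields a consistent pseudonym that allows records to be joined without exposing the raw identifier:

```python
import hashlib
import hmac

# Illustrative key; in practice it would be held by a trusted party.
LINKAGE_KEY = b"shared-secret-held-by-a-trusted-party"

def pseudonym(national_id: str) -> str:
    # HMAC-SHA256 yields the same pseudonym for the same input at every
    # source, and is infeasible to reverse without the key.
    return hmac.new(LINKAGE_KEY, national_id.encode(), hashlib.sha256).hexdigest()

lab_results = {pseudonym("756.1234.5678.97"): {"assay": "troponin", "value": 0.02}}
clinic_notes = {pseudonym("756.1234.5678.97"): {"note": "chest pain, ruled out"}}

# Integration joins on the pseudonym, never on the raw identifier.
for pid, result in lab_results.items():
    if pid in clinic_notes:
        print(pid[:12], result, clinic_notes[pid])
```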

The shift to technology-enabled care

HT: Technology-enabled care, such as telehealth services and mobile health apps, is at the forefront of healthcare transformation. What impact will this have on data protection and privacy regulations and on organizations offering these services?

Bryn Roberts: Take COVID tracking apps as an example.  In several countries, there are applications that enable proximity measurements to be tracked between mobile devices, which brought up questions around personal privacy.  A number of approaches were designed that enabled people to be informed when they’d been near someone who later tested positive, without revealing the identity of individuals.
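A simplified sketch of this style of design, loosely modeled on decentralized exposure-notification protocols, might look as follows; the key size, rotation schedule and derivation function are illustrative assumptions rather than any specific national app's specification.

```python
import hashlib
import hmac
import os

def daily_key() -> bytes:
    return os.urandom(16)                # fresh random key each day

def rolling_id(day_key: bytes, interval: int) -> bytes:
    # Short-lived broadcast ID; observers cannot link intervals or
    # identify the device without the day key.
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

# Phone A broadcasts rolling IDs; phone B stores the IDs it hears nearby.
a_key = daily_key()
heard_by_b = {rolling_id(a_key, i) for i in (40, 41, 42)}

# If A later tests positive, only A's day key is published. B re-derives
# the day's rolling IDs locally (96 fifteen-minute intervals) and checks
# for a match; A's identity is never revealed.
published = a_key
matches = {rolling_id(published, i) for i in range(96)} & heard_by_b
print("exposure detected:", bool(matches))
```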

This is an interesting use-case that made whole populations think about this problem, perhaps for the first time.  We want to leverage the data to produce the most value for the patient, payer, and healthcare system overall. Yet, this brings intrinsic risks because, for the data to have the most power, we often need to relate them to an individual.  If you want to do things such as correlating comorbidities or longitudinal data, you have to link data to an individual in some way or another, which generally comes with additional risks.

Concurrently, technology is moving forward in areas such as pseudonymization, anonymization, and even homomorphic encryption, where we retain the integrity of the information's content while making it fully anonymous from the perspective of the user.

Technologies such as Blockchain, which allow transactions between systems and ecosystem players to be tracked immutably, are of increasing interest, especially when working in ecosystems of ‘untrusted’ or unknown players. These types of technology will likely have a role to play in the future, including in democratizing data sharing for individuals.
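The immutability property referred to here can be illustrated with a minimal hash-chained ledger; consensus, networking and smart contracts are deliberately out of scope, and the transaction contents are purely illustrative.

```python
import hashlib
import json
import time

def block_hash(block: dict) -> str:
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def append(chain: list, transaction: dict) -> None:
    # Each block commits to the previous block's hash.
    prev = block_hash(chain[-1]) if chain else "0" * 64
    chain.append({"prev": prev, "ts": time.time(), "tx": transaction})

def verify(chain: list) -> bool:
    # Any tampering with an earlier block breaks every later link.
    return all(chain[i]["prev"] == block_hash(chain[i - 1]) for i in range(1, len(chain)))

ledger: list = []
append(ledger, {"event": "consent_granted", "scope": "study-42"})
append(ledger, {"event": "data_shared", "recipient": "lab-7"})
print(verify(ledger))                    # True

ledger[0]["tx"]["scope"] = "study-99"    # tamper with history...
print(verify(ledger))                    # False: the chain detects it
```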

Society is becoming sensitized to how some tech companies and advertising companies have been accessing and using data, through mechanisms like third-party cookies, and I anticipate the bar being raised significantly as healthcare apps and data become more widespread on platforms like smartphones.

Transparency and choice at the forefront of patient data usage and security

HT: If we consider medical data at the individual patient level, such as data generated by sequencing, imaging, digital biomarkers, do different measures apply?

Bryn Roberts: They’re not necessarily different, but they must be applied more rigorously. Take, for example, a digital biomarker in a neurodegenerative disorder. Based on a device, such as a smartphone, that the patient or subject carries with them at all times, it may passively monitor factors such as the location and movements of the individual. This enables longitudinal assessment of locomotor symptoms. Unsurprisingly, these data may be highly sensitive for individuals, and they need to trust that their privacy will be protected appropriately.

How do we build that trust? Informed consent plays a big role – making sure an individual understands the full implications of what they are providing and what uses they are agreeing to. Another critical factor is providing the element of choice, for example, the ability to turn off monitoring for a specific timeframe, in the awareness that there will be some loss of fidelity and possibly reduced insights. This full understanding, transparency, and choice are critical to moving forward with such digital health applications.

Technical considerations such as how we move and store data, whether on the device or in the Cloud, determine data security and privacy for digital health applications. Encrypting data on the device and during transmission is common practice, but there are further opportunities to protect privacy through anonymization, separation of certain data types, and minimizing data residency times. This is ‘privacy by design’ in action – meaning that, as we design the system, we carefully consider the data we will handle and how best to preserve privacy.
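As a minimal sketch of these privacy-by-design choices, assuming the widely used Python cryptography package, sensor data can be encrypted on the device before it is stored or transmitted; key management here is deliberately naive, and the payload is illustrative.

```python
from cryptography.fernet import Fernet

# In practice the key would live in the device keystore, not in memory.
key = Fernet.generate_key()
box = Fernet(key)

reading = b'{"step_count": 5231, "tremor_index": 0.14}'
token = box.encrypt(reading)   # ciphertext safe to store or transmit

# After upload is confirmed, the local copy can be deleted to minimize
# data residency time on the device.
assert box.decrypt(token) == reading
```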

The vital role of patient trust to turn data into valuable insights

HT: On one hand, it seems that individuals or patients want ownership and control of their data, yet at the same time these data must be shared for healthcare providers or companies to provide valuable insights back to them. Do you feel like this trust to share data is being gained with patients, or do you feel like we still have a long way to go?

Bryn Roberts: We have a limited understanding and window on that.  Within our clinical trials, we know that patients have a high level of trust in Roche, for example.  When we deploy digital biomarkers to either healthy subjects or patients in controlled clinical trials and studies, we know there’s a very high degree of compliance and adherence to the protocol over time.  Based on the positive feedback from those patient communities and the enthusiasm to participate in understanding the disease, or their personal situations, we see trust in action.  That window suggests there’s already high trust, which we need to maintain, but that’s within a highly controlled environment.  These are typically people who are very proactive in wanting to collaborate with a company like Roche to develop new treatments and healthcare solutions.

As we deploy digital tools out into the broader community, we’re starting to understand how the broader population feels, which is generally positive. Like all technologies, you get the early-adopter cohort moving in enthusiastically, followed by the broader population at rates according to their perception of value and risk. We’re still in the early-adopter phase with digital health applications, and we’re getting most of the feedback from enthusiasts and curious participants. We know there will be a certain portion of the population who will, for a number of reasons, be reluctant to participate. We must accept and respect that fact and continue to engage in dialogue with patients, caregivers, physicians and others, to make sure we’re understanding the environment we’re operating in and what concerns people have.

That comes back to transparency, and the importance of choice. Informed consent is critical in this regard and has been applied and refined over many years in the clinical trial setting. An individual has the right to withdraw their consent and not participate in future data collection, which gives people a sense of security – even if they never withdraw their consent, they know that the mechanism is there should they wish to use it. Similarly, in other settings, the aforementioned GDPR provides comparable assurances, giving individuals the right to have their identifiable personal information removed from the records of a corporation or organization.
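A minimal sketch of such a withdrawal mechanism might look like this; the class and field names are illustrative assumptions, not a reference to any specific consent-management system.

```python
from datetime import datetime, timezone

class ConsentRegistry:
    """Tracks consent; withdrawal stops collection and triggers erasure."""

    def __init__(self):
        self._consents: dict[str, dict] = {}

    def grant(self, subject_id: str, scope: str) -> None:
        self._consents[subject_id] = {
            "scope": scope, "granted": datetime.now(timezone.utc), "withdrawn": None,
        }

    def may_collect(self, subject_id: str) -> bool:
        c = self._consents.get(subject_id)
        return c is not None and c["withdrawn"] is None

    def withdraw(self, subject_id: str, erase) -> None:
        self._consents[subject_id]["withdrawn"] = datetime.now(timezone.utc)
        erase(subject_id)   # e.g. delete or anonymize identifiable records

registry = ConsentRegistry()
registry.grant("subject-17", "study-42")
print(registry.may_collect("subject-17"))                    # True
registry.withdraw("subject-17", erase=lambda s: print("erasing", s))
print(registry.may_collect("subject-17"))                    # False
```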

A reciprocal benefit to patients is key to building trust

Bryn Roberts: The more data we have, the more powerful the insights we can generate, the better we can support patients and healthcare systems.  It would be unfortunate if individuals became uncomfortable participating because they do not feel that there is sufficient benefit for the effort and risk they are investing, or that others are benefiting disproportionately.  It’s very important for us to ensure that individual participants receive some direct personal benefit from their participation.  This could simply be the knowledge that they are helping others or potentially as impactful as gaining novel insights that help them and their doctors to make more informed decisions in their own medical care.

In the case of a digital biomarker, for example, participants can look at reports to see how they are performing day-to-day with their symptoms. That’s also an interesting dialogue to have with individuals as part of the contract: in return for collaborating in data generation, what benefit do you expect to receive? I think if you do that well and it’s a well-balanced equation, there shouldn’t be too many problems.

The complexity of data ownership 

Bryn Roberts: The question “Does a patient own their data?” is very complex. Unquestionably, a patient has certain rights – the right to privacy, for example – but who owns healthcare data is more complex and needs further discussion. Healthcare systems vary between countries, and factors such as who pays for data generation will influence the culture of ownership. Patients, physicians, payers, governments and other stakeholders may all claim some degree of ownership, so it might be better to talk in terms of data citizenship rather than data ownership, where each player in the system has rights and responsibilities.

Here’s a concrete example. If a physician orders some clinical tests for a patient and that patient requests all the data to take away, there’s a discussion to be had between the patient and the clinician, and careful consideration is needed. Few clinicians would refuse to give the patient the data without good reason. However, additional dialogue may be needed to ensure the patient remains safe in having access to the data. Perhaps additional information, context, training or tools are required to interpret the data correctly as a basis for life-changing decisions.

In certain circumstances, informing an individual about the results of genetic testing, such as sequencing, may need to be conducted by a qualified genetic counselor.  The counselor will be able to tailor the information for the individual, considering the probabilistic nature of such results, personal preferences, and factors related to actionability and heritability.

For public health management, governmental organizations may need access to diagnostic data.  Healthcare professionals routinely perform audits of healthcare records, looking for opportunities to improve care for future patients.

So, as we see in just these limited examples, healthcare data citizenship is not straightforward and trying to boil it down to a simple question of ownership could be detrimental for individuals and society at large.

A message to C-suites focused on ensuring data security and privacy

HT: What advice would you give to healthcare executives and leaders as this focus on ensuring data security and privacy increases?

Bryn Roberts: 

1. Take the subject very seriously and give it appropriate consideration in everything that the company does.
2. Be clear on who is accountable at the highest level. Executive teams may have multiple roles related to data, such as Chief Information Officer, Chief Data Officer and/or Chief Digital Officer. They will also have roles relating to compliance, such as a Chief Compliance Officer and Chief Legal Officer. In some cases, some of these roles may be combined. Whatever the model, make it clear who is accountable on the executive team for data security and privacy. Appropriate measures can then be cascaded throughout the organization, with appropriate executive reporting to track status.
3. Implement privacy by design. Ensure that privacy, as well as security, is anchored in the architectures and processes used for the development and implementation of data products and services. Data sets should be reviewed by experts for potential privacy risks, with appropriate mitigation strategies implemented in the workflows (see the sketch following this list for one such check). These measures will avoid costly remediation and support robust compliance.
4. Engage with the key stakeholders, such as physicians, patients and caregivers, who can provide valuable insight into how they expect healthcare data to be used and protected. What benefits do they expect to receive in return for their participation? This will result in better products and services, of course, and will build transparency and trust.
5. Build a culture around data privacy, for example, through appropriate training of data scientists who work deeply in datasets and need to understand appropriate use under different scenarios. Consider carefully how reward and recognition models foster data citizenship and privacy considerations.
6. Monitor the wider threat environment to ensure that security measures are commensurate with the prevailing cyber risk landscape.
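As one concrete example of the dataset review in point 3, a k-anonymity check over quasi-identifiers can flag datasets that need further generalization before release. The column names and threshold below are illustrative assumptions, not a prescribed standard.

```python
import pandas as pd

def smallest_group(df: pd.DataFrame, quasi_identifiers: list) -> int:
    # Size of the rarest combination of quasi-identifiers: every individual
    # is hidden among at least this many records.
    return int(df.groupby(quasi_identifiers).size().min())

df = pd.DataFrame({
    "age_band": ["60-69", "60-69", "60-69", "70-79"],
    "postcode": ["40***", "40***", "40***", "80***"],
    "diagnosis": ["T2D", "T2D", "HTN", "T2D"],
})

k = smallest_group(df, ["age_band", "postcode"])
print(f"k = {k}:", "ok to release" if k >= 3 else "needs further generalization")
```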

Bryn Roberts has a PhD in Pharmacology and a background in Data Science. He joined Roche in Basel in 2006 and, in his current role as Global Head of Data Services within Roche Diagnostics, his accountabilities include data strategy, architecture and governance, data engineering, and data science. Beyond Roche, Bryn is a Visiting Fellow at the University of Oxford, with interests in AI and machine learning, systems biology, and scientific software development. He is an Associated Faculty member of the University of Frankfurt Big Data Lab and lectures in medical informatics at the University of Applied Sciences, NW Switzerland. He is a member of several advisory boards, including the Pistoia Alliance, the University of Oxford Dept of Statistics and SABS Centre for Doctoral Training, the Microsoft Research/University of Trento Center for Computational and Systems Biology, and RoX Health.