Finding the balance between innovation and data security in healthcare

In his classic book Animal Farm, George Orwell wrote: “All animals are equal, but some animals are more equal than others.” A crude modern comparison might be: “All data should be protected, but some data should be protected more than others.” An example of data that needs more robust security than most is medical data. The reasons for this need little explanation.

Now that the UK government has announced its new “Data saves lives” health and social care strategy, we must consider the security implications and the risks that it entails. In a nutshell, this policy aims to reform the health and social care sector, change the way data is used to achieve progress and efficiencies, help address the Covid-19 backlog, and create a system fit for the future: a future where patients can benefit from faster and more innovative treatments and diagnoses.

Interestingly, the key principles laid out in this strategy are to improve “confidence” in the use of data by the health and care system, and to ensure that health and social care professionals have the information they need to improve the overall patient experience and healthcare delivery. The goal of giving patients greater confidence that their personal information is secure will naturally cause some concern. The public has been informed that there will be secure data environments, primarily for the NHS, its various trusts and social care organisations, which will provide access to de-identified data for research purposes.

Within the broader policy document, the government has confirmed that data linked to a person will never leave a secure server and will only be used for agreed research purposes. The NHS refers to this as a ‘trusted research environment’ (TRE). The TRE service provides approved researchers from trusted organisations with timely and secure access to health and care data. Researchers have access to their approved data, in accordance with their data sharing agreements, allowing them to collaborate or link data, as well as share code and results within the same research projects.

In cybersecurity, this falls under what are known as privacy-enhancing technologies (PETs). Although there is no single definition of PET, it is generally accepted that the term refers to technologies that incorporate fundamental data protection principles by maximising data security and empowering individuals, as well as minimising the use of personal data. In this case, PETs will allow the NHS, or other health care services, to protect the privacy of patient records, or personally identifiable information (PII), provided to and handled by services or apps.

Common examples of PETs include format-preserving and homomorphic encryption, secure multiparty computation and secret sharing, differential privacy and obfuscation techniques, and various means of anonymisation or pseudonymisation. PETs can also be divided into hard and soft varieties. Hard examples include onion routing, secret voting, and VPNs, while soft examples include access control, differential privacy, and tunnel encryption such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

There is no doubt that privacy-enhancing technologies such as homomorphic encryption will transform security in the cloud, which healthcare providers will rely on. Homomorphic encryption allows computation on encrypted data in a cloud environment without the cloud provider ever holding the private key; it is commonly referred to as the “holy grail” of cloud security.
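To make the “computation without the private key” property concrete, here is an added example that is not part of the article and not any NHS or TRE code. It implements the textbook Paillier cryptosystem, which is additively homomorphic: a server holding only the public key can add encrypted patient readings (and multiply them by a known constant), and only the key holder can decrypt the aggregate. The primes, the blood-pressure readings and the function names are all constructed for the demo; the primes are far too small for real use and a production deployment would use a vetted library rather than hand-rolled arithmetic.

```python
# Added example: toy Paillier (additively homomorphic) aggregation.
# Demo primes and patient readings are constructed; not real-world parameters.
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial-division primality check; adequate for the demo-sized primes used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


class PaillierPrivateKey:
    """Holds lambda and mu; only the data controller (e.g. the trust) has this."""

    def __init__(self, p: int, q: int):
        assert is_prime(p) and is_prime(q) and p != q
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        # mu = (L(g^lambda mod n^2))^-1 mod n, using the standard choice g = n + 1
        self.mu = pow(self._L(pow(self.n + 1, self.lam, self.n2)), -1, self.n)

    def _L(self, x: int) -> int:
        return (x - 1) // self.n

    def public_key(self) -> int:
        # The public key is (n, g); with g = n + 1 the server only needs n.
        return self.n

    def decrypt(self, c: int) -> int:
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n


def encrypt(n: int, m: int) -> int:
    """Encrypt plaintext m (0 <= m < n) under public key n. Randomised: each call differs."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2


# --- operations the server performs on ciphertexts only (no private key) ---

def add_encrypted(n: int, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 == E(a + b)."""
    return c1 * c2 % (n * n)


def scale_encrypted(n: int, c: int, k: int) -> int:
    """E(a)^k mod n^2 == E(k * a)."""
    return pow(c, k, n * n)


def encrypted_total(n: int, ciphertexts: list) -> int:
    """Sum a list of ciphertexts, starting from a fresh encryption of zero."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = add_encrypted(n, total, c)
    return total


def demo_aggregate(readings=(118, 135, 142, 127)) -> dict:
    """Data controller keys and encrypts; server sums blind; controller decrypts."""
    priv = PaillierPrivateKey(1000003, 1000033)  # constructed demo primes, too small for real use
    n = priv.public_key()
    cts = [encrypt(n, v) for v in readings]       # what the server receives
    enc_sum = encrypted_total(n, cts)             # computed server-side, key-free
    enc_double = scale_encrypted(n, cts[0], 2)    # server scales a value by a public constant
    return {
        "total": priv.decrypt(enc_sum),
        "mean": priv.decrypt(enc_sum) / len(readings),
        "doubled_first": priv.decrypt(enc_double),
        "distinct_ciphertexts": len(set(cts)) == len(cts),  # randomisation hides equal values
    }


if __name__ == "__main__":
    print(demo_aggregate())
```

The design point for a TRE-style deployment is the separation of roles: the party that generates the key pair never hands the private key to the compute environment, so a compromise of the server alone exposes ciphertexts and aggregate queries, not readings. Note also that the scheme is randomised, so two patients with the same reading do not produce the same ciphertext; this matters because deterministic encryption would leak equality even without the key.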

However, there is little technical information on the actual technology underlying the planned secure data environment for the NHS. Like any technology, there can be good or bad implementations, which can have drastic consequences. This is crucial in cyber security because hackers only need to find the weakest link in the system to break in.

Modern computer systems are extremely complex. There is also the issue of key management. You can have a perfect implementation of a PET, but if the key management isn’t perfect, then everything is broken. Another common criticism of PETs is that they can be complex to use. This complexity can lead to errors that could in turn lead to critical patient data breaches, not to mention audit and compliance challenges for healthcare regulators and governments.

PETs are relatively new to IT and there has been outcry about industry giants implementing such technology. In these cases, the concern was that these companies wielded disproportionate power through their vast troves of data. However, we must be careful not to throw the baby out with the bath water. These are interesting times, but the public should expect the NHS to have the expertise to put the right secure data environment in place. Otherwise, once medical data is leaked, it can never be recovered.