Louise Cantrill & Mathew McMillan - Henry Davis York

Health in the Age of the Data Revolution

Matthew McMillan, Partner
Louise Cantrill, Partner

10 March 2017

What we will cover

What has changed in the last 10 years?
Data revolution – what is it?
Real life examples in health
Key challenges
Key risks
Managing the challenges and risks

What’s changed in the last 10 years?

Electronic health record (EHR) systems
Smartphones become ubiquitous
Tele-medicine
Emerging technologies on the rise:
  artificial intelligence: accelerate R&D efforts
  augmented reality: fitness apps
  drones: emergency response
  Internet of Things: remote patient monitoring
  3D printing: customised implants

Big data revolution - what is it?

5 billion gigabytes of data every 2 days
Structured, unstructured, semi-structured
Volume, velocity, variety
Disruptive, transformative
Big data + analytics = data-driven insights = value

Current state of play in Australia

10% are using big data
45% are investigating how they use big data
25% do not see a need for big data
20% see a need but are not investigating how to use big data

Big data matters!

Example: Diabetes management

Example: Smart pill bottle cap

Example: Royal Free Hospital

Privacy and security matters!

Personal information issues are becoming more prominent
97% of Australians don’t like their personal information being used for a secondary purpose
Dissonance between what we want vs what is possible
Data-driven innovation needs a strong foundation in privacy
Privacy underpins security – “two sides of the same coin”

Key privacy and security challenges

Breadth of personal information subject to regulation:
  capable of identifying an individual, or rendering an individual reasonably identifiable
  combination of data sets
Sensitive information includes:
  health information
  genetic information
  biometric information used for verification or identification
Differing regulatory approaches here and overseas

Key privacy and security challenges

Openness and transparency in management of personal information
To do this, you need to understand your data flows
Helps with data security strategy

Key privacy and security challenges

Notification and consent:
  must notify the individual how personal information is collected, the purposes of collection and to whom information will be disclosed
  traditional notion of “informed consent” challenged
Issues:
  consent buried in privacy policies
  bundling of consents
  obtaining meaningful consent
  avoiding negative reactions

Key privacy and security challenges

Use and disclosure of personal information:
  cross-border disclosures and accountability
  IoT industry is generally poor on privacy
  Data mapping and supplier due diligence is critical
Security:
  burden increases with the sensitivity of the personal information involved
  It’s not just a matter of compliance, but a business fundamental

Risks

Mandatory data breach reporting requirements
Action by the Privacy Commissioner(s)
Breach of duty
Class actions
A statutory duty based on a right to privacy?
Identity theft, ransomware

Mandatory data breach reporting

My Health Records Act 2012 (Cth)
  Applies to registered healthcare providers
  Must notify the Privacy Commissioner and/or the System Operator (in the case of State and Territory agencies) when there has been unauthorised collection, use or disclosure of health information included in a healthcare recipient's My Health Record
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
  Applies to entities covered by the Privacy Act 1988 (Cth)
  Must notify the Privacy Commissioner and affected individuals of an ‘eligible data breach’ - unauthorised access to, unauthorised disclosure of, or loss of personal information where there is a risk of serious harm to the individual to whom the information relates
  Failure to provide notification may result in investigation by the Privacy Commissioner

Privacy Commissioner

Commissioner's powers:
  undertake investigations
  make a determination
  enforceable undertakings
  civil penalty orders of up to $1.7 million for companies under the Privacy Act

Privacy Commissioner

Recent investigations involving a number of Australian companies, NSW public sector agencies and healthcare providers:
  Pound Road Medical Centre
  Organica and Brygon
  MedVet

Breach of duty

Wyndham Worldwide (US)
  Hackers invaded the main network of one of Wyndham’s operating subsidiaries and stole credit card information for over 619,000 Wyndham customers
  Federal Trade Commission began to investigate and subsequently commenced legal proceedings
  Wyndham’s shareholders simultaneously brought a shareholder derivative action against certain directors and officers of the company, and the company itself as nominal defendant
  Duty owed, but not breached – adequate systems in place

Class actions

Horizon Blue Shield
  Two laptop computers, containing sensitive personal information about members, were stolen from Horizon
  Even without evidence that the plaintiffs’ information was used improperly, the alleged disclosure of their personal information created a de facto injury
Medical Informatics Engineering
  Took MIE three weeks to discover hackers had gained access to systems, compromising personal information of nearly 4 million Americans
  Insurers sought an order declaring no duty to defend or indemnify MIE
Triple-S Management Corporation
  USD $3.5 million settlement after repeatedly failing to put safeguards in place to protect beneficiaries’ information

Class actions

Lahey Hospital and Medical Center
  Non-profit teaching hospital to pay USD $850,000 and implement corrective actions for violations related to lax security
Sony
  Settlement reached after detailed medical records swiped in cyberattack
Cancer Care Group
  Large radiation oncology practice fined USD $750,000
  Unencrypted server backup media and a laptop containing the protected health information, Social Security numbers and insurance data for some 55,000 patients were stolen from an employee's car

Data security risks

Google v Vidal-Hall (UK)
  Collection of private information about internet usage
  An action for breach of privacy is now decoupled from the requirement to prove economic loss
Legislative right to privacy?
Action for breach of privacy?
Identity theft
Unauthorised trading in personal data
Ransomware
  Royal Melbourne Hospital cyber attack on pathology department in January 2016
  Gold Coast medical centre held to ransom by Russian hackers who encrypted thousands of patient medical records

Managing the challenges

De-identification as a potential solution:
  what does it look like?
  possibility of re-identification, e.g. Australian Public Service employee census
  creation of new personal information through the power of analytics
  need for multi-sector cooperation

Managing the challenges

Implement a privacy and security management program
Undertake privacy impact assessments (PIAs)
Be alive to changing community attitudes
Put patients/clients in control:
  increased transparency
  privacy policy
  privacy settings
  consent

Managing the challenges

Notification and consent models:
  continuous
  unbundling
  meaningful
  dynamic
Increased involvement and engagement of patients/clients on new initiatives

Managing the challenges

Data security:
  technical, operational, contractual safeguards
  Reviewing adequacy of existing measures
  Ensuring appropriate contractual protections with vendors

Implementing a management framework

Mature information governance frameworks
Top-down management approach
Policies, practices and procedures
Regular staff training
PIAs
Threat or risk assessments
Data breach response plans
Audits
Testing
Technology

Questions