PrivSec Report takes a look at the growth of digital healthcare – and the impact on patient privacy and data security.
We’ve all seen the newspaper reports of how hospitals and ICUs have coped with treating the influx of patients caused by the Covid-19 pandemic. But the disease has also caused widespread changes in the way that day-to-day healthcare services are provided. In common with many other sectors, those changes have often involved the relocation of service provision away from the traditional setting, in this case a healthcare setting such as a doctor’s surgery, to the patient’s own home, enabled by technology.
The introduction of technology into healthcare provision – often described variously digital health, e-health, telemedicine or healthtech – is not a new concept, of course. According to Statista, the global digital health market was worth around USD88 million in 2018, well before the pandemic hit. Technological assistance in the provision of health services in a variety of ways, from digitalising patient records, to online patient consultations, has been growing in recent years, evidenced by a steady number of healthtech IPOs in recent years.
But there is no doubt that the pandemic has focused minds on the potential for technology, not least for its ability to avoid face-to-face contact and facilitate social distancing – vital in reducing the spread of the virus.
In a blog post published at the end of July, UK Secretary of State for Health and Social Care Matt Hancock wrote that:
“The old argument about whether it’s right to prioritise modern technology in the NHS and our care sector is over. The pandemic has proven beyond doubt that better tech is vital for the future success of our health and care service.”
“Now we need to focus on how we can ‘bottle’ the progress we’ve made in the last few months.”
But what are the implications for privacy and data protection?
In particular, remote consultations have become much prevalent than in the past.
“Some services had introduced phone consultations or video consultations but, subsequent to lockdown, that became a wholesale change. The vast majority of services that could offer remote consultations did, or wanted to do so immediately,” says Jonathan Craven, Head of Information Governance and Data Protection Officer at Central and North West London NHS Foundation Trust.
“I think this throws into sharp relief something that we’ve never really considered before, because if you were having a patient consultation in person, it would, 99 times of a hundred, be in a healthcare setting – and therefore the clinician can control that environment. We have subsequently had to consider advising patients around video consultations and what their environment is – is it noisy, are they able to have a secure, private conversation? Sitting in Starbucks is probably not a good environment for you to have your consultation with your doctor.
“Along with that there are considerations around the huge variety of platforms that have sprung up within the last four or five months with regard to video consultations. There were the big players that most people knew about but, from my experience recently, almost any clinical software developer has produced a video consultation app within the last two or three months. We have to evaluate them, and we have to make sure they are appropriate for the use case.”
One such service is Q doctor. Founded by CEO Dr Chris Whittle, a former NHS anaesthetist, Q Doctor is a video consultation platform and clinical service, which was selected to be part of the NHS response to Covid-19 in the UK.
“Our long-standing work to help create extra clinical capacity for the NHS meant that we were already connected to the NHS network through our virtual computers by the time Covid-19 came on the scene. This meant that we were ready to quickly deploy them to hundreds of clinicians, enabling the NHS workforce to continue providing clinical care in a new and adapted way at this critical time,” Whittle says.
According to Whittle, 25 million people can access care via Q doctor consultations, through 3,000 GP practices, NHS trusts and urgent care services in the UK, which he says creates greater capacity, appointment availability and reductions in waiting times in the NHS.
He says: “During the outbreak of Covid-19, we noticed an increase in demand for our services from the NHS, as our online appointments significantly reduced the need for face-to-face contact and enabled patients to be kept safe and distanced from GP surgeries. We were chosen by NHS England to be one of 11 suppliers for the immediate provision of online primary care consultation in March, which undoubtedly increased the reach and use of our services.
“We also had plans in the pipeline to partner with other digital tools and further extend our service offering, which we have been able to bring forward due to demand. For instance, we have now launched an integrated digital platform which includes triage, video calls, patient messaging and treatment information, for the first time, with our partners eConsult and Cognitant Group.”
Privacy and patient data safety has necessarily been key to the development of systems like Q doctor, but Covid-19 has meant that a pragmatic approach has been taken, in some instances.
“There are strict controls around data protection and information governance; these have developed over the last few years and so long-standing suppliers like us have built our systems in the context of good governance and safety. During Covid-19, some standards were dropped in order to quickly facilitate mass use of video platforms, for example, in the face of overwhelming need and a shift in the risk-benefit balance. As the pandemic subsides, NHS organisations are looking for sustainable solutions that meet and exceed ‘peacetime’ standards,” Whittle explains.
“In terms of digital health technology in general, we are aware that there were issues during the outbreak and peak of Covid-19 when it came to data security. The urgency, huge demand, rush to implement and lack of initial guidelines created a perfect environment for mistakes to happen. As such, some providers had security incidents and data breaches, which were covered in the media.”
One such breach concerned Babylon Health, a provider of audio and video consultations, which temporarily allowed a patient access to another patient’s consultation due to a software error.
But Whittle sees the pandemic and resulting tech environment as having positive impacts for data security too:
“… the situation also triggered discussions and increased awareness regarding data security. Many clinicians had to face challenges they’d never encountered before, such as handling sensitive photos, digital consent, secure messaging, picture storage and others that arose from remote video consultations with patients. Guidelines had to be developed quickly to increase confidence, reliability and standardisation of care quality as much as possible. However, these will need to be revised in response to how digital service provision has worked in practice and involve a wider variety of stakeholders to contribute, to ensure these are all-encompassing.
“Security and confidentiality are vital for building trust between providers and patients. Trust is essential as it allows patients to feel safe and comfortable to communicate openly with those who care for them. Without the right information and context, clinicians cannot draw conclusions about a diagnosis, treatment and other aspects of a patient’s health and care.”
At Central and North West London NHS Foundation Trust, Head of Information Governance and Data Protection Officer, Craven, has also been grappling with how to deal with the data generated by tech-enabled ways of handling patient data, not least in ensuring IT infrastructure that is robust enough to meet increased demands.
“Because of the nature of the changing relationship we’ve had with patients, we are not necessarily collecting more data of theirs, but we’re collecting it in new ways, or interacting with them in different ways,” says Craven.
Craven adds that video consultations have thrown up issues of retention of content and around data subject access requests, that he has previously not had to consider before.
He says: “Most ICT storage infrastructures are not currently capable of supporting every single patient consultation being video recorded and stored. So we’ve had to cut our cloth according to our means, and record the content in the electronic patient notes, as we would have done in person. But that requires a bit of reassurance to the patients, to say look, this is how we’re doing things in this new environment,” he says.
In its own systems, Q doctor employs regular stress testing, both internally and externally, with third-party penetration testing. It assesses cyber security through existing frameworks, accreditations and toolkits led or endorsed by the NHS, such as the Data Security and Protection Toolkit and Cyber Essentials. It also has an Information Security Management System in place that ensures that risks are assessed and mitigated.
Alongside its potential, and challenges, Craven sees the digitalisation of aspects of healthcare as a logical extension of people’s evolving lifestyle, which privacy concerns need not stymie.
“This, for me, is the crucial bit that we need to grasp now: the vast majority and the ever increasing majority of our patients are digitally active – and that’s how they want to interact with us,” he says.
“People do their banking online, people do their shopping online… they do medication online, all of these kinds of things. For example, taking a healthcare setting, you can have a person who has a video consultation with their GP, the GP does an electronic prescription, which is automatically immediately sent to their pharmacy, the pharmacy fills out that prescription, and then delivers it to that patient’s door. How is that not a better service provision of healthcare? Particularly if this person is elderly they might have a chronic health condition, it might be incredibly difficult and painful for them to actually leave their own house – and we can do this pathway which means they can do everything from the comfort of their armchair in their living room.”
He adds: “That, for me, is the next stage – is accepting this is where we should be going. It’s not just about tech, but it’s saying, look, this stuff’s there and as long as we make sure we are do it appropriately and with due consideration and within the constraints of the law – which we can do – then who’s arguing against it, and why?”
Whittle has found a great degree of acceptance of services like his among patients.
“The reception has been overwhelmingly positive for the most part, particularly during the outbreak of Covid-19, where necessity meant that patients and surgeries were both keen to embrace digital health tech platforms like ours,” he says.
But, like Craven, he also accepts that such services might not be appropriate in all cases.
“… we don’t deny that face-to-face appointments between patient and clinician are always going to be needed to some extent. The question is where are these absolutely necessary and whose decision is it to make a judgement on these?
“For instance, what if a patient has hearing difficulties, or does not have the technology or capacity to participate (for example, someone living with dementia)? This demonstrates that not all aspects of healthcare can be fully standardised and some clinical judgement needs to be made on a case-by-case basis.
“Just like we have guidelines for treatment, we will need to have frameworks for telemedicine that address such issues. This is an interesting opportunity to create those decision-support systems that will make physicians more comfortable in further embracing future health tech services.”
For digital health providers like Q doctor, he has some advice:
“Be transparent and honest with what you can deliver. Covid-19 has caused rapid digitisation but suppliers need to make sure they don’t over stretch the use cases of the technology they have in place. A tight, value-adding fit is what will work best for both supplier and NHS organisation, which is why I’d recommend two-way discussion to reach mutual understanding of how solutions may or may not fit a given clinical pathway or scenario.”
To ensure a health tech sector that is safe, secure, compliant, and maintains confidentiality for patients amid the ongoing Covid-19 crisis, Whittle calls for data security standards to evolve alongside digital health solutions.
“In the future, doctors’ professional judgement regarding these should be supported with guidance from the NHS and industry bodies.
“I’m confident that policy makers will benefit from collaborating with medtech companies to discuss and debate how this can and must work in practice. Companies and innovators have plenty of first-hand experience of both challenges and successes and could play an important role in developing guidelines and best practice to support a resilient, digitally enabled healthcare system for the future.”