# **Design and Implementation of Digital Health Interventions - Week 2: Regulatory Approaches and Ethics**

This module will focus on **identifying the appropriate regulatory processes associated with digital health and personalised and population digital health approaches**. You will also be introduced to important topics including the value of data and health care data; data regulations, including **data security, ownership and access**; and lastly, **data breaches and fake news**, where you will assess contemporary examples.

### **Learning Objectives**
- Identify the appropriate regulatory processes associated with digital health
- Analyse the importance of data security, ownership and access
- Analyse cases where ethics/governance has been breached

## **2.1: Regulatory approaches and data in Digital Health**

### **Different Regulatory Approaches to Digital Health**
The previous videos introduced you to cybersecurity. In the first course in this specialisation, you also examined the differences between personalised and population approaches to Digital Health (DH). Among the many issues covered, issues of **data security**, **trust** and **transparency** are very important in the DH space, compounded by the fact that at global, regional and country level, **regulation of DH is still evolving** and, in some instances, **lacking**. In this section, we would like you to look in a bit more detail at the regulation of DH.

**Digital healthcare: regulating the revolution**  
This reading is a brief summary of an article which was published in the British Medical Journal (BMJ) in 2018. 

**Summary**   
In the article, the authors note that in DH, the sudden influx of technology, combined with a lack of robust governance, has led to distrust among some clinicians, patients, and healthcare providers. As technologies evolve, the regulation of DH will bring its own challenges. These challenges are mainly a result of market forces and the presence of identifiable patient data. As DH technologies emerge, it is becoming very difficult to provide cost-effective regulation before they go to market.

**Market forces, rapid innovation and change**

**Technology is fast-moving**, and so Digital Health regulation has to keep up with quick and sometimes unpredictable developments. The article exemplifies one approach to regulating - or not regulating - certain technologies. At the time of writing of the article, the USA's "21st Century Cures Act" and the Food and Drug Administration (FDA) decreed that **certain technologies do not have to be regulated**. These include **apps which are deemed "lower risk"**; for example, appointment reminders, or "healthy lifestyle reminder" apps.

This approach to not require regulation for certain types of technology means that those technologies can be commercialised quickly.

For technologies which are more likely to need regulation, the regulators will need to be **agile**, and may have to employ **"horizon scanning"** to be able to quickly identify brand-new technologies and respond quickly to their development. Regulators could require technology companies to provide updates. A potential approach to careful deployment under regulated conditions is that some technologies may only be allowed to be used in research studies.

However, discouraging or slowing innovation and the ultimate delivery of new technologies could mean that patients benefit more slowly, or do not end up benefiting at all, from potential Digital Health interventions or technologies.

**Personal data**

DH technologies collect valuable, personal data, which is necessarily **patient identifiable**. This data is fundamental to healthcare. Engaging patients in collection of this data requires **trust** and therefore **transparency**, regarding how their data will be used, by whom it can be accessed (and how their use of data will be limited to the agreed uses), how it will be secured, and what the benefit is to patients of these technologies.

There is a need for **cross-border regulation**; healthcare may be governed at a country level, but **companies handling the data may be multinational**, and in an increasingly interconnected world, cross-border regulation could be more efficient and consistent than individual country level. **Supra-national bodies** such as the EU already implement data protection regulation which is applicable in a range of settings, and Digital Health will certainly require similar regulation.

Amidst these challenges, the authors end by making a strong case for an agile and future-proof regulatory framework that everyone can trust. The full article makes a strong case for a robust DH regulatory framework.

**Reflection: examples from your setting**  
The purpose of these questions is to help you reflect on different regulatory approaches to DH and how these may apply in your setting.

Think about how DH is regulated in your setting. If there is no regulatory framework for DH in your setting, that’s fine too. Remember, DH is an emerging field and regulation is still evolving even in settings where it is available.

1) In DH, there is bound to be **tension between commercialisation of products and regulation**. With your setting in mind, can you think of a few instances or examples where these tensions could arise? How would you manage such tensions, so that individuals benefit from the DH invention while the regulatory safeguards are still met?

2) Think about how you would ensure the safety of personalised data in your setting or workplace.

**Reference** 
- Duggal, R., Brindle, I. and Bagenal, J. (2018) ‘Digital healthcare: regulating the revolution’, BMJ. BMJ Publishing Group, 360, p. k6. doi: 10.1136/bmj.k6. Available at: https://www.bmj.com/content/360/bmj.k6.long.



### **Challenges in Digital Health regulation**
This is a segment of an interview with Indra Joshi. The full interview video is the next item in this module. The quoted segment illustrates one reason why regulation in Digital Health can be difficult to develop and implement.

Dr Joshi is discussing artificial intelligence.

______

Felix Greaves: "So are there any particular aspects of regulation that we need to think about, particularly with artificial intelligence, are there any challenges in that space?"

Indra Joshi: "So the **regulation** at the moment is, okay: So we have something called the **Medical Device Regulation**, which looks at if a product classifies itself as a medical device, how does it use what we call software as a medical device to be regulated? The challenges lie as we actually **plug those stand-alone products into the live system**. So at the moment **you can regulate a product that stands alone** over here. **But once it gets plugged into a system and starts learning on the live dataset, that is when the regulation hasn't quite covered**. Those are things that we're grappling with now. So the ranges it goes is, at what point do you know from a technical aspect that that model is still the model that you plugged into? When is that model going to decay? **Models decay over time as the data varies**. What are the levels of decay that are acceptable? Then from a safety perspective, so in clinical practice, safety is paramount. Whose job is it to actually understand that when that model has decayed, or it needs to turn off, whose job is it to do that? What's that what we call operating procedure around that? So this is what we call post-market surveillance, are currently in the regulation system. So **how do we build that post-market surveillance in our operating procedure once we've done the bit I mentioned before, actually in real-time**?"

______

So you can see this is an example of the **challenges which come with regulating something where the technology being regulated actually changes while it is in use**! This is an example of rapid innovation and new technologies making regulation difficult.

**Reflection**

How do you think regulation can be developed, given this challenge? Think about this as you watch the video, in the next item.

The content in the video will be relevant for the following lesson, on Ethics in Digital Health.



### **Example on Data Regulations**
Interview with Dr Indra Joshi, the AI Director at NHSX.

- AI, in a simplified way, can be considered as a set of tools for automating and enhancing the human brain's ability to recognise patterns in complex pieces of data, such as medical images or big datasets of other kinds.
- Many good examples of the use of AI in health care are on images. There are many good sets of **image data** available to train and build AI systems. A variety of AI tools are also becoming available for **diagnostic assistance** (e.g. triage, decision support), integrating multiple datasets to help choice.
- A study with the National Health Research Innovation Observatory (NHRIO) found about 130 odd technologies with either a European or CE mark or other market authorisation. The majority were in imaging, but the type of images processed ranged widely (from cardiology to brain, breast and eyes).
- Challenges of AI for healthcare:
  - AI tools need to be adapted to specific circumstances and datasets (because, for example, they have been developed in a different context)
  - Topol Review: clinicians need to understand the **basics of AI** (e.g. how do you critically appraise a paper about ML?) and how to take a product and adapt it to their system (partnership of CIOs)
  - Regulation and AI: (see above section)
- **Code of conduct for AI technologies**: to help AI developers. 10 principles (e.g. what is the problem trying to solve? what is the impact on the workforce? what is the commercial model?), they get updated each year. A report was also written to bring together the community (some good examples)
- AI will replace some mundane tasks for doctors and help with assistance and prioritisation.
- The hope is that health and technologies become more symbiotic. Regulations so far have been very stringent, out of caution.
- **Bias from data**: **diversity** and quality. If the tool is trying to solve a problem for a specific condition, it cannot just be trained on a homogeneous dataset (e.g. training models only on a Caucasian population). Computer biases are created directly from human bias. Diverse sources need to be involved.


### **Data Regulation Approaches**
You now have a broad idea of Digital Health (DH) regulation and its importance in making health data safer and more secure. This reading will introduce you to an example of a particular **regulatory framework for data**. This framework is the **European Union’s General Data Protection Regulation** (**GDPR**), which is essentially a **law to enforce data privacy in all European countries**. Other regulatory frameworks exist, for example the **United States' HIPAA** (**Health Insurance Portability and Accountability Act**) privacy rule and public health guidance.

**Summary**  
This reading is a summary of a short article by Charlotte Haug (Haug, C. J. 2018, not open access) and an interview between Dr Haug and Stephen Morrissey, Managing Editor of the New England Journal of Medicine (NEJM), which you can listen to (openly accessible) on the NEJM website.

- **GDPR** enshrines in law the **international principles of protection of privacy and personal data**. It requires that **consumers** of all kinds, including patients, must now give their **explicit consent** for use of their **personal data** — and can **withdraw** it at any time. 
- Patients will have the **right** not only to **see** and **obtain**, but also to **correct** and **erase** Electronic Health Records (EHRs), as well as to **know how and why the data are stored and used**. 
- A key concept in the GDPR is “**privacy by design**”. Privacy by design calls for **inclusion of data protection from the outset in designing systems** and makes it clear that **consumers own their data** and have the power to make corrections. 
- Haug points out that data have been, until now, something which was gathered from patients and "owned" by the doctors, researchers, health systems, or companies which gathered it. The GDPR may lead to a shift to **viewing patients as collaborators** and **giving them the tools to manage their own health** and **participate more broadly in DH on their own terms**.  

The author suggests **three possible strategies** organisations facing GDPR could pursue. These are:

**1) Do as little as possible and try to continue business as usual**   
**2) Move away from working in the regulated area (Europe)**  
**3) Embrace GDPR**

The second option, avoiding data protection regulation by not doing business in Europe, is a shrinking possibility - other countries and regions have their own data protection regulations being implemented. So the choices may realistically be between the first and third strategies.

For companies working in the area of DH, trying to continue business as usual could mean trying to convince people that their data are secure with those companies and that indeed there is such a great benefit to handing over their personal medical data, that they simply ought to do so. However, patients may not be easily convinced! They may for example think a company will simply sell or share their data on for their own gains, which would engender mistrust. People may be deeply unhappy with the idea that any company or healthcare institution "owns" their data.

Dr Haug suggests that the best option may be to embrace GDPR - if patients are actively given control of their data, this may help engage patients and ultimately could lead to advances in healthcare. She has seen that **people are more willing to share their data because they own it** - but they want to know what happens to the data. Of course this is not universal and different groups of patients have different views - but Dr Haug is optimistic that in general, giving patients control and responsibility for their own data, as well as knowledge about what is happening to it, empowers them and encourages participation in healthcare.

**Reflection**  
1) What are the commercial, scientific and political implications of implementing GDPR in your setting?

2) Again, think about your context. In your context, would embracing a data protection policy improve your data handling practices?

3) Think about how you would implement GDPR in your setting or workplace.  

**Reference**  
Haug, C. J. (2018) ‘Turning the Tables — The New European General Data Protection Regulation’, New England Journal of Medicine. Massachusetts Medical Society, 379(3), pp. 207–209. doi: 10.1056/NEJMp1806637. Available at: https://www.nejm.org/doi/10.1056/NEJMp1806637?url_ver=Z39.88-2003&rfr_id=ori:rid:crossref.org&rfr_dat=cr_pub%20%200pubmed.

## **2.2: Ethics & Digital Health**

### **Ethical aspects of Digital Health**
In this reading item you will find one core and one optional reading, both discussing Ethics in Digital Health.

**Reference**
- Core:  
Brall, C., Schröder-Bäck, P. and Maeckelberghe, E. (2019) ‘Ethical aspects of digital health from a justice point of view’, European Journal of Public Health. Oxford University Press, 29(Supplement_3), pp. 18–22. doi: 10.1093/eurpub/ckz167. Available at: https://academic.oup.com/eurpub/article/29/Supplement_3/18/5628045.

**Summary**

This article by Brall et al. discusses the ethical aspects of Digital Health (DH) with a focus on **health justice**. As a **core value of public health**, health justice describes the **social obligations to promote and restore health as a means to achieve individual opportunities and exercise individual autonomy**. With public and private investment increasing in DH, it is important to promote **fair and equitable access to DH technologies**. In this regard, three themes were discussed in this article: i) the ethical chances and challenges unfolding in digital health, ii) ethical guidance needed, and for whom and iii) existing policy and practice initiatives to foster ethical DH.  

The **ethical chances and challenges of DH** are multidimensional with two distinct phases:   
**i) Before utilization of DH:** this covers **access and truthful information, empowerment, and informed consent**. DH tools must be designed to represent all parts of the population, leaving no ground for bias and discrimination. DH tools should offer a chance for the **inclusion of marginalised and deprived groups in the population**. There should be **clear informed consent procedures** with room for revision to meet the unfolding challenges of DH.  
**ii) During utilization of DH:** During the utilisation of DH, there should be **fairness in storage, access, sharing, and ownership of data**. Data must be stored securely, access must be controlled and documented, and ownership must be democratised to grant individuals full access to their medical information. Finally, DH tools should not compromise the dignity and autonomy of patients.  

The **ethical guidance** needed for DH is **multisectoral** with a **wide range of stakeholders** involved. DH is integrated into a complex network of different parties, involving not only the users and providers of DH technologies and applications. DH stakeholders include:
- patients
- governments
- non-governmental organisations
- pharmaceutical and medical companies
- app technology companies
- etc.


Within this complex network, end-user data must not be exploited. There is a need to build and maintain trust in the communities and the need to promote data literacy. All stakeholders must possess the all-important values of transparency, accountability, and inclusiveness.  

Because of the challenges highlighted, **policy initiatives are needed**. In April 2019, the European Union (EU) published the “Ethics guidelines for trustworthy AI”, which describes the values to be met for DH tools, like artificial intelligence (AI), to be trustworthy. The World Health Organisation (WHO) concurrently released the ‘Recommendations on digital interventions for health system strengthening’, which assesses the benefits, harms, acceptability, feasibility, resource use, and equity considerations of DH interventions. Other initiatives are mentioned in the article, but they all seek to make DH fair, equitable, and trustworthy.

As you read through this article, think about the ethical considerations raised. (You don’t have to write answers for these questions; they are meant for reflection.)

1. What questions should inform stakeholder access to patient data? Would these apply to your setting?

2. List six values that should be met for AI technologies to be trustworthy. Would you add to these to suit your context?

3. List six ethical values of Digital Health.

  

**Reference**
- Optional: Vayena, E. et al. (2018) ‘Digital health: meeting the ethical and policy challenges’, Swiss Medical Weekly. EMH Media, 148(34), p. w14571. doi: 10.4414/smw.2018.14571. Available at: https://smw.ch/article/doi/smw.2018.14571.

**Summary**

This article by Vayena et al., 2018 also discusses the ethical and policy challenges of Digital Health (DH). The ethical challenges highlighted are similar to those discussed in Brall et al., 2019. These challenges include privacy, security, trust, and accountability. The authors reflect on the impact of Big Data in informing DH ethics, as large-scale data repositories create challenges regarding data management, privacy protection, and oversight mechanisms. The global and Swiss data governance systems are discussed, wherein the authors make the case for improving global health data regulation and for better harmonisation of data collection and consent systems in Switzerland. The authors end by discussing the importance of public engagement, wherein all stakeholders, particularly patients, are given ownership of the data.

**Reflection**

As you read through this article, think about the ethical considerations raised. (You don’t have to write answers for these questions; they are meant for reflection.)

1. List five conditions for innovative Digital Health products and applications. Would these apply to your setting?

### **Bioethics and Digital Health**
**Summary**  
- This report considers the ethical questions raised by advances in information technology and data science in the context of health care and biomedical research. 
- As we generate more data about people’s health and biology, from more sources, than ever before including GP records, hospital notes, laboratory tests, clinical trials, monitoring devices and health apps, the report does recognise opportunities to generate new knowledge, improve medical practice, increase service efficiency and drive innovation. 
- However, as in previous readings, the report looks at **issues of fairness, trust and equity**. The report sets out **key ethical principles** for the **design** and **governance** of **data initiatives** and identifies **examples of good practice** relevant to anyone approaching a data initiative, such as a principal investigator in a research project, lead policy official or commissioner of services. These principles, similar to the behaviours expected of developers of Digital Health technologies, have already been mentioned in the National Health Service (NHS) code of conduct for data-driven health and care technology.
- The principles include:   
i) respect for persons    
ii) respect of human rights  
iii) participation  
iv) accounting for decisions.

**Reflection**

As you read through this article, you can focus on the following questions. (You don’t have to write answers for these questions; they are meant for reflection.)

1. Briefly describe three ways that data could be anonymised. Have you had to use any of these approaches in your setting?

2. Briefly describe three opportunities offered by data. Have you benefited from any of these opportunities in your setting?

**Reference**

Nuffield Council on Bioethics (2015) The collection, linking, and use of data in biomedical research and health care: ethical issues. Available at: https://www.nuffieldbioethics.org/wp-content/uploads/Biodata-a-guide-to-the-report-PDF.pdf.

## **2.3: Value of Data in Digital Health**
- In the NHS, data is described as an intangible asset and it is difficult to put a value on it. There is also no single NHS data custodian to act as an interface to individuals or organisations who want to access data.
- In the US, individuals can upload their individual medical records on websites and get paid for the upload and usage.
- A lot of the value of data is in its aggregated form, because aggregation allows patterns and potential uses to be detected.
- Data could be patented, given for free use for a number of years, or equities could be introduced: there are potentially many different value-sharing mechanisms.
- There is a variety of deals for data sharing between NHS and private companies and some good use cases.

### **Monetising data**
Because data regulation and safety are a financial issue that must be funded, Fontana et al. make a case for the NHS (UK) to realise fair financial value from its comprehensive, longitudinal patient-level data. The authors argue that if policymakers get this process right, monetisation of data would benefit patients and taxpayers. As you read, think about how this idea could be applied in your context.         

**Reference**

Fontana, G. et al. (2020) ‘Ensuring that the NHS realises fair financial value from its data’, The Lancet Digital Health. Elsevier Ltd, 2(1), pp. e10–e12. doi: 10.1016/S2589-7500(19)30225-0. Available at: https://www.thelancet.com/journals/landig/article/PIIS2589-7500(19)30225-0/fulltext.

The challenges of monetising health data may include the following:

- **Patient Privacy**: In most instances where monetising health data supersedes patient interest, there is an increased risk of a breach in patient privacy and safety. This could be addressed by strict regulation and enforcement of regulatory laws. It is important to ensure that patients understand and support the use of aggregated anonymised health data at all times.

- **Profiteering**: Where companies use data solely to maximise profit, at the expense of patient concerns. This could be addressed by strict regulation and enforcement of regulatory laws.

- **Monopoly**: Where companies form mergers to monopolise data and control very large quantities of data, with the risk of profiteering. This could be addressed by strict regulation and enforcement of regulatory laws.



## **2.4: Data Breaches and Misinformation**

### **Example of a cyberattack**
- Cybersecurity has been a bit neglected in the healthcare sector, considering the confidentiality and value of the data.
- The 2017 **WannaCry attack** hit the NHS (and other organisations globally). That event showed how vulnerable healthcare systems are to cyber attacks. A few days before the attack, NHS Digital warned all hospitals to patch one of their systems. All the hospitals and healthcare systems that were then hit by the WannaCry attack were later found not to have applied the patch to their systems. This episode highlighted the **vulnerability of outdated systems**.
- A ransom screen appeared on the computer systems affected, including systems necessary for healthcare services. The ripple effects on the NHS over the following weeks were quite big. The attack was resolved in about 12 hours by a cybersecurity expert.
- Preparation is essential for keeping healthcare systems safe. Obstacles on the way are the legacy of old IT systems and the lack of an inventory of IT resources (which makes it difficult to evaluate whether everything has been patched/protected).
- IT services need more investment (currently only 2%). Education in cybersecurity for all NHS personnel is also essential. Opening access to the system to patients would also require higher levels of security.
- Building trust between healthcare providers and patients is huge, and it is difficult to repair if it gets compromised.
- IT security of healthcare systems can be considered a **patient safety issue**. It is essential to have resilience plans in place, to do system back-ups and to invest more in cybersecurity.
- There is now a National Cybersecurity Centre run by NHS Digital to monitor and alert for cyberattacks.
- Healthcare organisations are now required to do a cybersecurity assessment of their assets.

### **Breaching of Data Regulations**
From previous lessons, you have learnt about health data regulations, seen some examples of country-specific regulations (UK and US) and had the opportunity to think about data regulation in your country. This is all well and good, but things don’t work out well all the time. Now, from this short editorial, you will learn and reflect on the consequences of breaching data regulations.

**Summary**

In this editorial, Ghafur et al. describe **data breaches** in the UK, Singapore, Estonia and the US.

- The **WannaCry ransomware** encrypted data and files on 230 000 computers in 150 countries and impaired the functionality of the National Health Service (NHS) in England. Key systems were blocked, preventing staff from accessing patient data and critical services. 
- In Singapore, the health data of 1.5 million Singaporeans were stolen in a cyberattack in 2018. 
- In Estonia, a cyber-siege in 2007 led the Estonian government to create its cybersecurity strategy, which has built many aspects of cybersecurity into the country’s law. 
- In the US, criminals stole 80 million records from Anthem, a US health insurance company. 

From these examples, there is a clear need for governments to have and enforce data regulations, as data breaches are a financial and patient safety issue.

You are encouraged to read the editorial with a focus on the examples of data breaches in the four countries and reflect on the financial and human consequences of these breaches.

As you read, please reflect on the following question:

What are the financial and patient implications of health data breaches in your setting?

**Reference**
- Ghafur, S. et al. (2019) ‘The challenges of cybersecurity in health care: the UK National Health Service as a case study’, The Lancet Digital Health. Elsevier Ltd, 1(1), pp. e10–e12. doi: 10.1016/S2589-7500(19)30005-6. Available at: https://www.thelancet.com/journals/landig/article/PIIS2589-7500(19)30005-6/fulltext.



### **Viral misinformation**
You have read a lot about health data, its regulation and the consequences of breaching data regulations. But there is one form of data that flows through our everyday lives: the news. Today we don’t just rely on conventional media like journal articles, newspapers, radio and television for the news; we also rely increasingly on social media for news, almost in real time. **Social media** has made news data more accessible, but with this come issues that include **reliability**, **fairness** and **accountability**. The product of this unvetted news is **misinformation** and **'fake news'**. When it is perpetuated to influence health, it becomes a **major patient safety issue**.

You are encouraged to read the commentary by Heidi Larson, which is freely available on the Nature website. 

**Summary**

In this short commentary, the author argues that viral misinformation is one of the biggest pandemic risks of recent times. Importantly, the author reminds us that health misinformation can also be perpetuated by members of the scientific community. An example is the 1998 publication by the infamous former physician Andrew Wakefield purporting to show a link between autism and the measles, mumps and rubella (MMR) vaccine. Despite having his licence revoked and his work retracted, Wakefield persists in campaigning against the vaccine, and expert consensus alleges that his efforts have contributed to persistent global vaccine anxieties and refusals. The author mentions other categories of individuals who would want to spread false health news. These include individuals with a financial interest, those with a political interest and the “**super-spreaders**”, **individuals who knowingly or unknowingly distribute the fake news (misinformation) on social media**. The author concludes that no single strategy works for handling fake news. Everyone, including you, must be ready to play a decisive role.

**Reflection**

You are encouraged to read the commentary with a focus on the broader consequences of fake news (misinformation) in health. As you read, please reflect on the following questions. (You don't need to write the answers. The purpose of the questions is to help you reflect.)

1) As you read, think about the social, economic and political consequences of fake news (misinformation) in your setting. You can limit your thoughts to health fake news and health-related consequences.

2) Can you give examples of fake health news (the health issue and the specific nature of the news)? Was it on social media platforms? 

3) Think about the perception of vaccination in your community. Has fake information influenced these perceptions in any way?

**Reference**   
Larson, H. J. (2018) ‘The biggest pandemic risk? Viral misinformation’, Nature. Nature Publishing Group, 562(7727), pp. 309–309. doi: 10.1038/d41586-018-07034-4. Available at: https://www.nature.com/articles/d41586-018-07034-4.