Solving the data privacy challenge when working with Digital Health and Artificial Intelligence for Personalised Medicine
PubGene AS is building Coremine Vitae, a Digital Health solution for Personalised Medicine. It is intended to aid in the personalised, shared clinical decision, finding treatment options for patients and their healthcare teams. It is based on a CE-marked Medical Device MDD Class I, harnessing the powerful combination of human and machine intelligence.
This article was initially published on coreminevitae.com/blog/
For patients to safely benefit from a digital health solution at scale, it must be delivered through the hands of medical doctors. Coremine Vitae’s impact in healthcare will be at its greatest once it becomes embedded into clinicians’ workflow. I made it my mission to make it happen. To do so, positioning Coremine Vitae as a reliable partner of the local and regional eHealth ecosystems is a necessity. Interoperability and collaborations are enabling more efficient healthcare of high quality.
My two non-negotiables:
- Working with health, we cannot be approximate. People will count on us for life decisions. We need to work towards quality excellence.
- People in need of our services are in their most vulnerable state. They want solutions fast. We need to protect them. Once they get better, they shouldn’t have to live with the consequence of having their data privacy leaked. (e.g. insurance loss, bank loan approval challenged, employment/career blocked, or simply being seen as sick — not fun).
Those are also the concerns of Healthcare organisations, which work under strict regulatory constraints. It is our duty as an eHealth vendor to provide them with compliant solutions.
Being transparent on how we address those points will facilitate integrations and the rollout of our solution to public healthcare.
So, how do we address the data privacy challenge when building a Digital Health solution based on Artificial Intelligence software for Personalised Medicine?
Those are 4 solutions:
- Obtain the patient informed consent;
- Achieve total compliance with the National Codes of Conduct for Information Security and Data Protection in Health and Care services (in Norway, it is defined by Normen), and ISO/IEC 27001 Information Security Management;
- Work only with non-personally identifiable information (non-PII);
- Utilise a Federated Learning Server.
In this 4-article series about Data Privacy in Digital Health and Artificial Intelligence, I will dive into the practicality of each of those.
If you are interested in this topic, make sure to follow to not miss a thing!
Some References
Relevant to the Norwegian Market
Information Security and Data Protection in Health and Care
- The Norwegian Code of Conduct for Information Security and Data Protection in Health and Care, mapped to ISO 27001: https://ehelse.no/normen/oversikt-over-normens-krav-og-mapping-mellom-iso-og-normen
- ISO/IEC 27001 Ledelsessystemer for informasjonssikkerhet, Standard Norge https://www.standard.no/fagomrader/ikt/it-sikkerhet/isoiec-27001/
- The EU Privacy Code of Conduct on mobile health (mHealth) apps https://ec.europa.eu/digital-single-market/en/privacy-code-conduct-mobile-health-apps
- Data protection by design https://www.datatilsynet.no/en/about-privacy/virksomhetenes-plikter/innebygd-personvern/data-protection-by-design-and-by-default/?print=true
Informed Consent
- GDPR Consent Requirements https://gdpr.eu/gdpr-consent-requirements/
- Norwegian Privacy Regulation (personvernforordningen) artikkel 13 og 14
Data Protection
- Data Protection Impact Assessment — DPIA — https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/vurdere-personvernkonsekvenser/vurdering-av-personvernkonsekvenser/
Regulatory sandbox for creating responsible artificial intelligence (‘the AI Sandbox’)
