REVIEW
Analysis of requirements for confidentiality and exchange of digital health data
Yelets State University named after Bunin IA, Yelets, Russia
Correspondence should be addressed: Azkhar K. Alzubaidi
Kommunarov Str., 10А, Yelets, Russia; moc.liamg@09ratsrhza
At present, digital medical services, which can analyze survey results based on extensive data, have seen rapid growth. So, the issue of medical secrecy and data confidentiality remains highly relevant.
On the one hand, medical secrecy is protected by the state through restrictions and defense mechanisms. On the other hand, the issue is influenced by the ethical part. According to Aleksandra Dronova, State Secretary and Deputy Minister of Health of the Russian Federation, it is regulated by special standards of the medical law. ‘Now, when information technologies are being developed, it is essential to ensure medical confidentiality during treatment and protection of data collected from patients’, says the expert. Data processing is associated with the risks of its disclosure. Thus, the issue of reliable protection has reached a new level [1]. As per Federal Law as of 21 November 2011 No. 323-FZ
‘On fundamental health care principles in the Russian Federation’ [2], medical secrecy involves various data including the fact of seeking medical aid by a citizen, condition of health, diagnosis and data obtained during a medical survey and treatment [3]. The law strictly prohibits the disclosure of the data to persons who have acquired them, except as required by law [4].
First, in the presence of written consent of the citizen (authorized representative), information classified as medical secrecy can be transferred to other citizens and qualified persons to conduct a medical survey, treatment and associated procedures [5].
Second, in the absence of written consent, the following cases are allowed (part 4, art. 13, Law No. 323-FZ) [2]:
- to perform a medical survey and treatment of a citizen who is unable to express own will because of his/her condition;
- at risk of spreading infectious diseases, mass poisoning and destructions;
- at the request of state bodies only in cases specified by law, for instance, at the request of inquiry, investigation agencies, or court in connection with an investigation or trial;
- to control whether persons recognized as suffering from drug addiction discharge the duties imposed on them by court;
- when medical aid is provided to the minor;
- to inform the law enforcement agencies of certain cases, such as admission to the hospital of a person who most likely suffered as a result of unlawful actions;
- to have a military medical examination;
- to investigate an industrial accident and a professional disease;
- when medical organizations exchange data;
- to exercise accounting and monitoring within the system of compulsory social insurance;
- to control the quality and safety of a medical activity.
The strict limitations are designed for proper protection of medical secrecy and confidentiality of patients in the Russian Federation. The term ‘medical secrecy’ does not encompass the full range of individuals who should maintain the secrecy; it refers not to doctors only but to the entire personnel of the medical institution where the patient is admitted and any people who obtained access to the data (for instance, pharmacists or lawyers). The medical secrecy includes not only medical data about the patient’s health but also other data such as the patient’s location, the fact of seeking medical aid, hospitalization, surveys, etc. [6, 7]
It is stressed in the concept that anybody who has access to medical information of the patients should ensure medical confidentiality, and that by doing so, they maintain patient trust in the medical system.
The legislation of the Russian Federation, namely the Federal Law ‘On fundamental health care principles in the Russian Federation’ as of 22.07.93 No. 5488-1 (Resolution No. 5488-1) states that citizens have the right to keep it confidential that they referred to medical aid, along with other data submitted by them while asking for medical aid. The rights include a requirement for informed and voluntary consent to medical intervention and a right to refuse from it. The rules and standards of handling medical data are also regulated by the Ethical Code of a Russian Physician (Code, 1994) [8].
As per article 30 entitled ‘The Patient’s Rights’ of the law about fundamental principles, a patient who refers for a medical aid has a right to keep the following information confidential: fact of seeking medical aid, condition of health, diagnosis and other data obtained during examination and treatment as per article 61 hereof. The patient can also select who can obtain access to his/her health-related data (par. 6.9 of article 30) [8].
According to article 31 ‘Citizens’ rights to health information’, the data contained within the citizen’s medical documents constitutes medical secrecy and can be disclosed without a citizen’s consent only in cases set in article 61 hereof. It also guarantees the right of everyone to obtain health-related data in any convenient form including data about the survey results, the presence of a disease, prognosis, methods of treatment, related risks, possible interventions and their consequences, and treatment outcomes [8].
According to article 61 ‘Medical secrecy’, data confirming that medical assistance was sought, information about a citizen’s health, diagnosis and other data obtained during an examination and therapy are considered as medical secrecy [8].
The right of citizens for confidentiality of transferred data while obtaining medical assistance and other information constituting medical secrecy entails responsibility of medical workers and other persons for disclosure of data. The responsibility can include administrative, disciplinary or criminal measures in accordance with the legislation of the Russian Federation and republics within the Russian Federation.
Analyzing the regulation of the legal status of medical secrecy, the head of the department of social legislation of the Institute of Legislation and Comparative Law affiliated to the Government of the Russian Federation Natalia Putilo has noted a growing tendency to exclude something belonging to medical secrecy. Thus, the previous edition of the Legislation of the Russian Federation on the Protection of the Health of Citizens (approved by the Supreme Court of Russia as of 22 July 1993 No. 5487-1, which is no longer in effect) had five positions related to the exclusions of medical secrecy disclosure, whereas the previous and current editions of the current law had 10 and 14 positions respectively. It should be noted that according to the decisions taken by the Constitutional Court, the Russian legislation is imperfect as far as medical secrecy goes. Additional grounds have to be established in relation to disclosure of medical secrecy to relatives of deceased patients in certain cases. According to the expert, the respective legislation is under development now. It means that there is a growing number of exclusions in relation to medical secrecy disclosure[2].
The issue about the legislative regulation of telehealth services deserves separate discussion [2]. Telehealth technologies represent the means of distant interaction between medical professionals and patients, identification of participants and records of medical consultations and observations. In the legal society, there exist two opposite opinions about the subsequent regulation of telehealth technologies. Some experts believe that the existing regulation is not sufficient and needs to be more rigid and detailed. Others believe that the current standards are elaborated enough and that excessive regulation prevents novel information technologies from development[9].
In the light of medical sector digitalization, numerous processes of data treatment have gone to electronic format. Increased information puts more responsibility on its safety. Thus, information safety in medicine requires to observe three principles: integrity, accessibility and confidentiality. It is necessary to protect not just information but also the infrastructure used to process the data. Moreover, the medical sphere is a part of critical informational structure; the subjects of the sphere have to protect the data and correspond to safety requirements [1].
Medical institutions have numerous personal data belonging to employees and patients. Many of the data represent medical secrecy [10, 11]. Due to that, their vulnerability to various cyber-threats, either of which represents unique challenges and risks, is increased even more. Ransomware attacks are of particular concern. Let’s consider the WannaCry attack in 2017, which seriously affected the National Health Service (NHS) of Great Britain and showed the vulnerability of medical systems to similar threats [12].
Personal medical information (PMI) is highly valued in the black market. So, data theft also poses significant risks. A good example is the Anthem Data Breach of 2015, when hackers were able to steal 79 million member’s records [13].
Phishing attack is another common threat aimed at health care workers. Its goal is to extract confidential information or install malware. This is what happened in 2019 at the University of Washington Medicine when a misconfigured server had resulted in almost million of patient data being exposed online [14].
Internal threats, either intentional or accidental, are also a problem in medicine. The incident in 2018 when a nurse of a New-York hospital Illegally obtained access to patients’ medical records by breaching their confidentiality can serve as an example [15].
A growing use of connected medical devices or Internet of Medical Things (IoMT) brings about new vulnerabilities. For instance, FDA report on pacemaker safety made in 2017 underlines potential IoMT related risks [16].
Supply chain attacks is another vector of cyber-threats when intruders target third-party suppliers associated with medical institutions. In 2020, the security of a large American-based hospital system was breached through a supplier. Millions of patients were affected [17].
DDoS (Distributed Denial of Service) attacks can paralyze IT health care systems as in case of DDoS attack launched in April 2014 on Boston Children’s Hospital when the operation of the hospital was seriously disrupted [18].
So, information safety in medicine acquires even more importance. Artificial intelligence (AI) is an important ally here as it offers novel solutions to solidify the security of data and keep them confidential. The ability of AI to rapidly analyze huge amounts of data, detect abnormalities and react to online threats revolutionizes the way data protection is handled. AI-based technologies will reformat the methods used by us to protect and treat the confidential data by ensuring a high safety standard within our interconnected world, starting from predictive threat analysis and ending with complex encryption methods [19, 20]. The AI systems are good at analyzing samples and abnormalities seen in the large sets of data, making them more effective in the field of advanced threat detection than regular software. They can examine normal network behavior and rapidly determine deviations, which can point at a security alert such as unauthorized access or attempts of data exfiltration. Early detection is essentially important to prevent or mitigate the consequences of violation of personal data security [21].
AI can respond to threats faster than humans. As soon as a threat is detected, AI can take actions immediately such as isolation of involved systems, block of suspicious network traffic or activation of other security protocols to prevent subsequent damage. Moreover, AI can conduct a predictive analysis based on historical data, which allows to predict and prevent potential safety threats [22].
AI increases data safety by improving encryption methods. By optimizing encryption, AI makes it difficult for unauthorized users to access confidential data. These AI-based encryption methods are constantly evolving and outpace intuder’s attempts to crack the security code [23].
The biometric authentication systems represent another area with a significant contribution from AI. AI improves facial recognition, fingerprint scanning and voice recognition by ensuring a better security access to confidential information as compared to traditional passwords [24].
As far as maintenance of confidentiality during data analysis goes, AI can extract valuable data from big data with simultaneous protection of single data points. Some methods such as differential confidentiality prevent data analysis results from breaching individual confidentiality. Moreover, AI tools are crucial to ensure compliance with data protection laws such as Federal Law No. 152-FZ ‘Concerning Personal Data’ as they automatically evaluate whether the data handling practices within a company correspond to the required legal standards [25].
AI also improves security information and event management (SIEM) systems by correlating and analyzing security signals originating from various sources. This ensures better understanding of potential security threats. Finally, AI is invaluable while assessing templates indicative of a fraudulent activity in critical sectors such as finances and health care protecting institutions and their clients from potential fraud [26].
CONCLUSION
One of the main system requirements of the system is to ensure the confidentiality of a large amount of data accumulated at medical institutions. Due to low protection of confidential data of the existing medical information systems, there are risks that hackers will attack data systems and use personal data of patients and medical professionals for unacceptable purposes.
AI integration into medical information systems makes analysis and solution of common issues, confidentiality and safety, much more effective. AI is essential to reduce the problems by offering complex solutions, which is impossible to do with traditional methods.
AI algorithms can monitor and detect any unusual actions or potential threats within medical information systems. By analyzing patterns and detecting abnormalities, AI can present an early warning system against hacker attacks, which pose a significant risk due to low protection within the existing medical information systems.
Moreover, AI can reduce load on IT personnel at medical institutions by automating routine tasks such as data backup, encryption and disaster recovery. The automation allows to cut expenses and minimize human errors, which can be costly and harmful in sensitive medical data processing.
Finally, AI can increase the total reliability of medical information systems. Use of AI along with advanced algorithms for threat detection and response can result in a higher safety and security, which is crucial in the processing of sensitive medical information.