In the US, dominant tech giants such as Google, Amazon and Apple are increasingly developing new services focused on care innovations. They are working closely with regular stakeholders in these endeavours, such as hospitals, medical faculties, medicine manufacturers and also the World Health Organization (WHO). On-body devices, speech technology and AI; expectations are high. But there are also concerns because the abuse of patient and user data forms a significant risk.
In September 2019, Apple announced no fewer than three new healthcare studies in collaboration with large healthcare organisations, including various hospitals and the WHO. All three studies focus specifically on Apple Watch wearers. If they download the newly developed Apple Research App, the smart watch changes into a permanent monitor, or an on-body device, which measures the user’s heart rate, the level of noise to which he/she is exposed and the daily level of physical activity.
Even the menstrual cycle of female users can be measured using the new app and it’s no coincidence that one of the studies is a long-term examination of menstrual cycle patterns. Among other things, this Apple Women's Health Study, set up together with the National Institute of Environmental Health Sciences (NIEHS) and Harvard, should support screening and risk assessment for certain gynaecological disorders, such as polycystic ovary syndrome (PCOS) or osteoporosis.
The heart rate and activity parameters will be analysed in the context of the Apple Heart and Movement Study. The goal is to chart how heart rate and activity levels correspond to hospital admissions, serious falls, overall heart health, and quality of life. The tech giant is working with organisations such as the American Heart Association on this study.
Finally, the Apple Hearing Study aims to provide researchers at the University of Michigan greater insights into the noise levels to which ordinary consumers are exposed and how these may impact upon their auditory health. The study’s results will also be shared with the WHO.
The three studies are great examples of a much broader trend of huge tech companies having identified the healthcare sector as a new domain for innovation. Amazon, for example, recently announced a new function for Alexa which enables pharmacy information to be linked to the smart speaker. Alexa reminds the user when they have to take medicine and can also order medication independently. This service is currently only available for customers of the Giant Eagle Pharmacy chain but Amazon has already revealed that it would like to sign up other large pharmacies in the future. Amazon is also developing new speech technology to alleviate the work of medics, such as dictation software that can cope with specific (para)medical terminology (Amazon Transcribe Medical).
Google is not being left behind either. The company has been working with care organisation Ascension, which is active in 21 American states, since 2018. Ascension is providing the Google Brain division with access to patient data in order to enable Artificial Intelligence (AI) and machine learning to gain new insights. Initially, this so-called Project Nightingale was a secret, but once the Wall Street Journal was tipped off by a few concerned Ascension employees, both parties had to go public about the collaboration.
Project Nightingale immediately highlighted the Achilles heel of this type of collaboration: to what extent is it desirable for major tech companies to gain access to identifiable user data that has been gathered as part of ‘studies’ or ‘new services’, and what are the corresponding potential hazards? Or, as the Wall Street Journal's Rob Copeland put it: “Until recently, neither patients nor doctors knew that at least 150 Google employees had access to a large part of the data from tens of millions of patients in 21 states, including laboratory results, doctors’ diagnoses and hospital reports, linked to names of patients and dates of birth.”
Almost immediately after the publication of the newspaper article, Ascension issued a press release which outlined the collaboration with Google and the ‘robust efforts’ being made with respect to data security and protection. Apple and Amazon have previously reported ‘multiple layers of verification’ in terms of protecting user information, including speech recognition and passwords. The question remains, however, whether this is adequate now that the care sector has become a hugely interesting area for cyber criminals. According to insurer Beazley Breach Response, no less than 37% of all ransomware attacks target care institutions.
Patient data can be misused in a variety of ways, adds Vincent Zeebregts, country manager for Fortinet Nederland, a huge international player in network security. “Medical patient data is currently being traded on the dark web for record prices. This type of information is distinguished from other data due to its permanent nature. This contrasts with a credit card, for example, which can be changed easily. Once this information has been stolen, cyber criminals have masses of time to earn money with patient data. They do so by selling large batches of stolen identity details, blackmailing individuals who wish to hide specific illnesses, or using the information as input for social engineering tricks and finding new ways to target victims.”
According to Zeebregts, the growing use of IoT devices by care institutions, and hospitals in particular, expands the ‘attack surface’: the range of methods and devices that can be used for a cyber attack. “The reliability and security of IoT devices will stand or fall depending on how well they have been developed and tested. Have security mechanisms been integrated during every stage of the development process or was security ‘tacked on’ quickly just before the device was released for use?”
The difficult aspect is that patients themselves can do very little to protect their own data. This responsibility lies with the care sector. Zeebregts continues: “Whoever they do business with, care institutions need to make significant investments in security that protects every layer of the network.”