marcus comiter, "data policy for internet of things healthcare devices: aligning patient,...
Upload: the-petrie-flom-center-for-health-law-policy-biotechnology-and-bioethics
Post on 23-Jan-2018
266 views
TRANSCRIPT
Data Policy for Internet of Things Healthcare Devices:
May 6, 2016
Marcus ComiterHarvard University
Aligning Patient, Industry, and Privacy Goals in the Age of Big Data
Digital
Physical
Sense
Internet of Things (IoT)
Network
Take Actions
Components of an IoT Healthcare System
Data Layer
Devices
Applications
Types of Healthcare Data
Electronic Health Records
New data modalities:activity and sleeptrackers, daily bloodchemistry analyzers,24/7 heart ratemonitors
Internet of Things
Digital version ofexisting datamodalities
Ramifications of the Healthcare IoT and Data Layer
• Fundamentally transform aspects of chronic disease prevention and treatment
• Medical Research• Long-‐term collection• Large-‐scale studies• New modalities
• New economic models• Provision of immediate incentives for healthy living via market forces
Potential Futures
Innovation and Advancement
Misuse and Abuse Nothing at All
>
Main Points
Comparative Approach: Looking to the Internet as a Model
The data collected from IoT healthcare devices is fundamentally different in nature from traditional sources of healthcare data, such as medical records, and far more similar to data characterized by the development of the Internet.
> Third Party Data Auditors (TPDAs) as a Solution
TPDAs are specialized, highly technical third party actors hired by individuals to audit the use of their healthcare data by data owners such as insurance companies, data brokers, and researchers. TPDAs address the shortcomings of the data policy regulation on the Internet by building in both a technical and policy regime to the Healthcare IoT and Data Layer itself that is aimed at explicitly aligning the incentives of patients, researchers, insurers, and government with the end goal of treating and preventing chronic disease while giving users full control over and understanding of their data.
Outline of Talk
1. Considerations in Designing Policy for Data as a Healthcare Platform
1. Third Party Data Auditors: A New Solution
2. TPDAs Address Important Considerations in Data Policy
1. Policy Recommendations for Precipitating TPDAs
Policy Considerations
Consideration One
Individual Awareness
Individual Awareness
• The ability of individuals to be cognizant of what data has been collected, and how it could possibly be used.
• Even when privacy may not exist, an awareness of this lack of privacy has utility
Individual Awareness on the Internet
• The current model of data collection on the Internet greatly complicates, if not destroys, the concept of individual awareness.
• Structurally, the Internet has developed into a de facto surveillance state.
• The data collection happens surreptitiously: technology facilitates tremendous amounts of data collection without ever needing to inform or interact with its target• Incidental• Purposeful• Systematic
• Data brokers
Individual Awareness in the Healthcare IoT
• The same challenges to consumer awareness discussed in the previous section, as well as additional ones, apply just as strongly to the Healthcare IoT and Data Layer
• Lack of consent mechanism for IoT devices (Activity Tracker example)
• Phone as the core of a Personal Area Net (PAN)
Consideration Two
Accountability through Transparency
Accountability
• Accountability of actions taken on the data layer rely on transparency of practices
• This lack of accountability is strikingly out of line with existing policy in similar matters
• The FCRA attached accountability to these organizations by requiring them to “provide notice when an adverse action, such as the denial of credit, is taken based on the content of [their] report.”
• Realize the relevancy of this legislation to the current situation of the data layer: a non-‐consumer facing industry (credit agencies) that had substantial powers over consumers (the public) but little accountability, was legislatively mandated to increase its accountability to consumers.
• This situation mirrors the data layer, and bears special resemblance to data brokers.
Accountability on the Internet
• Many data layer firms are not consumer-‐facing firms (i.e., the firms collecting, selling, and using the data of a particular individual do not necessarily have a relationship with that individual)• E.g., data brokers have virtually no relationship with subjects
• Many individuals are completely unaware even of the existence of data brokers, let alone do they understand how their data is being used.
Accountability in the Healthcare IoT
• Just as in the Internet economy, data brokers have already emerged combining and selling anonymized healthcare data.
• As individuals and their medical care will be increasingly affected by the data associated with them, they have a fundamental right to ensure attributes such as the accuracy, collection standards, and use of this data are appropriately held to societal standards.
• These ideas are certainly not novel: they have underscored the FTC’s Fair Information Practice Principles (FIPPs) since the 1970s.
Consideration Three
Enforcement of Existing Laws
Enforcement on the Internet
• Data points, when combined and used with inference algorithms, can be used to create de facto indicators of race, ethnicity, religion, sexual orientation, and other markers that have traditionally been avenues for discrimination
• A White House report on Big Data cites an instance of racial discrimination on the Internet (search result example)
Enforcement on the Healthcare IoT
• Firms may hide behind complicated algorithms that are able to create discriminatory or harmful behavior automatically.
• This firm may create an algorithm which, when given data as input, automatically learns discriminatory behavior.• Many ethnic, religious, and racial groups have particular health
issues that can be traced not only to genetic causes, but also to cultural and societal causes. Algorithms may potentially create de facto indicators for these lawfully protected groups
• This can even happen without the knowledge of the firm itself
Consideration Four
Protecting Innovation
Protecting Innovation
• Previously discussed advancements
• Maintaining consumer confidence in the Healthcare IoT and Data Layer itself
• With the power the data provides firms, there are a number of incentives for firms with access to this data to act poorly in order to turn a quick profit
Third Party Data Auditors (TPDAs)
What are TPDAs?
• TPDAs are a class of highly technical, skilled, private market organizations that are hired by individuals to monitor and audit the collection and use of their data.
• After collecting all of the data that has been collected on their clients by data layer firms, TPDAs analyze the data that was collected, how the data was collected, and how it was used.
• Once finished with this analysis, the TPDAs present their findings to the client in an easy to comprehend report, as well as alerting them to potentially harmful, unscrupulous, or unlawful collections or uses of data.
• By empowering individuals, TPDAs will allow the citizenry to regain control of their lives on the data layer.
What are TPDAs?
• TPDAs are entirely devoted to protecting the citizenry on the healthcare data layer• A regulatory policy creating TPDAs are essentially instantiating a
permanent citizen advocate in the data layer.
• TPDAs will embody policy goals without top down regulation
• TPDAs market-‐based structure allows them to address the rapidly changing technology sector
• TPDAs can address data layer regulation by leveraging the same entrepreneurial spirit, energy, and zeal that has itself created the technology sector (fighting fire with fire)
How TPDAs will Operate
1. Certification
• Similar structure to other trusted groups
• Doctors
• Lawyers
• Credit Reporting Agencies
2. Initial TPDA Setup
• Choose which data layer firms (i.e. which data brokers, for example) the TPDA will offer as part of its auditing services
• Write software to be able to interact with these firms’ data systems, allowing the TPDA to work with the data it receives on its clients from the data layer firms.
• Begin creating the software they will use to analyze and audit their clients’ data. • Using highly technical data processing, machine learning, and
statistical techniques, each TPDA will design its own “secret sauce” with which to understand how data is used.
3. Client Hires
• The client provides the appropriate level of identification, as well as authorization to request their data from data layer firms.
4. TPDA Requests Data
• TPDA uses the identification and authorization provided by its client to pull, or request, the client’s data from all data layer firms with which the TPDA offers auditing services.
5. The TPDA Parses and Analyzes the Data
• Using the proprietary algorithms and methods it has previously designed, the TPDA begins analyzing how the client’s data has been used.
• By searching for common patterns, understanding use cases, and tracking data flow between all of the firms being audited, the TPDA attempts to find all of the relevant information regarding the use of the data.
• This is a very powerful idea, as TPDAs directly allow technology, rather than just policy, to regulate the data layer.
6. Formulating a Report
• The TPDA produces a detailed report for each of its clients that is both informative and actionable
• Each report contains information regarding how the client’s data has been used, and will alert clients to any potential sensitive, illegal, or abusive uses of data.
• This report may also make suggestions as to changes in use of technologies, tracking opt-‐out opportunities not currently utilized, and other potential suggestions of import.
How TPDAs Address Policy Considerations
Individual Awareness
• The cornerstone of TPDAs is in providing individual awareness as a service
• Through the report and advisory roles TPDAs play, consumers are empowered to understand what data has and is being collected, and how this data is being used, shared, and sold within the data layer
Accountability through Transparency
• TPDAs create an accountability mechanism by creating a window through which consumers may examine data layer firms.
• Importantly, this window is a meaningful one through which consumers may draw useful and actionable information, and is well suited to the current and future state of the data layer.
Enforcement of Laws
• On an individual level, consumers can now see what information has been collected and shared with particular organizations, as well as the data based inferences made from it by data layer firms such as data brokers.
• Once empowered with this information, consumers, either by their own impetus or on recommendation of their TPDA, may further examine potential misuses of data.
Protecting Innovation
• Realize that there is little if any burden placed on data layer firms
• Rather than recommending top down, broad regulatory policy for the data industry as a whole, TPDAs empower better decision making through empowering consumers and regulators to better understand the data industry and how it operates.
1. Mandate Data Access
2. Create TPDA Regulations and Certification Process
3. Educate the Citizenry
Policy Recommendations
Congress should mandate that all Healthcare IoT andData Layer firms must oblige consumer requests foraccess to any data held on them by a firm, regardless ifthat firm collected or purchased that data. Data includesboth facts directly collected on an individual, as well asinferences made about that individual.
Mandate Data Access
Congress should create a task force to create thenecessary regulations regarding the legal responsibilitiesof TPDAs, or task the FTC with this responsibility.Following this, Congress should task the FTC with settingup the mechanism to create the TPDA certificationprocess.
Create TPDA Regulations and Certification Process
Congress should create a task force to educate the citizenry regarding the existence of TPDAs and the services they offer.
Educate the Citizenry
Given the means, knowledge, and ability to exercise meaningful control over their digital lives, citizens will be able to make the most of the great opportunities the Healthcare IoT presents.
Closing thought
Thank You