Topics Overview of "Security and Privacy" Regulations for Health Data Platforms in the U.S. and Europe

Masami Morita, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute (PIIPRI)
Takayuki Sasaki, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute (PIIPRI)
Yasuhiko Nakatsuka, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute (PIIPRI)

"Data is the new oil." As this concept permeates society and we move rapidly toward a data-driven society, businesses that utilize data are being created in a variety of industries. In the medical and healthcare industries, there is a growing movement to utilize a variety of medical data, including electronic health records (EHR), medical claims (receipt) data, DPC data, and genomic and omics data. In addition, with the acceleration of digitalization trends such as IoT and digital biomarkers, mHealth (mobile health) and wearable healthcare products are becoming popular, making it possible to visualize and digitize daily activities, vital data, and so on. Significant progress has been made in utilizing not only snapshot medical data but also information related to daily life and health (PHR)1).

In order to maximize the use of these digitized health data (genome, medical information, lifestyle information, etc.) and realize precision medicine and preemptive medicine, it is necessary to build an integrated "digital health infrastructure" rather than utilizing each source separately. The WHO, which is expanding its focus on digital health, also mentions the need for an integrated digital infrastructure in its Digital Health Guidelines2) issued in April 2019. The Digital Health Partnership, an organization of 23 countries around the world set up to support the effective implementation of digitalized health services, goes further and identifies "cybersecurity," "interoperability," "evidence and evaluation," "policy environments," and "clinical and patient engagement" as key elements of a digital health infrastructure3), and has prepared a white paper on each4).

Health data is highly sensitive information, and it is important to ensure security and privacy protection for a platform that handles such data in an integrated manner. In this paper, we would like to outline how laws and regulations are being developed to ensure security and privacy protection, especially in Europe and the U.S., where platforms are being built.

Status of Health Data Platform Construction

U.S.A.

In the U.S., the use of health data platforms is accelerating, led by private IT platforms such as GAFA (Google Inc., Apple Inc., Facebook Inc., and Amazon Inc.). For example, Amazon, in collaboration with MERCK and Accenture, has built a cloud platform for precision medicine5). The company aims to promote rapid and efficient research and facilitate the discovery of new treatments by bringing the growing and increasingly diverse research data of pharmaceutical and biotechnological research and development onto a platform.

Google, in partnership with Deloitte, is building a healthcare cloud platform6) that provides medical institutions and life science companies with a variety of data and tools, including artificial intelligence solutions, clinical data warehouses, genomics, and imaging, with the aim of promoting early diagnosis and similar goals.

IBM is also applying its abundant medical data to medical AI, aiming to build a platform that enables healthcare and life science companies to utilize IoT and big data. For example, Watson for Oncology analyzes medical data, medical literature, and expert guidelines to support the creation of evidence-based treatment plans7).

Although the private sector is the main player, as described above, there are also national initiatives. For example, in 2017 the National Cancer Institute (NCI) announced the NCI Cancer Research Data Commons (CRDC), a cloud-based infrastructure. This initiative aims to accelerate cancer research and precision medicine by giving physicians, researchers, and others access to genomic and omics data, with the goal of developing a related data platform8).

In the U.S., while national organizations such as the NIH support healthcare-related government strategies such as the Precision Medicine Initiative, there is a notable movement to build platforms through collaboration among giant platforms such as GAFA, academia, advanced medical institutions, pharmaceutical companies, IT companies, etc.

Since health data is highly sensitive, platform providers implement security measures and comply with the various regulations and laws of the medical and pharmaceutical industries when building their platforms. In addition, they must comply with the privacy policies and personal information protection laws of each country.

For example, Google has defined seven "Privacy and Security Principles": "respect for users and their privacy," "clarification of the content and purpose of data collection," "no sale of users' personal information," "self-management by users," "ownership of users' data," "introduction of the highest level of security technology," and "exemplary security enhancements." Furthermore, its platform complies with the requirements of HIPAA, which centrally regulates privacy and security standards related to healthcare9).

Europe

In Europe, platforms in the medical and healthcare fields are being built as a national strategy. Around 2000, the construction of EHR networks was undertaken ahead of the rest of the world, and the creation of medical information platforms continues to be promoted.

In Finland, the Personalized Health Finland program, an initiative aimed at creating a new healthcare platform and new businesses, has been underway since 2018 to promote personalized medicine and prevention. The program includes the creation of various data platforms covering biobanks, health data, medical data, prescription data, etc.10). Such examples of state-led digitization of healthcare, including medical information, can be found throughout Europe, including Estonia, the United Kingdom, and the Nordic countries.

Regarding genome information in the EU, in April 2018, 13 EU member states (Italy, Estonia, Cyprus, Slovakia, Spain, Sweden, Czech Republic, Finland, Portugal, Malta, Lithuania, Luxembourg, and the United Kingdom) set the goal of "making 1 million genomes accessible in the EU by 2022." The UK Biobank has so far collected genetic data on about 500,000 people across the UK, and the measures already implemented by the member states in sequencing and building biobanks are to be used and maximized across these 13 countries.

At the same time, Europe is developing an environment in which researchers can store, manage, analyze, and reuse vast amounts of research data in a reliable environment across borders, and utilize real-world data for clinical trials and clinical research. Furthermore, the EU is promoting measures such as the GDPR (General Data Protection Regulation)12) and standardization, and is developing the European Open Science Cloud (EOSC), which includes cross-border use of genomic information13), with the aim of integrating genomic data with medical data.

Security/Privacy Regulations in the U.S. and Europe Related to Health Data Utilization

In building a platform in the healthcare domain, it is necessary to create a mechanism (data ecosystem) in which data is stored and utilized in parallel. In such a system, it is also important to address the legal framework (architecture), including provisions for data security and privacy. This section summarizes the major laws, regulations, and guidelines related to security and privacy in the United States and Europe. The Japanese system is also listed in Table 1 for reference.

Table 1 Major Laws, Regulations, and Principles Related to Security/Privacy

U.S.A.

In the U.S., in light of the sensitivity of medical information, HIPAA14) was enacted in 1996, followed by HITECH15) in 2009 to promote health IT. These laws centrally define privacy and security standards for healthcare and require the entities responsible for protecting medical information to take measures that ensure privacy and security. HIPAA is designed to protect the privacy of personal medical data while at the same time making the data useful for medical advancement, and IT companies and other entities that handle medical data use it as a standard that emphasizes privacy protection.

HITECH was created to make HIPAA more effective by expanding the application of its privacy provisions and strengthening penalties, since HIPAA did not include measures to deal with the security and privacy issues expected to arise from the introduction of health IT.

The Cyber Security Framework (CSF)16), published by the National Institute of Standards and Technology (NIST) on February 12, 2014, is a framework dedicated to security risks in the IT world and a set of guidelines aimed at strengthening security measures. The CSF, which NIST has standardized across various aspects of security in the U.S., takes a cross-disciplinary, multi-layered defense approach: it builds a multi-stakeholder ecosystem on cloud infrastructure and applies defense in depth to avoid direct attacks on, and information leaks from, critical systems. This is based on the premise that the IT infrastructure consists of a centralized cloud layer, a fog node layer, and an end device layer*, and that many IT infrastructure companies share in the appropriate management of security. In addition, there are a number of industry-specific Information Sharing and Analysis Centers (ISACs) in the U.S. that collect, share, and warn about threat information, and these are now being supplemented by Information Sharing and Analysis Organizations (ISAOs) that cover a broader range of categories. In the United States, the Department of Homeland Security has cross-industry security jurisdiction.

Europe

On May 25, 2018, the GDPR came into effect, regulating the acquisition and use of personal data by companies. Individual rights were strengthened (right to information, right of access, right to restriction of processing, right to be forgotten, right to data portability, etc.) and the harmonization and uniformity of personal data protection were enhanced. Companies based in regions outside the EU can also be subject to the same level of data protection obligations as under the GDPR. The GDPR applies to the processing of personal data and to data controllers and processors based in the EU17). It also applies to data controllers and processors who provide goods or services to individuals in the EU and who process or monitor their personal data.

The GDPR is a uniform set of rules for the EU and is binding on all member states. Each country is required to establish its own laws and regulations in accordance with these uniform rules.

The NIS Directive (Network and Information Systems Security Directive)18) was adopted by the EU Council on May 17, 2016, and entered into force on August 8, 2016, to enhance overall cybersecurity in the EU. It requires organizations that provide essential social infrastructure services, such as energy, transport, and finance, in EU member states to strengthen their security measures and obligations. However, the Directive is not directly applicable law itself; rather, it instructs each EU member state to establish its own national laws. The NIS Directive sets a minimum standard for Europe, and the actual establishment and implementation of laws and regulations is left to the authorities of each country.

For example, Germany, an EU member state, enacted the IT Security Act in 2015 19), prior to the NIS Directive. It stipulates that minimum standards for cyber security set by the Information Security Agency must be met, that security audits must be conducted on a regular basis (every other year), and that cyber attacks must be reported to the Information Security Agency; these obligations apply to major and critical infrastructure providers, and there are penalties for non-compliance. The UK likewise established the Network and Information Systems Act in 2018 19), which requires critical infrastructure providers to take effective cybersecurity measures, and it operates a strict system of fines not only under the GDPR but also for security.

For security in Europe, a certification mechanism for a security framework called the European Security Certification Framework (EU-SEC)20) has been established; this framework is designed as an extension of the Information Security Management System (ISMS*).

Summary

In Japan, the Cabinet Cyber Security Center (NISC) of the Cabinet Secretariat formulated the draft "Revised Guidelines for Establishment of Safety Standards, etc. for Ensuring Information Security in Critical Infrastructure (Fifth Edition)"21) and began soliciting public comments on April 19, 2019 (as of September 25, 2019, the call for comments has closed).

The guidelines of the three ministries (Ministry of Health, Labour and Welfare; Ministry of Internal Affairs and Communications; and Ministry of Economy, Trade and Industry) on the handling of medical information clarify the scope of responsibility for partial outsourcing and provision to third parties, but the security of Application Programming Interfaces (APIs) for health data has not yet been discussed, and it will be necessary to address API security in these guidelines. In addition, it is desirable to consider the concept of multi-layered defense and security measures that include multi-stakeholder responses at each layer. In Europe, a security certification system has been introduced, and Japanese companies should examine this certification closely.

There is no doubt that building a platform is important to create an environment for a data-driven society and research, but it is equally important to create a data ecosystem, and the development of a legal framework for data security and privacy needs to start at the same time.

As medical databases are connected to IT networks and IoT devices in future platform building, security measures for APIs are expected to become more stringent. Japan needs to catch up with this trend as soon as possible.

  • As of December 2023
    In July 2015, the Pharmaceutical Industry Policy Institute established the "Big Data Utilization and Research Group in the Medical and Health Field" within the institute to study issues related to big data in the pharmaceutical industry. This report is based on the "Study Group's" research and study, including a lecture by Mr. Hisashi Yoshizawa of Urushima Sogo Law Office.
  • As of December 2023
    Health data platform refers to an individual infrastructure system or environment for collecting, storing, distributing, integrating, analyzing, and managing various health data (including lifestyle and behavioral data). It is also sometimes referred to as a platform as an overall term that brings together multiple infrastructure systems, environments, etc.
