The Data Privacy Panel highlights: Data {Privacy|Governance|Management} Summit
Huge thanks again to @Eric Tham, @Archis Gore and @Matthew Trunnell for their insights during the Privacy Panel Discussion at the Data {Privacy|Governance|Management} Summit in Seattle on 17th October.
A video summary of the Privacy panel is attached below.
Panelists (L to R):
Dr. Eric Tham, VP & Assoc CIO, Research IT, Seattle Children's Research Center
Archis Gore, CTO, Polyverse.io
Matthew Trunnell (Matter), VP & Chief Data Officer, Fred Hutchinson Cancer Research Center
Moderator: Sanjay Joshi
Some quotable quotes from the discussion that were not in the video summary attached above:
Matter: There is something we have not touched upon much yet about is "Why do we care about privacy?" and we have these assumptions that privacy is a good thing we don't have a constitutional... privacy is not recognized..
Sanjay: It (Privacy) is not a word in the US Constitution, by the way...
Matter: Other countries have different views; Why do we protect privacy? There is a strong ethical reason to do this, this is actually codified in US Regulations in the context of what is called the "Belmont Report" and the Belmont Principles for how we deal with patients -- how we deal with people outside of the regulatory environment. There is also a very interesting (as Eric was mentioning) an ethical counter-argument which is about sharing data for the benefit of the whole ... and I think that Pediatric research has really been leaders in sharing data because it has been a requirement, but I think it is a really interesting tension that a lot of us in Healthcare are feeling.
Audience question: A question in a different realm altogether. I'm on a Policy Advisory Committe for Drones and UASes (unmanned aircraft systems). We are in the early stages of saying "if we do a flyover, we collect all this data which is intended for one use or another: land use, environmental data." It is obvious that you will be collecting a lot of inadvertent data like somebody sunbathing in their yard... All data collected by cities falls under the Public Information Act. Anyone can basically make a request for information. How on earth do you take that kind of data and sort it... is there software out there that would scan it, scan certain types at different resolutions? How reliable is that? Or do you guys have a different kind of method by which you don't get into that quagmire...
Archis: ... You're hitting the nail on the head. The best way to know that we don't have an answer is the ask the "contra-positive." The proposition is perfect. Everyone is going to give you a billion algorithms but then when you look at an appendectomy you look at appendectomies across the country yuou basically say there is a failure rate of 7% (I just made that up), but when it hits 8% you actually have an insurance company that is going to say "if the 8th person out of 100 dies we are liable for this" That is what cars do... if you hit someone or something at 60 miles per hour this is the impact... always ask the counter-positive. If that image were to be leaked, how much money are you going to put on the line? Suddenly every methodology that is going to solve this problem just disappears.
Sanjay: (Iceland) uses recordings of surgeries for insurance purposes... they are a very small country (about 300K) with larger populations unintended consequences have always happened. Do you think we are heading in that direction Eric? From at least a surgery perspective. Having been an ER guy for a little while...
Eric: We are currently in the middle of a transition of our Electronic Health Records. I'll answer it a little differently. To accelerate research we are actually building research into our electronic medical record. Lot of discussion now is what is "Standard of Care" and what is "Research." One thing we are going to do to enable -- which the University of Washington does and pioneered "Open Notes" -- the concept when a physician writes a clinical note on you, they release it to the patient portal right away; Udub was one of the early pioneers in that. So we were talking about how do we do that with our new Electronic Health Record -- the question is what is considered research and what could be released to the families and more importantly what could be potentially accidentally release to an insurance company if we do not structure our data, actually our Metadata to identify this as research data or research documentation versus clinical documentation which by law you have to provide the insurance company. By contract.
Sanjay: Archis in terms of technology tell me the 2 or 3 most interesting pieces of technology both for Privacy and Anti-Hacking threat vector footprint...
Archis: So the one that we focus on.. internally. My favorite one right now, something to watch out for... still being incubated even if the promise is there... it is Homomorphic Encryption. Stil being worked on. We don't know that it won't work; we haven't seen a mass scale usage. That really means that you can actually run queries and analytics on encrypted data without decrypting it -- you get what you want out of it, without actually being exposed to it. Lot of promise; we'll see.
Other big thing is "Masking" which is what I already spoke about heavily -- which is non-causal replacements which still lead to similar analyses and so that is like a poor-person's approximation of Homomorphic Encryption... Those two.
Sanjay: Is regulatory reporting becoming more mature in your opinion, or are there gaps...
Eric: I still spend a fair amount of time... Going back to Matthew's comment about the Belmont Report and the Institution of Institutional Review Boards (IRBs) to protect research subjects -- those types of agreements take a very long time and conceptually we are trying to get agreements in place where we share one IRB across multiple institutions; conceptually that is what we were trying to do to accelerate research and to be able to share that data. Again, those are very complicated upfront to negotiate.
Sanjay: In your opinion Matter and Eric, the policy generation engine needs to improve a little.. do patients need to be more educated.. what is your take on this?
Matter: Policy is always going to lag and as we go faster it is just going to lag further. In some cases that may be good because policy can be bad -- sometimes it is good. You talked about the Washington Privacy Act that is not going to go.. there was legislation that was slipped in British Columbia to modify their Privacy Act recently, it was called FIPA to make it easier to support cross-border data-sharing. It can go both ways. We will always go faster than policies. There is a lot to be said about involving data subjects directly, because that removes certain regulatory burdens -- it certainly doesn't remove the ethical burden -- it is particularly complex there (in Pediatrics).
Audience question: I am going to piggyback (on) and tie it back to what Archis said earlier. Being a technologist, all these years, dreaming that technology can solve all these problems -- sounds like once the ethical decisions are made, we can apply the right technology: Homomorphic Encryption, BlockChain, Mask out only what you need, dial in exactly where you are going to do it... choose where the risk is.. why can't we do that now?
Archis: NO. We can't.
Matter: All of this is being developed now. I think that is where we are going and we are going to make mistakes along the way. We are going to keep trying things and but ya, we are not there... IF we get the SkyNet before we get there then.. well then it is a different problem.
Eric: I think it is going to create new moral and ethical questions with the new technologies...
Topics mentioned in the discussion:
Diabetic Retinopathy and Deep Learning
Right to Privacy in the United States
The Data Governance Panel Summary
####
Copyright ? 2019 Sanjay Joshi.
Shout out to @Amar Joshi for the video post-production and transcription; @Fortunato Vega and @Dan Savage for organizing the event...
Expert Digital Health, Investor, Advisor
5 年I would encourage all health care to adopt #OpenNotes as a step to build trust. After years within the #HIE segment, I would encourage better data mapping and improved audit methods that are easier- perhaps #artificial_intelligence could help?