Data sharing in healthcare: new techniques for sharing health-related data

When we talk about data sharing, we refer to a type of data processing with a very broad scope.

In fact, data sharing falls within the processing that Article 4(1)(2) of the GDPR refers to as 'disclosure by transmission, dissemination or otherwise making available'.

The legislator provides this broad definition because, in practice, the ways in which data are shared are so diverse that they cannot be limited to specifically predetermined cases.

The European Commission uses the term 'data sharing' as a generic term to indicate that parties other than the original data controller may process the data of that controller:

• analysing it on behalf of third parties and sending them the results of such analyses,
• allowing third parties to access it within their own systems
• transferring the data to them.

This concept also encapsulates the potential of data sharing: the multiple ways in which data can circulate increase the circulation and dissemination of knowledge and expand the cultural, scientific and economic heritage of our society.

It is therefore no coincidence that the GDPR breaks with the past and regulates the issue of data protection in a very progressive way, striking a substantial balance between the protection of the rights of individuals and the free movement of data.

Free movement of data means, in practice, the legal possibility to use it.

If there is one sector in the digital age where this possibility is crucial for our community as a whole, it is undoubtedly the health sector.

Data sharing for data driven healthcare

Health-related data provide access to clinical information that can be used not only for the treatment of the patient to whom the data relate (the primary purpose of data processing), but also for numerous other purposes (the so-called ‘secondary purposes’) such as reasons of public interest in the sphere of public health and occupational medicine, public health surveillance, ensuring high levels of quality and safety of healthcare, medicines or medical devices; support for public bodies or institutions in the health sector in the performance of their tasks; production of official statistics at national, multinational and EU level; education activities; scientific research activities; product development and innovation activities; algorithm training, testing and evaluation activities, including in medical devices, AI systems and digital health applications; provision of personalised medicine.

In this context, digitalisation is essential for extracting reliable information from healthcare data: it helps healthcare professionals to standardise procedures and optimise clinical pathways while reducing costs.

Just think of telemedicine: sharing clinical parameters collected by medical devices, for example, enables remote monitoring of patients, allowing timely diagnoses and the ability to review and modify therapies without in-person consultations.

The medical device industry itself has become highly data-driven since the MDR and IVDR came into force.

Both regulations call for better data collection and increased use of data analytics and data science technologies, as there is a greater need to process data using state-of-the-art methods.

In fact, monitoring the performance of medical devices and in vitro diagnostics through near-real-time data transmission is required by both Regulations throughout the lifecycle of medical devices, during which devices must be monitored for safety and efficacy.

Consider, in particular, the obligations on manufacturers in the area of vigilance and reporting of incidents involving medical devices in the context of post-market surveillance, which involves the collection of patient data related to the use of medical devices, demonstrating that data sharing is also a safety issue.

Beyond the strict regulatory requirements, we must also consider the potential use of data for research and development, for conducting surveys and market research, and even for marketing purposes.

But digital clinical data sharing is not just for the benefit of professionals: health technologies also support patient empowerment.

Data sharing via apps and connected medical devices makes it easier to monitor and treat patients outside hospitals, increasing their autonomy and also improving patient satisfaction and treatment adherence.

The European Health Data Space

In order to realise the full potential of health data and meet the need to use it in a resource- and cost-efficient way, it is essential to align different national policies through a governance framework at European level.

The European Health Data Space (EHDS), launched by the European Commission on 3 May 2022, responds to this need and will enable the EU to make a huge qualitative leap in the way healthcare is delivered across Europe. It will enable people to control and use their own health data both in their own country and in other Member States, promote a true single market for digital health services and products, and provide a regulatory framework for the use of health data in research, innovation, policy-making and regulation.

In this last respect, researchers, companies and public institutions will have access, under strict conditions, to large amounts of high quality health data, which are crucial for the development of life-saving therapies, vaccines or medical devices, as well as for ensuring better access to healthcare and more resilient health systems.

In particular, the EHDS aims to improve the sharing and use of health data by overcoming regulatory barriers caused by different national laws.

Indeed, as is well known, the GDPR allows Member States to adapt the application of certain aspects of the Regulation to their national context. Not only that: Article 9(4) of the GDPR allows EU countries to maintain or introduce further conditions, including restrictions on the processing of health-related data.

In this respect, the study that underpinned the EHDS showed that both differences in the application of the Regulation and implementation-related legislation at national level have led to a regulatory fragmentation, which hinders cross-border cooperation in healthcare provision, management of health systems and research.

In this context, the 2021 Commission document Assessment of UE member States’ rules in Health Data in the light of GDPR., is of great interest.

Quality and interoperability of data

For data sharing to reach its full potential, the need to overcome regulatory hurdles goes hand in hand with the need to ensure data quality.

After all, this is nothing more than complying with the data accuracy principle set out in Article 5 of the GDPR, which is more crucial in the healthcare sector than in any other.

In this regard, it is interesting to analyse the report of the Digital Health Europe (DHE) consortium supporting the European Commission's Communication on the digital transformation of health and care in the digital single market and its initiative for a European health data space.

Among its suggestions to the European Commission and Member States, DHE also points to

• take measures to improve data quality at the level of healthcare providers and ensure that data from devices and/or reported by patients can be migrated to a common health data space;
• promote, support and monitor the quality of shared data, including through the adoption of common data quality criteria and labels to be used and displayed by data controllers providing data to the EHDS when sharing data.

At the same time, it should not be underestimated that the very act of sharing data in the digital world improves data quality.

Consider how monitoring and comparing performance increases data consistency and reduces errors, making healthcare practice more transparent and evidence-based.

Device connectivity and real-time access to data also help to speed up medical interventions and improve diagnostic timelines through greater access to data and more effective data analysis.

In this context, access to accurate and timely health data also enables patients to self-manage chronic conditions by monitoring and evaluating their outcomes or adjusting their habits and lifestyles.

But while the quality of data is essential for its effective use, it is also necessary to ensure its interoperability.

To do so, the DHE suggests:

• to provide support for the development, definition and adoption of interoperability standards and data quality rules applicable to data generated by patients and citizens through apps, wearables, sensors and complementary non-health but health-relevant data, such as pollution and climate data.
• to control the use and dissemination of interoperability standards centrally, where legally possible.
• to ensure the proper implementation of the right to data portability, as provided for by the GDPR, on a large scale.

Data access and privacy-preserving data sharing

The ever-increasing risk posed by constantly evolving threats to information systems used for data sharing makes it impossible to address the issue of data sharing separately from that of cybersecurity.

For this reason, on Data Protection Day, the European Union Cyber Security Agency (ENISA) published the report 'Engineering Personal Data Sharing'.

The document assumes that ensuring compliance with data protection principles, such as transparency and minimisation, requires a very thorough assessment and a careful implementation by-design.

ENISA therefore aims to outline how IT security in the context of data sharing can contribute to the protection of data shared between different parties, using technical solutions based on advanced encryption techniques.

The report is particularly useful for entities processing health-related data, as it contains specific use cases for data sharing in the health and research sectors.

Above all, ENISA outlined the following requirements:

• For the diagnosis and treatment of individual patients, data should be in plain-text since patients must be identifiable.
• The same data used for medical research (possibly on a large scale) should be appropriately pseudonymised to ensure that re-identification by a researcher is unlikely (unless the user provides explicit consent for non-pseudonymised processing, which should be revocable at any time) and that the possibility of removing the link between two different sets of data for different purposes is present.
• The ability to handle multiple sources of patient data, including wearable devices and apps, must be ensured.

With regard to the second point, the possibility of requiring consent for non-pseudonymised processing must be balanced, in the writer's opinion, with the principle of data minimisation: processing the data of participants in a clinical trial in the clear should only be allowed if necessary for the purposes of the research.

The report then proposes a kind of granularity of data sharing, which consists in implementing data sharing with the explicit consent of the user. In other words, no entity would be allowed access to a user's health data unless the user explicitly grants it.

The example ENISA provides is of a patient using a wearable device:

• the wearable device is intended for glucose monitoring but also collects other clinical parameters such as blood pressure and caffeine levels;
• the data streams are uploaded to the cloud to be shared with different parties (doctors, family members, etc.).

The main challenge foreseen by ENISA is to find ways for the user to selectively share specific data streams generated by the device with specific subjects.

Such an access model can be based not only on the identity of the recipient, but also on additional parameters such as the time period in which the data was generated or its type. For example, a third party could be granted access only to data corresponding to the last three months) and/or to specific parts of the data set (e.g. blood pressure measurements).

The technique proposed to enable this selective sharing of data is asymmetric encryption, but this has limitations in terms of practicality and efficiency.

Indeed, if the same data were to be shared with several recipients, the user would have to share the same data several times, each encrypted with the recipient's public key.

This leads to two critical issues:

• redundancy, which becomes a predominant problem especially in the case of high volumes of data that are constantly being produced;
• the fact that, since some recipients may not be known in advance, new encryption would be required for each new access to be granted.

To overcome these limitations, the report proposes the use of two particular asymmetric encryption techniques:

• Attribute Based Encryption (ABE), in which data can be encrypted using a public key, but at the same time, unlike 'classic' public key encryption, there can be multiple decryption keys, each of which is linked to small additional pieces of information about the data, called attributes. Decryption keys are generated from a generic secret key that must remain private. In the case described above, the user data generated by the wearable device is associated with specific attributes related to it, such as date of origin, object type, etc. These attributes will later be used to define the access control mechanism for this data. The data is then encrypted and uploaded to the cloud. When a third party requests access to a user's data, the user creates an access policy for that party specifying which exact properties must be satisfied by the data to which access is to be granted. Once the recipient (e.g. a doctor) receives this decryption key, it will only be able to decrypt locally the data that satisfies the access policy defined by the user, since the ABE decryption key only decrypts a subset of the data set.?

• Proxy Re-Encryption allows for the re-encryption of an already encrypted data set from one public key to another, without the proxy having access to the unencrypted data set. This is an ideal approach when the entity with whom the data is to be shared is not known at the time of the initial encryption or the sharing is to be done via untrusted infrastructures.

Returning to the use case described above, the user encrypts their data with their public key and uploads it to the cloud. When a third party, e.g. the doctor, requests access to the data, the user generates a so-called re-encryption key, using his own private key and the doctor's public key. The re-encryption key can then be sent to the cloud provider, which is now able to encrypt the data with its own public key. The re-encryption key can be sent to the cloud provider, who is now able to convert the initial encrypted data set into a new encrypted record that corresponds to the encryption using the physician's public key. In this way, only the physician can decrypt the data - and thus access it - using their private key.