Telemedicine and data exploitation
During the Covid-19 pandemic, telemedicine experienced a global boost. Post-pandemic, the telemedicine industry has been valued at a quarter trillion dollars. However, there are issues that providers must understand prior to deploying telemedicine solutions, ranging from a lack of clear guidelines, a lack of training for providers, and issues of connectivity, to costs for patients and whether remote care is covered by insurance.
- The Covid-19 pandemic has given telemedicine a global boost.
- The reproductive and maternal care sector reported similar developments during the pandemic, with evidence showing that telemedicine was applied “on a wide scale for different aspects of maternal and newborn healthcare”.
- Providers must understand risks of telemedicine solutions prior to deploying them.
This piece is a part of a collection of research that demonstrates how data-intensive systems that are built to deliver reproductive and maternal healthcare are not adequately prioritising equality and privacy.
Telemedicine describes the vast range of applications and technologies used to provide and manage healthcare remotely.
Telemedicine at its most basic refers to the transmission of data from a patient to a healthcare professional through a range of electronic platforms (devices, apps, etc.). This means that the electronic platforms themselves have the ability to access the patient data.
However, telemedicine can be more than a communication tool. It can be combined with sophisticated technology in services ranging from remote monitoring systems to virtual assistants to support care.
The first appearance of telemedicine can be traced back to the 19th century. Since then, the use of telemedicine has been driven by the increasing availability and use of internet and communications technologies across the health sector, including for reproductive and maternal care.
A survey conducted in 2014 by the WHO’s Global Observatory for eHealth (GOe) to analyse the progress being made in the uptake of eHealth in developing countries, particularly for the benefit of women’s and children’s health, indicated that telemedicine and teleconsultation were the most frequently adopted services, with 47% of the 64 countries implementing them. It has also been used in HIV-related programmes.
During the Covid-19 pandemic, telemedicine experienced a global boost as it allowed for patients to be managed outside hospital facilities. It also allowed for ill patients to be triaged remotely, enabling hospitals to prioritise resources and reserve the capacity in hospital for high-risk patients.
Post-pandemic, the telemedicine industry has been valued at a quarter trillion dollars. The reproductive and maternal care sector reported similar developments during the pandemic, with evidence showing that telemedicine was applied “on a wide scale for different aspects of maternal and newborn healthcare”. However, there were also issues, ranging from a lack of clear guidelines, a lack of training for providers, and issues of connectivity, to costs for patients and whether remote care is covered by insurance.
However, it doesn’t look like telemedicine is going anywhere.
In addition to mitigating the risk of contagion, a key appeal factor of telemedicine is its apparent cost-effectiveness for healthcare providers and patients alike. It allows patients across the board to save time and money, and enables the infirm and the elderly to access care without physical effort. It also allows those in low-resource settings such as rural areas and remote sites to access care. Further, it enables healthcare providers to save costs by shortening the average length of appointments and, in the case of AI-led applications, telemedicine enables providers to save on staff time and costs.
Below we describe a few of the applications made possible by telemedicine in the health sector, and in particular reproductive and maternal healthcare.
Examples of telemedicine uses
Real-time, video-based health consultations and advice
Perhaps the best-known example of telemedicine is the use of videocall consultations.
The provision of real-time, video-based health consultations has been integrated into the reproductive and maternal care sector. This has led to the development of a "telemedicine network, linking major maternity hospitals to provincial and county hospitals for teleconsultation, teleeducation and telementoring for surgery."
During the Covid-19 pandemic, services enabling 1-1 smartphone-based videocalls between health professionals and patients flourished across the public and private healthcare sector. Videocalls enable healthcare professionals to see patients remotely, while preserving the benefits of visual assessment. As the United Kingdom’s National Health Service quick guide for video consultations states, “visual assessment adds key clinical data”.
The Kenyan Ministry of Health took similar measures to adapt services. They encouraged telemedicine for antenatal care. Birth registrations were to be processed via SMS as part of the new process. Similar initiatives were also launched in El Salvador as well as many other countries including Albania, Belgium, Azerbaijan, Finland and Spain.
There have been some instances which go full circle from consultation to treatment. These processes include the delivery and processing of the care itself, with prescriptions being sent to the patient. This includes obtaining contraceptives, which occurred increasingly with Covid-19. In some instances, access to remote safe abortion care was provided by not-for-profit organisations. Some countries, including France, used telemedicine to deliver all associated medical appointments.
Health monitoring apps/software
Unlike video-based consultations, some remote health monitoring initiatives rely on information exchange over time with a view to facilitating diagnosis and treatment. The data collected by these applications varies, and ranges from concrete data points (e.g. heart rate, glucose, blood oxygen levels) to video footage.
For reproductive and maternal care, remote monitoring devices for various areas of prenatal care have been reported including: (1) cardiotocography; (2) blood glucose levels; (3) blood pressure; and (4) prenatal ultrasounds.
Regardless of the condition they cater for, these systems have common features:
- health data is collected by patient/user through device (e.g. pulse oximeter, glucometer, etc)
- health data is input onto the relevant app/platform (through device-app pairing or through direct patient/user input)
- health data is shared with a designated clinical team in real time, and monitored
There have also been programmes put in place to enable community-based antenatal care provided by midwives in remote locations. These programmes aim to connect and share information by collecting data from patients about weight and health, and then sharing that data through an app with a third party.
The Mobile Obstetrics Monitoring trialled in Indonesia is an example of such a mechanism. It has shown positive results in detecting very high-risk and high-risk pregnancies.
Many of these mechanisms in the reproductive and maternal care sector are still nascent, and many of the studies evaluating and assessing them have been of pilot projects and/or within limited clinical trials. It is recognised that further studies are needed before generalising the benefits and uptake of such mechanisms on a large scale.
In other health sectors, more advanced systems have been deployed. For example, some apps build on these communication features by applying machine learning capabilities. The Propeller app, aimed at people suffering from asthma or chronic obstructive pulmonary disease, reportedly “learns about your flare-ups and medication use and can help you become an expert at managing your symptoms and identifying your triggers”. Some data from the app can be accessed by partner healthcare organisations, who “are alerted when a patient transitions to a poorly controlled status” and similarly “receive reports that include patients’ medication adherence, trigger and symptom trends […]”.
Other innovative initiatives have seen the deployment of video-based observation in the monitoring of health conditions, known also as video-observed therapy or ‘VOT’. VOT has been deployed to support patients with active tuberculosis by way of daily remote observation using a custom smartphone app that allows patients to film themselves taking medications on a computer or mobile device. These images are then transmitted to a remote observer via the internet. A 2019 study published in the Lancet found that VOT was a more effective approach to observation of tuberculosis treatment than directly observed therapy, i.e. observation done in person.
Some telemedicine systems take a significantly more comprehensive approach: in addition to concrete health measurements, they rely on data collection systems to assess a person’s environment. These systems have proliferated in the field of geriatric medicine, which specialises in the care of elderly people.
Wireless sensors monitoring activity inside the home are a key example. By detecting movement and door activity, they are capable of providing a detailed insight into an occupant’s day-to-day activities in the home on a 24/7 basis. One provider, for example, offers the option to monitor movement, bathroom visits, visitors, and sleep based on data collected by the sensors. The data is then uploaded to a portal that can be consulted by authorised individuals. While these systems are often used by concerned family members, they can also be used by healthcare providers. For example, Canary Care offers a range of services to UK’s National Health Service institutions, ranging from initial assessments to reablement after hospitalisation.
For years there have been discussions of using tools such as wearable sensors in antenatal care to monitor lifestyle behaviours, other risk factors associated with a person’s health (such as their weight, blood pressure, stress, etc.) and maternal adaptations during pregnancy. The aim is to link these to pregnancy complications and, once identified, to rectify them so as to encourage healthier lifestyle behaviours and minimise the risk of pregnancy complications.
In recent years this has continued to attract much attention with advancements in technology, and with the expansion of the data collected, which no longer refers only to specific health conditions or a short period of time but comprehensively integrates one’s whole environment in real time, 24/7, to enable continuous and long-term monitoring. New tools are being developed to tackle the realities of low-resource settings where advanced tools are not accessible, to enable “comprehensive assessment of both the mother and fetus with compatibility across a wide range of mobile devices” and “to obtain physiologic information” in a way that is efficient and cost-effective.
Areas of concern
One recurring area of concern with the deployment of digital solutions and tools like telemedicine is the digital divide, and the implications this has for reaching significant groups who have limited access to the digital infrastructure, both software (the digital platform) and hardware (mobile phones), needed to use these tools.
In studies conducted, the “availability of technology and connectivity seem to pose a serious bottleneck”. These concerns were also noted in terms of reliance on technology and connectivity for access; the lack of it resulted in “increasing maternal and newborn health disparities and inequities”.
As with any device-based application, telemedicine can only go as far as the technology available to the patient. At a minimum, telemedicine initiatives require the patient to have a working internet connection, a data plan, or sufficient local bandwidth; and video-based technologies require patients to have a smartphone.
In low-income settings, the absence of one or more of these resources can be a significant obstacle in the provision of healthcare, a Kenyan study found.
Any telehealth application processing health data must appropriately safeguard against the risk of unlawful disclosure. Time and again, data leaks concerning medical information have made headlines. Even if in the reproductive and maternal care sector few have been reported and documented, multiple examples exist across the healthcare sector and beyond.
In 2020, Vastaamo - a Finland-based healthcare provider which ran the largest network of private mental-health providers in Finland - suffered a catastrophic data breach that exposed its patient database, which included personal details as well as therapy notes, to the entire internet. Hackers then blackmailed former and current patients - at least 25,000 of them - to pay a ransom sum in exchange for the promise of confidentiality of their leaked data.
The challenge of telehealth applications is also the driving purpose behind their existence: to collect health data from individuals. Some telehealth applications collect and store vastly more data than electronic databases managed by healthcare providers would typically contain. This makes the risk of harm attaching to unlawful disclosures much larger.
For example, in 2020, Babylon Health suffered a data breach that mistakenly sent videos of patients’ private consultations with doctors to other patients. The breach laid bare the risk inherent to video-based - or even audio-based - applications. And in many cases, that risk echoes over time, as telehealth appointment apps often keep a record of consultations for a significant amount of time. In Babylon Health’s case, at the time of writing, the period of retention of video or audio consultations is 10 years.
Similar concerns associated with the security of telemedicine were reported in terms of trust in the system, in particular by groups who feared persecution, such as undocumented migrants.
There are also concerns with the evolution of telemedicine to use various technologies including mobile phones and smart devices, for example wearables and Internet of Things (IoT). These concerns stem from the fact that the tools are controlled by a third party, not the healthcare actors, in terms of design and functionality or security.
Security is hard, and it is generally impossible to guarantee 100% security or that data breaches won’t occur. However, steps can always be taken to identify and mitigate risks. Legislation often plays an important role in laying down minimum privacy and security standards with which healthcare providers must comply.
In the United States, for example, the Health Insurance Portability and Accountability Act (HIPAA) provides that the processing of health data must be subject to high technical and administrative safeguards. This comes with specific requirements, which range from staff training to access, audit and integrity controls. These obligations also apply to third parties processing health data, such as software providers. This means that healthcare providers without ownership of or access to highly specialised software catering to HIPAA requirements are not able to resort to telehealth solutions.
The impact of the Covid-19 pandemic
As noted above, in response to the pandemic many countries resorted to digital solutions to provide care, including telemedicine in the reproductive and maternal care sector. However, many studies reflecting on such developments indicated a lack of guidance and regulation of such shifts, in particular in settings where such mechanisms were not in place before the pandemic.
Furthermore, the Covid-19 pandemic and the imperative to facilitate remote health consultations resulted in changes or suspensions to existing security and privacy frameworks. In early 2021, the US Department of Health and Human Services decided to exercise its enforcement discretion and waive penalties for HIPAA violations against healthcare providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the Covid-19 nationwide public health emergency. This meant lowering the standards applicable to platforms facilitating telemedicine.
While extraordinary challenges warrant extraordinary measures, it is important that the highest privacy and security standards be observed when it comes to health data. Therefore, any relaxation of standards should be limited to what is strictly necessary, for the shortest possible period.
While patients using telemedicine applications may expect their health data to be shared with their clinicians, some or all of that data may also be shared with third parties. For example, data entered in telemedicine platforms may be used to train healthcare systems. Similarly, data contained in electronic health records may be used to inform and train telemedicine initiatives. On occasion, this has happened without the prior knowledge and consent of data subjects.
In 2017, details of 1.6 million patients from the UK NHS were shared with Google’s DeepMind to develop and refine an alert, diagnosis and detection system that could spot patients with the risk of developing acute kidney injury. The UK Information Commissioner’s Office found that the NHS Trust had failed to comply with data protection law, as patients had not been adequately informed that their data would be used as part of the testing process.
As documented by Privacy International and others over the years, there are significant concerns with security applications including concerns of third-party data sharing. This is well-documented when it comes to menstruation and pregnancy applications for example.
This is particularly concerning when it involves third parties such as the private sector, who play a role in the provision of the service. In many instances it is unclear if such third parties have access to patient data in one way or another. It is also unclear if they use it for commercial purposes such as selling other health products, insurance or other business ventures, including utilising this data to train their own services and products.
Finally, in relation to wearables and other IoT devices, there are existing concerns about their data processing activities. This includes the web of partnerships they are building to diversify their sources of revenue by commercialising the incredible wealth of information they have about people’s lives, such as Fitbit’s partnership with insurance companies. These concerns are heightened when such companies are then bought out by tech giants, multiplying the risks and concerns.
What should be done differently
While there is great potential emerging from telemedicine especially as demonstrated with the realities and challenges faced during Covid-19, there remain significant concerns about privacy and surveillance. There are also concerns around inequality, poor governance and guidance.
Clear guidance and regulations of actors
There is a need for more comprehensive regulation and guidance for the use of such tools in the health sector by ensuring there is a clear framework and standards for telemedicine. These frameworks can take the form of ensuring compliance with existing safeguards provided in health regulations as well as data protection law.
Comprehensive digital health and/or specific telemedicine strategies and frameworks, and corresponding legislation where needed, will ensure there is a framework to guide and oversee the implementation of such digital tools in the health sector, and provide the roles and responsibilities of the actors involved in the ecosystem.
This regulatory framework is also needed in relation to the software and hardware working its way into the health sector, including mobile applications, wearables and IoT devices.
Privacy and security standards should inform decision-making and design
Privacy is often a source of concern for those who reportedly stand to benefit the most from any telemedicine initiative. A 2014 survey tackling the use of cameras in UK care homes found that, while the initiative was largely supported by relatives, it was opposed by over half of the care home residents surveyed. They cited privacy concerns as the overriding reason.
These concerns are valid and generally recognised by data protection frameworks, which categorise health data as sensitive or special category data, namely data warranting a higher level of protection and processing safeguards.
In practical terms, this translates into a prohibition for processing health data unless specific requirements are met, such as the explicit consent of the individual concerned or, as it may be in the case of healthcare, the protection of vital interests of the data subject. Genuine consent entails that the data subject is made aware of how their data will be processed, for how long and by whom. Transparency is therefore crucial to ensuring that this requirement is met.
Having a legal basis for processing health data, while a fundamental requirement, is not the only concern healthcare providers and third-parties involved in the deployment of telemedicine initiatives should have in mind. In accordance with well-established data protection principles, all entities involved should endeavour to minimise the data collected to what is strictly necessary for the purpose that the telemedicine technology was intended for.
Lastly, systems processing health data must be secure and protect against the risk of unauthorised disclosures.
Ensure complementarity and availability of services
Remote health monitoring platforms should be as inclusive as possible. They should not automatically assume that patients have reliable and affordable access to an internet connection, a smartphone, any necessary devices, or the money to meet these associated costs. This is particularly important in the impact assessment, and then the design and implementation, of telemedicine, to ensure that gender inequality and other inequities are not reinforced and do not become yet another factor of exclusion.
If difficulties emerge and it becomes apparent that some patients cannot access the quality of care they need through telemedicine, workable alternatives should be offered to the patient, including in-person care.
Regulating the role of industry
In many instances of telemedicine there will be a public-private partnership. This means that a public body will work in partnership with a private company. In some instances it may be solely provided by a private company within or outside a state-provided health system.
Therefore, there is a need to regulate the role of industry in both scenarios: where industry enables and provides digital solutions to governments, and to ensure they abide by certain normative and legislative obligations to protect patients.
There is finally a need for greater scrutiny of how mobile applications, wearables and IoT devices are designed, to ensure that privacy is built into such tech from the outset.