Agenda

Embedding Privacy in Digital Health

WEDNESDAY, MAY 25, 2022

Sessions will be aired in Eastern Time in the U.S.

10:55 AM

WELCOME FROM ACTIONABLE INTELLIGENCE NETWORK

Satish Kavirajan, Managing Director, Actionable intelligence Network


11:00 AM

CHAIRPERSONS’ OPENING REMARKS

John Giantsidis, JD, M.Eng., President, CyberActa, Inc.
Naeem Hashmi, Digital Health Solutions, Strategic Advisor, Boston Scientific


11:15 AM

DIGITAL HEALTH PRIVACY: GROWING COMPLEXITY

This presentation will review the complex web of privacy laws applicable to medical devices, the Internet of Medical Things, and wearable devices.  Using practical hypotheticals, the session will explore when these digital health products are subject to HIPAA, FTC privacy principles and the California Consumer Privacy Act.  The presentation will also cover best practices for developing a privacy policy and privacy compliance program consistent with applicable laws and best practices.

Reece Hirsch, Partner, Morgan Lewis & Bockius LLP


11:45 AM

PANEL DISCUSSION: GOVERNMENT PERSPECTIVES ON PRIVACY AND DIGITAL HEALTH

The HHS Office for Civil Rights and the Federal Trade Commission are the principal privacy and security regulators in the digital health space. This panel will address how the two agencies regulate various digital health products, from medical devices to mobile health apps. The panelists will review the latest enforcement and regulatory developments in digital health privacy, focusing upon practical hypotheticals and questions from attendees.

Moderator:
Reece Hirsch, Partner, Morgan Lewis & Bockius LLP

Panelists:
Lisa P. Goldstein, Health Information Privacy Specialist, HHS Office for Civil Rights
Ronnie Solomon, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission


12:40 PM

OVERVIEW OF GDPR AND FUTURE EU LEGISLATION

  • Contrast GDPR with HIPAA
    6 principles and 3 rights
  • Future EU legislation
    Digital Marketing Act,
    Digital Services Act
    Digital Governance Act
    Privacy
    AI
    De Identification issues
  • Issues with GDPR
    Handling healthcare (sensitive) information
    Transfers outside of EU (Article 44 post Schrems II)
    Privacy by design and default (Article 25 medical device software)
  • Staying out of trouble
    Good cyber security
    Privacy Policy
    Subject access request

William Gamble, GDPR Consultant, IT Governance USA Ltd.

1:10 PM

Virtual Networking Break

1:30 PM

ETHICAL, LEGAL, AND SOCIAL CONSIDERATIONS FOR REAL-WORLD DATA IN PUBLIC AND PRIVATE DOMAINS

Today in the 21st century, the sensitivity of private health care data increasingly overlaps with the sensitivity of private and public digital consumer health data, warranting a closer look at comprehensive privacy protections, the need for stronger digital health literacy education, research, and more. Dr. Hendricks-Sturrup will describe this phenomenon, present some of her latest research on the topic, and engage the audience in discussion and activities where they may share their perspectives.

Rachele Hendricks-Sturrup, DHSc, MSc, MA, Research Director, Duke-Margolis Center for Health Policy


2:00 PM

ENGINEERING PRIVACY IN MEDICAL DEVICES AND HEALTH PRODUCTS

Today, medical devices are dynamic, providing many touch points. And their data surface is no longer limited to within the box alone. With 5G, the need for localizing data may go away, making the data surface very wide and spread across many geo-boundaries. Preserving individual’s privacy is a huge nightmare. Although privacy and security are joined at the ‘hips’, they are very different ‘mentally’. We simply can’t keep building higher walls to protect privacy. In fact, building higher walls does not protect privacy. We need to engineer privacy within the products to take advantage of security walls to avoid data exposure and leaks.

In this session, you will learn:

  • Privacy engineering approaches suited best to medical devices, SaMDs, wearables and health software.
  • How software engineering methodologies (Agile, SCRUM, Waterfall) impact your product privacy design
  • Operationalizing privacy – role of consent in data management
  • Preserving privacy in analytics/AI/ML powered products and research

Naeem Hashmi, Digital Health Solutions, Strategic Advisor, Boston Scientific


2:30 PM

DIGITAL HEALTH APPS AND SOFTWARE AS A MEDICAL DEVICE (SAMD) – INCORPORATING PRIVACY ENGINEERING IN YOUR ENGINEERING PRACTICES

Digital technologies have transformed our lives. Now the data-driven revolution is beginning to transform healthcare. By realizing the potential of digital health, artificial intelligence (AI) and machine learning (ML), we can accelerate the shift towards patient-centered, outcomes-focused access, sustainable healthcare. Digital health is a broad term that encompasses a variety of terms including e-health, m-health and telehealth and captures everything from electronic patient records, remote monitoring, connected devices, digital therapeutics and more. It means embracing information technology, big data, AI and machine learning to collect, share, analyze and use data on patient outcomes to help healthcare professionals make informed decisions and to improve care. Some of those may be considered medical devices (SaMD) and some may be considered clinical decision support (CDS) software. Some of them are regulated by the FDA and other regulatory bodies, and some are not.

But all have a common expectation: privacy.

So, how do we go about designing, building, and commercializing digital health solutions that incorporate the principles of privacy? Integrating privacy requirements in the design of digital health is not a simple task. Privacy is generally not the primary requirement of a SaMD, and it may even come into conflict with other (functional or non-functional) requirements. It is therefore of paramount importance to precisely define the goals of a Privacy by Design process. These goals should form the starting point of the process itself and the basis of its evaluation.

Learn how to embed privacy in your design and development process with a methodological focus centered on risk management that lets you employ privacy utilizing suitable practices, procedures, and tools.

John Giantsidis, JD, M.Eng., President, CyberActa, Inc.


3:00 PM

KEY CONSIDERATIONS IN CONDUCTING A PRIVACY IMPACT ASSESSMENT

A privacy impact assessment (PIA) is an essential part of many projects and can be used to help companies identify the potential risks arising from their collection, use, or handling of information, to find out if they are meeting their legal and regulatory obligations. A PIA focuses on identifying the ways a new project (product or service) or changes to an existing process may affect personal privacy, to help organizations make more informed decisions and better manage privacy risks.

It is important to decide whether to do a PIA early in the projects’ lifecycle. If you fail to identify how your project is likely to affect the individuals whose information you are collecting and using, there are real risks for your organization and for the success of your project. The scale and complexity of your PIA will depend on the scale and complexity of your project and it is not a last-minute legal compliance checklist – rather it’s an active tool to help inform the major decisions involved in planning and implementing your project.

Let’s walk through together the questions to answer before you start any Privacy Impact Assessment, the key steps involved in any PIA and what each of those steps involves, and further steps to consider if your project is more complex or the risks are more significant.

John Giantsidis, JD, M.Eng., President, CyberActa, Inc.

3:30 PM

Virtual Networking Break

3:45 PM

PRIVACY IN DIGITAL HEALTH FROM THE PATIENT PERSPECTIVE

The explosive growth and evolution of cloud and wireless technology, network speed and connectivity, data communications, and sensor technology teamed with a seemingly endless array of applications and devices have fueled the rapid advancement of health care information technologies (HIT), cyber-physical systems (CPS) and the Internet of Things (IoT). As routine (and sometimes non-routine) patient interaction moves farther away from being delivered exclusively in a physical setting to having greater and more innovative options for care delivery in a virtual space, cybersecurity and privacy have become critical components of care quality and patient safety. There is a shared responsibility between the manufacturers, healthcare delivery organizations, and patients themselves to assure the privacy architected and embedded into Digital Health is genuinely achieved at the endpoints. Privacy in Digital Health from the Patient Perspective will discuss the steps we must take to protect and enhance this critical aspect of each patient’s life.

George W. Jackson, Jr., PhD, MBA, HCISPP, CISSP, PMP, CRISC, Director, Health IT and Digital Health, Clearwater


4:15 PM

A TOUR THROUGH THE PRIVACY LANDSCAPE WHEN DEVELOPING AND INCORPORATING ML/AI AND OTHER DATA-DRIVEN METHODOLOGY INTO MEDICAL DEVICE SOFTWARE (MDSW)

It seems like every digital health tool, medical device and healthcare IT solution is incorporating some type of data-driven analytic capability. The innovations may be algorithms that were pre-trained on existing data and process new data against the trained model or they might be adaptive algorithms that continuously evolve or adapt to noise processes and new features in data streams the medical device system acquires.  In certain situations, the risk-management and regulatory analysis for these data-driven models have adequate predicates whereas there are gray areas in others. Regardless of quality and regulatory complexity, the topic of patient and provider privacy is paramount for risk assessment when considering the widespread adoption and distribution of data-driven technologies.

This talk is intended to inform the audience via an overview of the landscape MDSW manufacturers face, across the lifecycle of products with data-driven capabilities/ features. The audience will leave the talk with some ideas – based upon good-practice from experience – how to better manage privacy risk in these types of product while enabling innovation. There is much potential for bettering care delivery with analytical methods, but they must be developed and delivered in trustworthy ways. Key topics to be covered:

  • Definitions and Classifications
    • What do I mean by “AI”?
    • To be or not to be a medical device
    • Common terms and misunderstandings
  • State Of The Art Machine Intelligence techniques with application in MDSW
    • Past
    • Present
    • Future
  • Specialized Privacy Risks Inherent with these methods
    • Medical Imaging
    • Molecular and cellular data
    • Population health
  • Mitigations and state-of-the-art privacy preserving techniques – pros/cons:
    • Multiparty Computing and cryptographic methods
      • Secured Multiparty Computing
      • Homomorphic encryption
    • Differential Privacy
    • Federated Learning
  • Takeaways

John F. Kalafut, PhD, Founder & Principal, Asher Orion Group


4:45 PM

MANAGING PRIVACY FOR SAMD PRODUCTS ON THE CLOUD

  1. Introduction
  2. Defining digital health & SaMD
    – From a cloud computing/privacy perspective
  1. Use case examples for SaMD products on the cloud
  2. Typical flow of PII and PHI in SaMD products on the cloud
  3. Examples of data breaches/vulnerabilities
    – Implications of data breaches/vulnerabilities – using examples from media of data breach fines or from regulatory bodies regarding potential fines.
  1. Practical measures for managing privacy for SaMD products on the cloud
    – Defining privacy-by-design and commentary on the overall privacy framework for SaMD products on the cloud
    – Privacy considerations for SaMD architectural design
    – Operationalizing privacy for SaMD
  1. Wrap-up/summary
  2. Discussion/Q&A

Elena Ames, CIMP, CDPSE, Data Privacy Officer, BrightInsight
James P. Keller, Jr., MS, AAMIF, FACCE, Business Development Director, Medical Devices, BrightInsight

5:15 PM

Virtual Networking Reception

6:00 PM

Day One Concludes

THURSDAY, MAY 26, 2022

Sessions will be aired in Eastern Time in the U.S.

11:00 AM

FIRESIDE CHAT: 21ST CENTURY CURES ACT – SECURING PERSONAL HEALTH INFORMATION IN THE EMERGING AGE OF EXPANDING INTEROPERABILITY

While the 21st Century Cures Act drives a much-needed expansion of the sharing medical information using APIs and FHIR, this increased interoperability poses a risk to keeping private this personal health information. This is due to the now larger number of new information technology applications used for sharing data. These applications expand the exchange of information among providers, payers, life science companies, and patients. In this panel discussion, attendees will:

  • Understand the benefits of expanding the sharing of PHI (protected health information)
  • Review the risks associated with the increased sharing of PHI
  • Hear how interoperability raises privacy concerns for stakeholders

Moderator:
Barry P. Chaiken, MD, Author, Navigating the Code: How Revolutionary Technology Transforms the Patient-Physician Journey

Panelists:
Scott T. MacLean, FHIMSS, Senior Vice President & Chief Information Officer, MedStar Health
Ajit Patwardhan, MD, MS, MBA, Executive Medical Safety Officer, Olympus
Corporation of the Americas

11:45 AM

PANEL DISCUSSION: PRIVACY AND LEGACY MEDICAL DEVICES

Moderator:
Jeffrey Moore, Chief Product Security Officer, Draeger Medical

Panelists:
Nina Alli, Executive Director, Biohacking Village
Seth Carmody, VP, Regulatory Strategy, MedCrypt
Colin Morgan, CISSP, CISM, GPEN, Managing Director, Apraciti, LLC

12:45 PM

Virtual Networking Break

1:30 PM

PRIVACY BY DESIGN FOR SOFTWARE PRODUCT AND ENGINEERING TEAMS

If your database schema is not designed for privacy, don’t let your colleagues fool you into thinking it’s something you can just add in later as a layer. If your modern APIs and integration points aren’t privacy-aware by design, you cannot simply patch it in a future release. If you’re writing code for zero trust, you can’t just change it easily later. Join long-time healthcare CTO Shahid Shah as he talks about the technical means to ensure privacy by design, such as how to create database schemas that allow privacy and security at the table and row levels and how to write code and perform QA to ensure privacy is in the software development lifecycle. This is a can’t miss talk for CTOs, heads of product management, senior engineers, senior architects, developers, programmers, and database professionals (DBAs).

Shahid Shah, Publisher & Chief Editor, Medigy.com


2:00 PM

DIGITAL HEALTH, MEDICAL XR, AND HACKING HUMANS – NEW SOLUTIONS FOR CYBERHEALTH

Digital health and associated spheres like medical extended reality, wearables and implantables, provide new opportunities for extended healthcare access and medical training to a wide swath of the population. Further, pandemic resilience requires the creation of integrated warning systems that can collect and integrate sensitive data at the edge. In many cases, the data collected passively and actively by devices at the edge include biometrics and biometrically-inferred data – the most sensitive data we own. User identification, authentication, data collection, storage, and connectivity on both decentralized and aggregated networks create new threat landscapes that are exacerbated by key edge vulnerabilities. In this talk, we explore some of this new risk landscape, as well as new network solutions and frameworks that provide means for user-centric control, security, and privacy, which will revolutionize both cyberhealth networks as well as edge-based user interactions with Web 3.0 and the metaverse.

In this talk, you will learn:

  1. how to think about the dizzying new array of data collection types and data producers that can be used for intelligent healthcare;
  2. how health and wellness shifted into the commercial market create new opportunities for monitoring, wellness, and risk;
  3. how interactions between biometrics and commercial endeavors, including Web 3.0 and the burgeoning metaverse, create new opportunities and biometric risk;
  4. how humans can be literally hacked and subject to ransomware, much as machines and software;
  5. how future internet architectures and exponential thinking might enhance cybersecurity and user-centric control at the network’s edge.

Divya Chander, MD, PhD, Medical Advisor, Extended Reality Safety Initiative (XRSI) & Chair of Neuroscience and Faculty of Medicine, Singularity University


2:30 PM

ESTABLISHING AND OPERATIONALIZING A DATA PRIVACY PROGRAM

Health data is spilling over the 4 walls of traditional healthcare systems. Digital Health innovations are accelerating consumerization of health products/practices and posing a huge challenge – how to design ‘privacy friendly’ organization and products that comply with local and global consumer-related privacy protection regulations.

In this session, the speaker will discuss a real-world use case to implement a consumer-privacy data program and privacy governance model to operationalize data privacy – within the organization and the consumer products.

Topics:

  • Launching a data privacy program and creating a data governance structure
  • Operationalizing the data privacy program – awareness, education, policies, SOPs
  • Embedding privacy in consumer products throughout the product life cycle
  • Tips and lessons learned: challenges and what worked?

Sam Riley, Senior Corporate Counsel, Dascena

3:00 PM

Virtual Networking Reception

4:00 PM

Summit Concludes