18.10.2024

Data protection in medical robotics in the era of AI ACT and EHDS - conference

On 15 October this year, a conference was held by the Personal Data Protection Office and the AI One Health Foundation, ‘Data protection in medical robotics in the era of AI ACT and EHDS’, co-organised by the Polish Chamber of Commerce of Medical Devices POLMED and the National Information Processing Institute, in cooperation with the Social Team of Experts at the President of the Personal Data Protection Office.

‘The legal environment for obtaining and storing medical data is changing, and the EHDS introduces a new framework for the secure use of medical data at the European level,’ Mirosław Wróblewski, President of the Personal Data Protection Office, pointed out at the beginning of the meeting.

The President of the Personal Data Protection Office highlighted the importance of close cooperation and clear regulation between technology and data protection, crucial both for ensuring patient privacy and for medical progress. In the face of these challenges, the Artificial Intelligence Act (AI Act) and the European Health Data Space (EHDS), which aim to monitor and regulate the processing of health data, play a major role.

As highlighted by the President of the Personal Data Protection Office, recital 16 of the draft EHDS Regulation imposes on the Personal Data Protection Office, as well as on other supervisory authorities, the obligation to monitor compliance with the rules on the processing of personal data in the context of AI. The Office will therefore be responsible for verifying whether medical data processors comply with data protection legislation.

Medical progress and access to data

The harmonious combination of the security of medical data afforded by EHDS with its innovative use can contribute to significant advances in medicine.

It was pointed out that entering the next stage of technological progress - health technology - differs from the previous stage in that it can operate remotely, including through robots.

Health services depend on the data provided by test results obtained with various types of devices. These devices can think, learn and make decisions autonomously, and they update their way of working on the basis of constantly processed information. It is therefore important to provide them with reliable, real medical data. Such data should not only be effectively protected, but also actively used for research and development purposes.

A medical service is a process, a chain of consecutive events from prediction, warning, surveillance, diagnosis, therapy to rehabilitation. Artificial intelligence collects information, then arranges it into specific categories and gives suggestions for decisions. It links the chain between prediction and warning, between surveillance and diagnosis, therapy and rehabilitation. In turn, the new regulations are designed to ensure that procedures relating to data processing comply with the highest ethical standards, while allowing scientists and research institutions access to information that can lead to breakthroughs and improvements in healthcare.

Culture of health data protection in Poland

During the debate, the problem of documentation and data security in hospitals was raised. The Supreme Audit Office report shows that the majority of hospitals do not ensure an adequate level of security of medical data and of access to documentation for patients, which calls into question the basic rights of data subjects.

Participants in the discussion stressed that although procedures exist for handling data in the medical sector, in practice they are often not applied. Procedures should be clear and concise in order to minimise bureaucracy and to enable their actual application.

The President of the Personal Data Protection Office stressed that the EHDS is a sector-specific regulation that must be applied in close cooperation with the GDPR and other legislation, such as the Artificial Intelligence Act. Therefore, it is important that the measures taken are actually implemented in practice and not limited to the superficial development of new procedures.

The need to build trust in the relationship between patients and medical staff and the need for regular staff training to raise awareness of data protection was highlighted. Constantly updating the knowledge of medical staff is essential for patient safety. Furthermore, data protection information should be communicated to medical staff in simple and understandable language.

It was pointed out that the EHDS allows easier access to data for doctors and medical professionals, which should contribute to the development of research.

As noted, there is currently confusion in the regulation of the medical data area. At issue are barriers in the provisions of the Act on Patients' Rights, which include the transfer of data to the Agency. These issues need to be reformed as a matter of urgency, and the role of the drafter, the Ministry of Health, is important in this regard.

Robot-assisted surgery

The discussion of robotic surgery highlighted an important problem of perception: the assumption that robots perform surgical procedures better than humans. An example is the da Vinci system, which has limited use in certain types of surgery.

Robotic surgery should not be seen as a total alternative to traditional surgery, but as a tool that, under the right conditions, can support doctors by increasing the precision and efficiency of procedures. It is important to develop this technology thoughtfully, taking into account both its capabilities and limitations.

The need for reliable measurements of the effectiveness of robotic surgery and monitoring of patients' post-operative outcomes was pointed out. It was emphasised that the lack of such data makes it difficult to assess the true effectiveness of robotic surgery. It is also important to establish an unambiguous definition of robotic surgery in order to better understand its specificity and application.

Threat of hacking attacks on medical robots

The debate focused on the topic of the growing risks associated with automated systems, such as surgical robots, which are vulnerable to cyber-attacks.

Hacking attacks on medical robots are a serious threat. Participants spoke about the need to ensure proper data hygiene and to introduce standardisation at the European Union level to protect the security of the information processed. Inadequate security and vulnerabilities in robot operating systems can lead to dramatic consequences. An example of this is a situation where a hacker, by manipulating data, could cause a patient to undergo a different procedure than planned. The introduction of false information or incorrect parameters can lead to erroneous medical decisions and ultimately create a risk to patients' health and lives.

The development of effective security mechanisms and reliable operational systems will provide guarantees for the protection of both patients and medical staff. Problems with the functioning of these systems can paralyse doctors' actions, limiting their ability to make quick and appropriate decisions in emergency situations.

Measures to increase the safety of medical technology should become a priority in order to realise the full potential of innovation in robotic surgery.

The future of healthcare data protection in the cloud

Cloud technology is becoming increasingly important in the medical sector. As health administrations adapt to the new realities, it becomes critical to have appropriate checklists in place to support administrators in ensuring compliance.

The EDPB supports controllers in building such checklists through, among other things, Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Controllers need to carefully consider what technological solutions they are putting in place. The analysis of cloud measures should be carried out in compliance with the accountability principle. Faced with these changes, controllers are obliged to adapt their systems to the new requirements.

Unfortunately, it is often the case that medical facilities do not appoint a Data Protection Officer (DPO). Meanwhile, the presence of a DPO is crucial for effective personal data protection and compliance with the law.

Certification of specific medical services does not equal legalisation of medical processes. Compliance must be maintained at every stage of the process, which is why the role of the DPO is so important.

It was also highlighted that although patient consent is recognised as the best basis for data processing, the EHDS departs from this principle. Today's consent challenges could block the development of innovative medical solutions.

Implement technology responsibly and safely

Effective implementation of the legislation, building trust in the relationship between patients and staff and ensuring appropriate access to data were the main conclusions of the meeting.

New regulations, such as the EHDS and the Artificial Intelligence Act, present the healthcare sector with many challenges, but also an opportunity for growth.

The global healthcare market is expected to reach $320 billion, highlighting the importance of effective data protection as the industry continues to grow. With the changes to come, controllers must adapt their practices to the rapidly evolving legal and technological environment.

The discussion undertaken during the conference is a contribution to further consideration of the necessary courses of action. Only in this way will we build a safe space for health data, in which the patient's right to the protection of personal data is always respected and any procedures used with medical robots take into account the provisions of the General Data Protection Regulation.

The conference was held under the honorary patronage of the Minister of Health and the Minister of Science. Among the guests were medical experts, representatives of government institutions, business and members of the Social Expert Team to the President of the Personal Data Protection Office.