How Strong Data Protection Can Help Drive Digital Health Advancements

The benefits are increasingly clear. Remote and telemedicine have already helped maintain a high standard of patient care during the COVID-19 pandemic. Hospitals and general practitioners regularly share digital medical files to help ensure more efficient treatment between disciplines. More patients are taking advantage of the opportunity to keep a closer check on their own health. The number of wearable devices, such as fitness trackers, has almost doubled in the last few years. Around 87 million smartphone users in the US use at least one health or fitness app monthly.

So what happens with all this data? How can we ensure that physicians and patients can take advantage of the potentially lifesaving opportunities digital health innovations can provide while knowing their data is safe?

As BIOTRONIK's Data Protection Officer Boris Arendt told us during an interview for Data Protection Day, innovation and data protection can mutually reinforce each other—and digital innovation need not come at the expense of privacy.

I am a lawyer specializing in IT law and have headed the data protection department at BIOTRONIK for three years now. Along with my team, I’m responsible for making sure we comply with data protection laws and regulations around the world, especially the European General Data Protection Regulation (GDPR), since we’re based in Germany and so is our Home Monitoring Service Center. We work very closely with specialist teams, especially those behind Home Monitoring and our Patient App, as well as our IT and Cybersecurity teams, to make sure we’re operating those services in full compliance with all relevant laws.

Our work is actually very exciting overall. Since we’re a global medical device manufacturer and provider of digital health services, personal data is often being processed and transferred internationally—so we must keep an eye on the data protection laws and regulations that apply in virtually every part of the world. That means being in regular contact with our colleagues in every region in which we do business. It’s challenging, but very rewarding work, especially because we’re involved in important projects that help improve the health and lives of patients around the world.

We also work on ways we can better use data to create value for our clients and help patients manage their health in an increasingly networked world. That might be through recent innovations like artificial intelligence (AI), for example. In our field, we often refer to this as “increasing data sovereignty.”

Data security requirements are constantly evolving with advancing technology and digitalization, particularly when we consider cloud services and connected health applications. This results in a continuous need for review and adjustment. For Home Monitoring, just to use one example, we operate an information security management system that is certified in accordance with the international security standard ISO/IEC 27001. Under this standard, Home Monitoring is independently audited, to make sure we’re keeping up with these ever-changing standards and requirements.

The core area of our data processing takes place in our own data centers in Germany. GDPR is a robust and complex EU regulation. Around global data transfer requirements in particular, it’s one of the strictest pieces of data protection legislation in the world—and the clinics we work with who are outside the EU know it offers a high data protection standard. It certainly makes our work challenging, but it gives us the opportunity to reassure patients and physicians that their data is secure, creating trust amongst our clients and their patients, both in Europe and around the world. We’re noticing this more and more lately, as we get more questions from the clinics we work with on data security. Patients and physicians are clearly taking an interest in the topic, which is a great opportunity for us to both educate and reassure.

Health care digitalization and patient data protection are not contradictory. Of course, higher standards for health data make sense given how sensitive it is. But as I always say, almost anything is possible as long as it’s planned and handled properly. Data protection law offers a wide range of standards for how data should be processed in a digital world. This is exactly where we see an essential role for us as a team. We support new projects or health applications early on in product development. That way, we can make sure data protection parameters are clear to everyone involved right from the get-go. In this way, data privacy isn’t an add-on or afterthought but rather built right into the initial concept for a new product or application. This is what’s meant by the GDPR’s “Privacy by Design” Principle. In this way, I would even go so far as to say that data protection regulations like GDPR can be considered a driver for digitalization. New digital designs focus increasingly on the automatic implementation of data subject rights, especially as more and more places around the world are taking inspiration from European GDPR for their own data protection laws. Long term, that will likely help create a global standard.

We’re also seeing governments incentivize innovation that follows the “Privacy by Design” principle. For example, the German government requires developers of health applications to pass a test procedure before they will clear the application to be reimbursed by health insurance funds operating in the country. That test procedure includes implementing specified GDPR requirements and other data security measures. With data protection built right into incentive structures, digital health development is even more closely linked with a respect for data privacy. We’re now seeing many other countries adopting a similar kind of procedure.

BIOTRONIK has always ensured the highest quality solutions and we prioritize patient safety. We run a data protection management system (DPMS) that steers and implements GDPR and other regulatory requirements and continuously improves the necessary technical and organizational processes. Beyond that, we make sure our employees have a clear understanding of our data protection policies and processes, and work with our partner clinics to make sure they can ensure patient data protection on their end—especially when they’re using a service like Home Monitoring.

As a member of both MedTech Europe and BVMed, we also serve on industry committees in the field of data protection and digital health. A particularly exciting conversation at the moment is how to use artificial intelligence in dealing with health data, and how to increase data sovereignty in healthcare.

As we generate more and more data, both to manage our own health and in general, strong data protection procedures will only become more crucial. But as Boris has pointed out, that doesn’t need to be a process of making sure data protection keeps up with innovation, but that innovation comes with privacy already integrated into its very concept. That’s a commitment BIOTRONIK supports and will continue.