Marcus Comiter, "Data Policy for Internet of Things Healthcare Devices: Aligning Patient, Industry, and Privacy Goals in the Age of Big Data"


Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.

This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.

Published in: Healthcare
  1. Data Policy for Internet of Things Healthcare Devices: Aligning Patient, Industry, and Privacy Goals in the Age of Big Data. Marcus Comiter, Harvard University. May 6, 2016
  2. Digital, Physical
  3. Internet of Things (IoT): Sense, Network, Take Actions
  4. Components of an IoT Healthcare System: Data Layer, Devices, Applications
  5. Types of Healthcare Data
      • Electronic Health Records: digital version of existing data modalities
      • Internet of Things: new data modalities (activity and sleep trackers, daily blood chemistry analyzers, 24/7 heart rate monitors)
  6. Ramifications of the Healthcare IoT and Data Layer
      • Fundamentally transform aspects of chronic disease prevention and treatment
      • Medical Research
      • Long-term collection
      • Large-scale studies
      • New modalities
      • New economic models
      • Provision of immediate incentives for healthy living via market forces
  7. Potential Futures: Innovation and Advancement; Misuse and Abuse; Nothing at All
  8. Main Points
      > Comparative Approach: Looking to the Internet as a Model. The data collected from IoT healthcare devices is fundamentally different in nature from traditional sources of healthcare data, such as medical records, and far more similar to data characterized by the development of the Internet.
      > Third Party Data Auditors (TPDAs) as a Solution. TPDAs are specialized, highly technical third party actors hired by individuals to audit the use of their healthcare data by data owners such as insurance companies, data brokers, and researchers. TPDAs address the shortcomings of data policy regulation on the Internet by building both a technical and a policy regime into the Healthcare IoT and Data Layer itself, aimed at explicitly aligning the incentives of patients, researchers, insurers, and government with the end goal of treating and preventing chronic disease while giving users full control over and understanding of their data.
  9. Outline of Talk
      1. Considerations in Designing Policy for Data as a Healthcare Platform
      2. Third Party Data Auditors: A New Solution
      3. TPDAs Address Important Considerations in Data Policy
      4. Policy Recommendations for Precipitating TPDAs
  10. Policy Considerations
  11. Consideration One: Individual Awareness
  12. Individual Awareness
      • The ability of individuals to be cognizant of what data has been collected, and how it could possibly be used.
      • Even when privacy may not exist, an awareness of this lack of privacy has utility
  13. Individual Awareness on the Internet
      • The current model of data collection on the Internet greatly complicates, if not destroys, the concept of individual awareness.
      • Structurally, the Internet has developed into a de facto surveillance state.
      • The data collection happens surreptitiously: technology facilitates tremendous amounts of data collection without ever needing to inform or interact with its target
      • Incidental
      • Purposeful
      • Systematic
      • Data brokers
  14. Individual Awareness in the Healthcare IoT
      • The same challenges to consumer awareness discussed in the previous section, as well as additional ones, apply just as strongly to the Healthcare IoT and Data Layer
      • Lack of consent mechanism for IoT devices (Activity Tracker example)
      • Phone as the core of a Personal Area Net (PAN)
  15. Consideration Two: Accountability through Transparency
  16. Accountability
      • Accountability of actions taken on the data layer relies on transparency of practices
      • This lack of accountability is strikingly out of line with existing policy in similar matters
      • The FCRA attached accountability to these organizations by requiring them to “provide notice when an adverse action, such as the denial of credit, is taken based on the content of [their] report.”
      • Realize the relevancy of this legislation to the current situation of the data layer: a non-consumer facing industry (credit agencies) that had substantial powers over consumers (the public) but little accountability, was legislatively mandated to increase its accountability to consumers.
      • This situation mirrors the data layer, and bears special resemblance to data brokers.
  17. Accountability on the Internet
      • Many data layer firms are not consumer-facing firms (i.e., the firms collecting, selling, and using the data of a particular individual do not necessarily have a relationship with that individual)
      • E.g., data brokers have virtually no relationship with subjects
      • Many individuals are completely unaware even of the existence of data brokers, let alone understand how their data is being used.
  18. Accountability in the Healthcare IoT
      • Just as in the Internet economy, data brokers have already emerged that combine and sell anonymized healthcare data.
      • As individuals and their medical care will be increasingly affected by the data associated with them, they have a fundamental right to ensure attributes such as the accuracy, collection standards, and use of this data are appropriately held to societal standards.
      • These ideas are certainly not novel: they have underscored the FTC’s Fair Information Practice Principles (FIPPs) since the 1970s.
  19. Consideration Three: Enforcement of Existing Laws
  20. Enforcement on the Internet
      • Data points, when combined and used with inference algorithms, can be used to create de facto indicators of race, ethnicity, religion, sexual orientation, and other markers that have traditionally been avenues for discrimination
      • A White House report on Big Data cites an instance of racial discrimination on the Internet (search result example)
  21. Enforcement on the Healthcare IoT
      • Firms may hide behind complicated algorithms that are able to create discriminatory or harmful behavior automatically.
      • A firm may create an algorithm which, when given data as input, automatically learns discriminatory behavior.
      • Many ethnic, religious, and racial groups have particular health issues that can be traced not only to genetic causes, but also to cultural and societal causes. Algorithms may potentially create de facto indicators for these lawfully protected groups
      • This can even happen without the knowledge of the firm itself
  22. Consideration Four: Protecting Innovation
  23. Protecting Innovation
      • Previously discussed advancements
      • Maintaining consumer confidence in the Healthcare IoT and Data Layer itself
      • With the power the data provides firms, there are a number of incentives for firms with access to this data to act poorly in order to turn a quick profit
  24. Third Party Data Auditors (TPDAs)
  25. What are TPDAs?
      • TPDAs are a class of highly technical, skilled, private market organizations that are hired by individuals to monitor and audit the collection and use of their data.
      • After collecting all of the data that has been collected on their clients by data layer firms, TPDAs analyze the data that was collected, how the data was collected, and how it was used.
      • Once finished with this analysis, the TPDAs present their findings to the client in an easy-to-comprehend report, and alert them to potentially harmful, unscrupulous, or unlawful collections or uses of data.
      • By empowering individuals, TPDAs will allow the citizenry to regain control of their lives on the data layer.
  26. What are TPDAs?
      • TPDAs are entirely devoted to protecting the citizenry on the healthcare data layer
      • A regulatory policy creating TPDAs is essentially instantiating a permanent citizen advocate in the data layer.
      • TPDAs will embody policy goals without top down regulation
      • TPDAs' market-based structure allows them to address the rapidly changing technology sector
      • TPDAs can address data layer regulation by leveraging the same entrepreneurial spirit, energy, and zeal that has itself created the technology sector (fighting fire with fire)
  27. How TPDAs will Operate
  28. 1. Certification
      • Similar structure to other trusted groups
      • Doctors
      • Lawyers
      • Credit Reporting Agencies
  29. 2. Initial TPDA Setup
      • Choose which data layer firms (e.g., which data brokers) the TPDA will offer as part of its auditing services
      • Write software to be able to interact with these firms’ data systems, allowing the TPDA to work with the data it receives on its clients from the data layer firms.
      • Begin creating the software they will use to analyze and audit their clients’ data.
      • Using highly technical data processing, machine learning, and statistical techniques, each TPDA will design its own “secret sauce” with which to understand how data is used.
  30. 3. Client Hires
      • The client provides the appropriate level of identification, as well as authorization to request their data from data layer firms.
  31. 4. TPDA Requests Data
      • TPDA uses the identification and authorization provided by its client to pull, or request, the client’s data from all data layer firms with which the TPDA offers auditing services.
  32. 5. The TPDA Parses and Analyzes the Data
      • Using the proprietary algorithms and methods it has previously designed, the TPDA begins analyzing how the client’s data has been used.
      • By searching for common patterns, understanding use cases, and tracking data flow between all of the firms being audited, the TPDA attempts to find all of the relevant information regarding the use of the data.
      • This is a very powerful idea, as TPDAs directly allow technology, rather than just policy, to regulate the data layer.
  33. 6. Formulating a Report
      • The TPDA produces a detailed report for each of its clients that is both informative and actionable
      • Each report contains information regarding how the client’s data has been used, and will alert clients to any potentially sensitive, illegal, or abusive uses of data.
      • This report may also make suggestions as to changes in use of technologies, tracking opt-out opportunities not currently utilized, and other potential suggestions of import.
  34. How TPDAs Address Policy Considerations
  35. Individual Awareness
      • The cornerstone of TPDAs is in providing individual awareness as a service
      • Through the report and advisory roles TPDAs play, consumers are empowered to understand what data has been and is being collected, and how this data is being used, shared, and sold within the data layer
  36. Accountability through Transparency
      • TPDAs create an accountability mechanism by creating a window through which consumers may examine data layer firms.
      • Importantly, this window is a meaningful one through which consumers may draw useful and actionable information, and is well suited to the current and future state of the data layer.
  37. Enforcement of Laws
      • On an individual level, consumers can now see what information has been collected and shared with particular organizations, as well as the data-based inferences made from it by data layer firms such as data brokers.
      • Once empowered with this information, consumers, either by their own impetus or on recommendation of their TPDA, may further examine potential misuses of data.
  38. Protecting Innovation
      • Realize that there is little if any burden placed on data layer firms
      • Rather than recommending top down, broad regulatory policy for the data industry as a whole, TPDAs empower better decision making through empowering consumers and regulators to better understand the data industry and how it operates.
  39. Policy Recommendations
      1. Mandate Data Access
      2. Create TPDA Regulations and Certification Process
      3. Educate the Citizenry
  40. Mandate Data Access: Congress should mandate that all Healthcare IoT and Data Layer firms must oblige consumer requests for access to any data held on them by a firm, regardless of whether that firm collected or purchased that data. Data includes both facts directly collected on an individual, as well as inferences made about that individual.
  41. Create TPDA Regulations and Certification Process: Congress should create a task force to create the necessary regulations regarding the legal responsibilities of TPDAs, or task the FTC with this responsibility. Following this, Congress should task the FTC with setting up the mechanism to create the TPDA certification process.
  42. Educate the Citizenry: Congress should create a task force to educate the citizenry regarding the existence of TPDAs and the services they offer.
  43. Closing thought: Given the means, knowledge, and ability to exercise meaningful control over their digital lives, citizens will be able to make the most of the great opportunities the Healthcare IoT presents.
  44. Thank You