Following on our earlier Globe and Mail op-ed and Law Bytes podcast, I am pleased to co-author a commentary on health data sovereignty and security with Kumanan Wilson and Mari Teitelbaum in the Canadian Medical Association Journal. The key points identified in the piece:
- Canada’s population-based health data are an invaluable resource that provide economic and health system opportunities through the development of health-related artificial intelligence algorithms.
- Concerns about the potential monetary value of these data, access by the United States for surveillance purposes, and how data often reside on cloud servers owned by US companies, make it essential that Canada redouble efforts to ensure the security and sovereignty of data.
- We suggest a multipronged approach that includes encrypting health data by design, requiring health data be hosted on Canadian soil (data localization), inserting a blocking statute into privacy laws, and investing in the development of Canadian sovereign cloud servers to host health data.
In the multipronged approach that you have listed above I would add logging of all access to the data, whether it be read or write, and in the case of write, recording the change made to the data. This does two things. First of all, it records if someone is attempting to mine the data, and who it is. While some of this may be unauthorized. Unfortunately this is not necessarily a trivial issue; commercial databases that I have seen do not support this type of traceability. The second is that it allows for easy rollback in the case of an incorrect entry.
The previous deals with privacy aspects of the system. In the end, however, simply doing this with hospital data is insufficient. Realistically it needs to be extended, perhaps as phase 2, to all primary care providers, including nurse practitioners, dentists, optometrists and pharmacists. This would simplify things not only for the doctors, but also for the patients. For instance, I currently have prescriptions from both my family doctor and a specialist. When these come up for renewal, the issuing doctor needs to be contacted. Adding in the primary care providers would allow the family doctor not only to renew prescriptions but also to look for interactions, etc. The reason that I add dentists is because there are people who need an antibiotic prior to a dentist visit, even for a cleaning (for instance, replacement heart valve recipients).
The note about the CLOUD Act in the linked article is interesting, however. It puts the US position on TikTok in perspective.
Great post!