Innovators in science and technology are developing precision medicine to treat and prevent disease on an individual basis. Researchers working in precision medicine depend on access to massive amounts of structured and unstructured health information—in other words, big data. Patient electronic health records are an ideal source of structured information, such as diagnoses, treatments performed, laboratory results, prescription drugs administered, geographic location of patients, and, whenever available, the patient’s genomic information. And networked medical devices, known as the Internet of Medical Things (IoMT),¹ generate vast stores of personal health information. This article considers how medical device data from the IoMT might be integrated into electronic health records, both as an aid to providers in treating patients and a resource for precision medicine researchers.
Precision Medicine and Big Data Analytics
Precision medicine—the ability to tailor treatment to the needs of an individual patient—is in its infancy. Many diseases still have no known cause or effective treatment. The National Institutes of Health, academic researchers at Vanderbilt University, Mayo Clinic, Cleveland Clinic, and many others are using big data analytics technologies, genomics research, bioinformatics, and molecular biology to develop individualized patient treatments for precision medicine. Advancements in genomic research have given medical professionals the ability to create highly detailed physiological profiles of individuals and a baseline for predicting the impact of the individual’s genes on disease. Research and development in precision medicine require a continuous source of individual health information and big data. The IoMT is a vast pool of that big data. Electronic health records are the catalyst for putting genomic principles into practice.
The Precision Medicine Initiative
The White House Precision Medicine Initiative of 2015² encourages the Secretary of Health and Human Services (HHS) to augment efforts to address disease prevention, diagnosis, and treatment.³ Those efforts may include (1) developing a network of scientists to carry out the initiative; (2) new approaches for addressing scientific, medical, public health, and regulatory issues; (3) applying genomic technologies to provide data on the molecular basis of disease; and (4) collecting information through channels linked to patients’ electronic health records and voluntarily provided by a diverse cohort of individuals that can be used to better understand health and disease. Advanced supercomputing will likely be necessary to implement the initiative.
The Precision Medicine Initiative requires (1) compliance with existing laws and regulations for the protection of human subjects involved in research; (2) policies and mechanisms for secure data sharing across systems, including protections for privacy and security of data; and (3) consideration of biological and social determinants of health.
Why Integrate Medical Device Data into Electronic Health Records?
Medical device data, transmitted directly to electronic health records, could give physicians instant access to information they may need to make treatment decisions. For example, patient data in real time from pacemakers, blood glucose monitors, insulin pumps, heart rhythm monitors, and health, wellness, and fitness apps could inform healthcare providers as they review patient histories and prepare treatment plans. Alerts from networked medical devices connected to electronic health records might notify diabetics that their blood sugar is too high or too low or that a cardiac patient’s pulse is too fast—and to seek immediate treatment.
These kinds of data could be rich sources of accurate individual health information for research, when authorized by hospital institutional review boards or privacy boards, or de-identified or provided in limited data sets under data use agreements with researchers.⁴
Overview of Challenges
Information collected using wireless medical devices cannot reasonably be streamed directly into electronic health records without first addressing and resolving multiple sociotechnical and legal concerns. These matters broadly include cybersecurity and patient safety, data accuracy, and, as a backdrop, ownership rights in the data collected.
Medical Device Cybersecurity
Data in the IoMT is not secure. Wireless transmission of data to mobile devices through the Internet creates weak points for hackers. Interconnectivity between medical devices and systems for electronic health records leaves those medical devices vulnerable to security breaches, in the same way that other networked systems are vulnerable. As far back as 2014, the SANS Institute reported that 94 percent of medical organizations had been the victim of a cyberattack, including attacks on medical devices and infrastructure, potentially affecting patient safety and clinical care.⁵
Medical device manufacturers are generally not subject to the privacy and security laws that affect most healthcare organizations, such as physicians and medical centers. Therefore, if a healthcare organization streams data from networked medical devices directly into its electronic health records, the medical organization needs to understand, remediate, eliminate whenever possible, and continuously monitor the security threats and vulnerabilities inherent in that process.
Organizations that stream data from medical devices into electronic health records should perform regular and thorough security risk assessments. Those assessments should include all the medical devices that stream data into the system. Detailed technical, physical, and administrative privacy and security policies and procedures will promote patient trust and encourage participation in precision medicine research. Continuous monitoring may be required for reasonable security. The White House’s recently released “Data Security Policy Principles and Framework” for the Precision Medicine Initiative may be a useful resource as well.⁶
The data collected by the medical device may not always be accurate. The device manufacturer may post a disclaimer of data accuracy on a website or in a “click through” license agreement or in or on the package for the device. The disclaimer may state that available bandwidth for the device is inadequate to permit the manufacturer to ensure data accuracy, which clouds the value of that data for both research and treatment purposes. Healthcare providers should ascertain whether the device has sufficient bandwidth available to ensure data accuracy.
Who Owns the Data?
Users of networked medical devices may not have a clear chain of title to the data collected on the device. The medical device manufacturer or third parties may claim ownership of data by virtue of limitations in the purchase agreement or license for the device or they may have patents, software agreements, or trade secrets that limit what the user can do with the data collected on the device. Healthcare providers can avoid this potential problem by making sure they receive an irrevocable license, granting them exclusive rights to de-identify, aggregate, commercially use, and transfer all data collected by the medical device. Providers should be sure they acquire a license with those rights before streaming medical device data into an electronic health record and making those data available to third parties for precision medicine research or other potential endeavors.
Regulation of Medical Devices
Medical devices are regulated by the Food and Drug Administration (FDA).⁷ The FDA has published numerous voluntary guidances for medical devices. Among them is a voluntary guidance for medical devices that are actually mobile apps, whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended while performing a medical device function (i.e., while being used for diagnosis of a disease or other conditions or the cure, mitigation, or prevention of disease).
On January 22, 2016, the FDA issued, for comments, a Draft Guidance for Industry and FDA Staff.⁸ The draft guidance, titled “Postmarket Management of Cybersecurity in Medical Devices,” contains “nonbinding recommendations” and takes the position that “[c]ybersecurity risk management is a shared responsibility among stakeholders, including the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA.” The FDA notes that best practices for the cybersecurity of medical devices involve collaboratively assessing cybersecurity intelligence information for risks to device functionality and clinical risk, including during the design phase prior to manufacture of the device. The FDA acknowledges that cybersecurity protection is a multifaceted problem that involves medical device users, manufacturers, licensees, technical controls, governance, regulators, and standards setting organizations. Nevertheless, as of June 2016, healthcare organizations still have the legal responsibility to secure the data in patients’ electronic health records. They cannot transfer or assign that responsibility.
Conclusion and Implication
The IoMT, with billions of networked medical devices, is a massive fount of health information, poised to fuel research in precision medicine. Health, environmental, lifestyle, and genomic information about an individual from the IoMT may be incorporated into individuals’ electronic health records and made available to academic and governmental researchers for precision medicine initiatives. Healthcare organizations that stream data from medical devices into electronic health records must ensure that the data they collect is appropriately secured and continuously monitored. Such organizations should take steps to acquire a clear chain of rights to de-identify, aggregate, and commercially use the data they collect using medical devices. Currently, there are no mandatory security standards that apply generally to medical device manufacturers. Therefore, few manufacturers have designed or manufactured their medical devices with reasonable security for healthcare purposes. Mandatory legislative standards and regulations requiring manufacturers to design specific medical devices with defined and detailed security features could further both patient safety and precision medicine while facilitating a stream of big data for research.
1. Eric Topol, The Patient Will See You Now: The Future of Medicine Is in Your Hands 146 (2015).
2. A White House Initiative of President Obama, announced on January 20, 2015, in his State of the Union Address.
3. See Advancing Precision Medicine Act of 2016, S. 2713, 114th Cong. (2016) (introduced by Sen. Lamar Alexander). The act would establish a precision medicine research cohort. The lay participants in the cohort are designated as “research participants” who will share biological samples, genetic data, and diet/lifestyle information, all linked to their electronic health records. The National Institutes of Health is the agency authorized to build the cohort.
4. An institutional review board is a board, committee, or other group formally designated by an institution to review research regarding humans as subjects. It has authority to approve, require modifications of, or disapprove all research activities covered by the HHS and FDA Protection of Human Subjects regulations and may, under certain conditions, waive the individual authorization requirement.
5. Barbara Filkins, SANS Inst., Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon 2 (2014), https://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735.
7. See Federal Food, Drug, and Cosmetic Act, 21 U.S.C. §§ 301 et seq.