GDPR: blessing in disguise?

Thank you for the invitation and the opportunity to share with you our approach to respecting privacy in the age of Digital health.

I would like to start with a short introduction from the late Niels Schuddeboom, an inspirational patient advocate whose drive to ‘dance with the system’ as he called it, helped us keep our focus on those who need our help.

Question: Who of the attendants here have their own full genome data, using a genome sequencing service like 23andme or Illumina?

With services like this, for about 150 euro you get full access to your own genetic source code. You can use that data to analyze your ancestry, to get insights into your genetic traits, to the genetic markers that define how you respond to certain medical treatments, and to see if you have a higher genetic risk for serious illnesses like Alzheimer’s and Parkinson’s disease.

And this is just the beginning. The Leiden University Hospital sends the genetic data of their patients to their pharmacies, ensuring that they get the medicine that is tailored to their specific genetic design. Precision medicine is an emerging field that has tremendous potential: both in targeted and tailored treatments, as in early warning and even prevention.

Last week, the governments of Cyprus, Luxembourg, Sweden, Finland and Bulgaria created a coalition that aims to bring together the genomes of one million European citizens. With this pool of genetic data, they aim to create the world’s leading hub for research into new cures and treatments. That way being able to bring them to the European market first, and attracting talent and business along the way. With this data, we might be able to find a cure for cancer, Alzheimer’s or ALS.

But I ask you to consider this: genomes are our own biological source code. The data itself is as personal as it gets. It describes exactly what is unique about you. But not only you: your parents, siblings and children share large amounts of that source code. That makes it very hard to anonymize. Only a few family members need to be identified, and you are as well. There is nowhere to hide, to keep this data private.

Ladies and gentlemen, this example is a good way to explain the dilemma we face with privacy in digital health. Health data is highly sensitive and personal and the potential impact of misuse is huge. At the same time, health data needs to be able to flow freely if the situation calls for it. This has to be done in a safe and secure manner, between people, organizations and networks you trust.

Health data becomes more and more consumerized, with personal data generated by sensor-rich wearables and low cost processing and analytics. Traditional healthcare systems are no longer in control of all the data, data is being democratized. This brings a fundamental shift in power. It moves away from the traditional healthcare professionals and the systems they work for and towards the patients, the consumers and the service providers that they choose to use.

The current public discussion about Facebook shows that we have been naïve in thinking that these data Tech service providers will not take advantage of the data we generate. Or that all health data is safely stored in secure locations. Health data is targeted specifically by hackers, because a single patient’s health record will get 350 to 500 dollars on the black market - more than any other type of data. Passwords and e-mail addresses one can change. Your health data, you often cannot.

This brings me to the central element of this talk: trust. In this hyper-connected world of digital networks, governments need to enable citizens to build and maintain trusted relationships. In healthcare, networks of relationships are vast and complex. Patients, citizens, doctors, nurses, hospital management, payers, researchers, government, service providers… And there are different local, regional, national and international relationships. To make it even more complex, it is also very dependent on the situation and context. Needing acute care in an emergency, you need trusted relationships instantly, while with big data analytics for research purposes, the trust relationship is less visible, but equally important.

Ladies and gentlemen, this is why I feel the GDPR is so important. It provides the legal framework that gives everyone the right to decide what third parties can do with their personal data. It’s a very necessary instrument to build trust.

Trust is essential. I need to be able to trust that everyone shares the same goal: improving my health. And that decisions about my health are made based on the right information that is available at the right time and only at the right place. Preferably together with me as an equal partner. I also need to trust that the data used to improve my health is actually about me, comes from my doctors and is not altered during transport. And I need to trust that the people and organizations that use my health data, treat that data as sensitive and personal data and actively protect my privacy.

Privacy is not about keeping personal data hidden from everyone and anyone. Privacy is about who controls access to personal data. Privacy is about building trusted relationships. Respecting privacy therefore, is about giving you and me the power and tools to control who can access my personal information. This starts with informed consent.

There is no trade-off between privacy and quality of healthcare. If there is no trust, there is no consent, you will have no data. We feel that the best way to do this, is to make everyone the CEO of their own health data.

Ladies and gentlemen, in The Netherlands, a patient-led coalition of healthcare stakeholders from primary care, hospitals, long term care, healthcare insurers and government is building the legal, technical and practical framework for a comprehensive set of digital and lifelong tools that enables our citizens to access, download, store, enrich and share their own personal and professional health data. We call this MedMij, or MedicalMe.

I would like to show you a short animation that gives you a clear understanding of what MedMij is.

MedMij essentially creates a trust-framework. It is a set of rules that all personal health data solution providers have to play by. It governs how we build trusted relationships based on our personal health data. MedMij doesn’t stop at patient access to professional data, that’s where it starts. What if you have all your health data with you, imagine the possibilities. What if you could add your smart-device data? What if you could interact with your doctors on a more equal basis? What if you could share parts of your data with family? You decide what happens. With MedMij we take a big step towards a healthcare system that has privacy built in by design, but it is not the answer to everything.

Ladies and gentlemen, in my example about genetic data, the potential for research is evident. This is the case with lots of other health data, personal and professional. The discussions about use of health data for research often focus on data-ownership. This is the wrong approach. When building trusted relationships, we should be talking about data stewardship. The trusted relationship between citizens and researchers is built upon transparency: do we share the same goal, is it interpreted correctly, is it safely stored and handled only by trusted people and networks, is all relevant and necessary data available.

For this transparency, working with international standards and open API’s is essential. Blockchain can be used to create an audit trail. And initiatives like the Personal Health Train enable researchers to get results without having to access the data itself: it brings the algorithm to the data, instead of the data to the algorithm.

Ladies and gentlemen, in conclusion, I say that the GDPR is a blessing in disguise. It is an essential tool to build trusted relationships for health data. It accelerates the democratization of health data and the shift in power from the traditional healthcare systems to our citizens. As such, it is a huge driver for innovation. These are exciting times to be in healthcare!

Last week three countries debated on their healthcare strategies at HIMSS Europe in Sitges. This was my speech at the stage:

The Dutch approach

We all are patients, as are our friends, parents or kids. We are all doctors as we share decision making with our caregivers. Sharing decision making demands shared information. Therefore we gave every Dutch citizen the legal right to download and use their own medical data. The Dutch approach focuses on giving everyone the tools to become CEO of their own health and masters of their own health data.

To better prepare for a doctor’s consult. To share data with doctors. Or even to share data with researchers to improve treatments. But a law is not enough. And even technology is not. It is trust in Information exchange that is crucial.

That is where our Dutch national program called “MedicalMe”, or in Dutch “MedMij” comes in. MedicalMe is a patient-led coalition of insurers, healthcare providers, Health-IT- industry and the government and it is governed by our health information council. Together we develop and test a trust framework consisting of a set of standards to enable exchange personal health data with patients. It is of course based on international standards and best practices. Providing industry with a fertile ground to design innovative personal health environments that really help us all to be ceo of our own health.

Using MedMij everyone can safely download their own medical data into their own personal digital vault. Adding their device-generated and other health data, securely sharing their data with healthcare providers. It is not a fantasy, it will go live this summer.

MedMij creates an amazing opportunity for innovation, as the number of Dutch innovators present today shows. It creates a whole new ecosystem of empowered patients requiring innovative services.

In the next three years, every hospital in The Netherlands will have implemented these standards. General practitioners and pharmacies are already adopting these standards too. Many others are joining the movement. I invite you all to do so too. Think big, act small and start today. By visiting the Dutch house at this conference for example. We welcome you to our movement.
I’m proud that we are working together with all the major stakeholders, as an ecosystem. We don’t have a top-down Big Bang strategy to roll out solutions, but we co-create with patients, doctors, nurses and all others involved. Working agile, thinking big, acting small and doing it everyday. Thus creating a movement that can not be stopped. Such a movement requires leadership, lone nuts and early followers. But it can accelerate fast, as “hello my name is” or the pink socks movement shows.

Who has pink socks in this auditorium. Raise your hands please! This movement was started by nick Adkins at HIMSS in 2015. Just three years ago.

This conference hundreds of members of the Dutch ecosystem are present. Patients like Annemiek, CMIO’s like Felix, doctors like Gabrielle, Insurers like Han, and many many others. We meet and inspire each other to strive for next steps. With one thing in mind: to make all of us masters of our own health.

Lessons learned
In 2011, we were building a national system to exchange patient records. Parliament forced government to step back. Luckily enough, maybe. Because now we are working bottom up, involving doctors and patients. More innovative and not only focusing on periods of illness, but also on staying healthy and being the ceo of your own health and your own health data. Data that is not only medical records but also data that we generate ourselves and enable us to make informed choices. We also learned that this requires a movement and not a top down approach. One needs everyone on board to move forward collectively.

Closing statement
Think big, act small and start today. Be the change to make yourself and all the people around you CEO of their own health. The lone nuts are already followed and the technology is there. Let’s make it happen.